Customer | Vulnerability | Damage | Fix time |
---|---|---|---|
Czech construction company | Vulnerable contact form that allowed sending malware, including ransomware | Direct 4000 EUR + indirect costs (loss of reputation) | 5 days |
Czech e-shop | Dump of the whole database via SQL injection | Direct 10000 EUR + indirect costs (loss of reputation) | 14 days |
Slovak IT company | Weak password on the admin interface, leading to VPN compromise and access to the internal network | Direct 250000 EUR | 6 months |
Slovak e-shop | Application vulnerability that allowed sending spam to their customers | Indirect costs (loss of reputation) | 3 days |
Threats | Typical attacks |
---|---|
Insiders (disgruntled employee) | Leakage, Backdooring, Espionage |
Ransomware (Malware) | Forced disk encryption with unknown passphrase |
Automated botnets | Simple infrastructure scans, simple WebAppSec attacks, DDoS attacks |
Cybercrime syndicates, rented blackhat hackers | Complex and sophisticated WebAppSec attacks, infrastructure attacks, installing malware |
Social engineers | Pretexting, phishing, vishing, baiting, piggybacking, typosquatting... |
Hacktivists, political hackers | Web defacing, DDoS attacks |
Penetration testing: the customer chooses one specific company, which means:

- a limited number of ethical hackers is used for the given testing
- a limited amount of time is used for the given testing
- limited competition for the given company in the given region, leading to high prices

Bug bounty: the customer sets an economic incentive (bounty) for a big group of ethical hackers around the globe to test their application/service, which means:

- a big crowd of ethical hackers is used for the given testing
- an almost unlimited amount of time is used for the given testing
- because of global competition among ethical hackers, prices can be relatively low or reasonable
The relationship between attackers and defenders is usually strongly asymmetrical:

- an army of skilled blackhat hackers needs to reveal only one vulnerability
- the defender (company) usually has to patch all vulnerabilities
Benefits of the global market:

- more eyes (of the crowd) usually mean better security
- people with hacker skills can earn money in a completely legal way, without the risk of prosecution
- an end-to-end connection between the customer and the ethical hackers may reduce transaction costs (the same applies to Uber, Airbnb, ...)
- because the crowd is relatively anonymous, reputation becomes much more important
Bug bounty programs represent a sharing economy model ("Uber for hackers") with all the related advantages:

- strong reputation of the ethical hackers
- lower transaction costs thanks to the end-to-end connection between the customer and the hacker
- strong economic incentive to do the job properly (and to first look for the most "valuable" critical vulnerabilities)
Example price template
Priority | Vulnerability Types | Pricing in EUR |
---|---|---|
Critical | RCE, SQLi, XXE, vertical authentication bypass | 700 / 2200 / 6000 |
High | Stored XSS, CSRF, lateral authentication bypass | 400 / 750 / 1200 |
Medium | Reflected XSS, URL redirect | 125 / 250 / 425 |
Low | SSL misconfigurations, XSS/CSRF with limited impact | 45 / 60 / 135 |
Do you process your clients' economic data (such as accountancy) or financial transactions (such as credit card payments) through your application/web?
How extensive would the consequences be if your application/web were hacked?