“The 6th largest crypto exchange Bithumb was hacked and $30 million was stolen by the hackers”. Sound familiar? Most probably, because this happened just a few weeks ago. Companies, both large and small, are at risk of being hacked. Even if, as an individual, you do not own a company, you certainly use services and products offered by companies that are at risk, so this concerns everyone. Part of the problem is that the demand for cybersecurity professionals immensely exceeds supply while hackers advance minute by minute. The Global Information Security Workforce Study 2017 report from Frost & Sullivan and the International Information Systems Security Certifications Consortium Inc. states that unfilled jobs in cybersecurity will exceed 1.8 million by 2022. This should worry you: every company will be at risk, and personal data, even customer data, will be vulnerable, as it is estimated that there will be 50 billion devices online by 2025. The security issue is not even far-fetched: just two years ago, an email leak during the U.S. presidential elections portrayed the Democratic party in a negative light. This shows that hacking is a problem not only for existing software companies but also for blockchain companies. This is a problem, but Buglab has a solution!
According to the Founder and CEO, Reda Cherqaoui, Buglab is “an affordable penetration testing for small and medium businesses”. “We are proud to say cybersecurity. What we are doing is that we are connecting a community of cybersecurity researchers who are certified and hand selected with customers who have needs in cybersecurity”, he added during an exclusive interview with Decentral Magazine.
In essence, Buglab aims to help companies in different fields, such as IT, financial services or retail, to identify and mitigate cybersecurity gaps in their systems. The platform is meant to detect vulnerabilities in these companies’ websites, smart contracts, IoT devices and mobile applications by performing penetration tests.
How do they do this?
Whoever said penetration testing is not fun has definitely not heard of Buglab’s penetration testing contests:
“Typically we are turning penetration testing into contests. We are creating a competition whereby the cybersecurity researchers challenge each other in order to be the first three with the highest score in vulnerabilities reported. Those top 3 researchers get awarded 70% of the contest prize. The first one will get 40%, second will get 20%, third gets 10%. The platform also enables clients to give some customer rewards to those researchers that did not win the contest who may have found critical vulnerabilities that were not found by the top three.” (Reda Cherqaoui at the Blockchain Economic Forum, in an exclusive interview with Decentral Magazine.)
The Buglab penetration contest enables all companies to use the platform to work with a community of certified cybersecurity penetration testers who are incentivized for it. This is done in the form of a race, so clients are sure to receive fast and credible results. The testers can be independent or a group of fewer than five from a validated company.
As a Company, how do I go about this?
No matter how big or small, all companies are welcome to use the Buglab platform. The following steps show how easy it is to get your company pentested by cybersecurity professionals:
- Sign up on the platform and provide information about the company and the goods and services it provides, then subscribe to a competition contract, choosing the personalized rules the company would like to set. It is possible to customize the competition’s confidentiality, the type of management wanted, the contest cost depending on the chosen plan, and an optional bonus.
- Based on the set confidentiality, the client chooses from a list of pentesters in the community and the Buglab recommendation engine helps to assign a proper match.
- The chosen pentesters test the company’s system and submit a report. The scoring system encourages pentesters to be the first to submit vulnerabilities, as the pentester who discovers the most vulnerabilities gets the highest score.
What are the core features behind Buglab?
- Public Contests: After the company provides the required information and launches a contest, the community receives an invitation to participate.
- Private Contests: Clients can choose pentesters from the community or a team from a validated cybersecurity company to solve their problem.
- Selection features: Clients can choose pentesters using different filters such as country, skill set, scores, etc.
- Triage System: Reported vulnerabilities go through a sorting system on the platform to identify duplicates before reaching the client. This reduces redundancy and gives the client relevant information only.
- Reports: Clients receive reports on the security contest with summarized performance. This helps the client compare their security status and track progress across assets.
- Client-Managed: Clients can choose their own contest management from Basic, Pro or Enterprise.
- Mediation: In the case of a client managing the contest themselves, they may ask for mediation from Buglab. This happens if a pentester feels that the score or evaluation was unfair so Buglab will mediate the situation.
- Leaderboard: This shows a ranking of pentesters according to their scores and experience, making it easier for clients to pick star pentesters.
- Chat: Every report gives a chance for clients to chat with pentesters to get help fixing the vulnerabilities.
- Fix Companion: A company that chooses Enterprise level has the opportunity to let Buglab verify whether the fix has been implemented.
The Buglab pentester contest is just one offering from the company. There is another offering, specifically for “Whitehats” under the Vigilante Protocol.
The Vigilante Protocol is an integrated hacking prevention program. Under it, whitehat researchers report vulnerabilities in companies that are not on the Buglab platform. Those companies are then invited to reward the whitehats for the discovered vulnerabilities. Essentially, companies get to know their flaws at minimum cost. Reda Cherqaoui explains how this works:
“It allows whitehat hackers globally to report vulnerabilities to Buglab. These vulnerabilities are of companies that are not on our platform, and in partnership with CERT and CSIRT they contact those companies to help them fix their vulnerabilities.”
Buglab also recently announced that it plans to secure cryptocurrency exchanges by hosting contests with a reward pool of $2 million.
Why partner with CERT and CSIRT in the first place?
When a white hat reports a vulnerability to us, to check whether this vulnerability exists or not we would need to test it by exploiting it, and if we do that it’s illegal. So if they do that, it’s legal, and that’s why they are in partnership. So when the CERT and CSIRT confirm that the vulnerability exists, the whitehat hacker receives some tokens from the Vigilante Protocol reserve, in which the company puts funds.
The company that was helped can choose to reward the hacker or to host a contest on the Buglab platform. Since the whitehat is the one who brought the company on board, they receive 2% of the service fee. The whitehat is allowed to participate even without pentester status.
Why focus on whitehats?
Normally, people are not allowed to do this, as they have no authorization from the company to perform those tests and find vulnerabilities. When they do it, they protect their identity in many ways, such as having journalists act as the intermediary between themselves and the vulnerable company, as they cannot contact the companies directly. There are currently cases of people who have data on critical vulnerabilities in really big companies but cannot communicate with or contact the companies to help them because they are afraid. Whitehats normally do not get money from reporting these vulnerabilities, so they decide to just keep them and do nothing about it. However, if a blackhat discovers a vulnerability, they will just steal the data and sell it on the black market, deface the website or do something bad to the company. There is a gap here, and there is something to do for whitehats.
There are thousands of Russian companies doing exactly this: cybersecurity penetration tests. What makes Buglab different?
Currently available penetration testing services are not viable for small and medium companies. Penetration tests performed by cybersecurity consulting firms require clients to pay by total billable hours. Moreover, only one or two pentesters do the job. This means that, regardless of the results, the company will pay close to $100 per hour with only a limited number of pentesters on the job. The end result is often a report in PDF format, which does not facilitate fixing the vulnerability or getting more details about it from the pentesters. Secondly, bug bounty challenges require clients to pay for each vulnerability found, and the number of vulnerabilities discovered can exceed the company’s budget and resources. From these tests, the client might get irrelevant results, as flaws are reported without deep research. At the end of the day, a client will just receive flaws without any value for their company.
Another reason raised by Reda Cherqaoui in regards to bounties is that:
“Big businesses can afford to do this because they know their level of security. So, they can afford running a bounty because they know people will not find 1001 vulnerabilities. Small and medium businesses don’t normally perform penetration tests; so imagine if you end up receiving 101 vulnerabilities, each worth about $100. That’s more expensive.”
What is the revenue model?
In Buglab, 70% of the contest fee goes to the top three pentesters, while 19% goes to the company itself. 1% goes to the Buglab transaction reserve, which is used to pay for transactions on the blockchain, and 10% goes to the Vigilante Protocol reserve to pay whitehats.
What about the ICO?
Status: Whitelist phase with over 1600 whitelisted people
Pre-sale: June 30th 2018
High target cap: 20,000,000
Soft cap: 6,000,000
Total tokens: 425 million, with 40% dedicated to the token sale.
Any final words for the Buglab community?
Reda Cherqaoui has very short but powerful words for the Buglab community:
“Something good is coming. Check the website and be updated.”
If you still have not joined the Buglab community, what are you really waiting for? The future is exciting, but it also seems scary because we don’t know who’s next to be hacked. To avoid becoming the next statistic, do the right thing and protect yourself using Buglab.