
This is how hackers investigate your online security

One of the services we offer at Zerocopter is that hackers (we call them researchers) check whether they can find vulnerabilities in your online security. Here we will explain how it works, what options you have and how the researchers do this.

When you put something online on the internet you automatically become a target for hackers. They scan entire IP ranges for specific vulnerabilities, and you might have one of them. Before you know it, your online environment is part of a botnet used for DDoS attacks on banks, or your database has been downloaded and sold on the internet. How do you prevent this?

You have a website and you want that website tested for vulnerabilities. After registration on our platform you can launch a researcher program. A group of at least 10 ethical hackers selected by us will scour your environment for vulnerabilities within a scope and period specified by you.

In short, you invite ethical hackers to hack you. These hackers come from all over the world and all have different specialties. All this experience is bundled together in a researcher program.

But which vulnerabilities will the hackers be searching for? Although hacking often sounds like magic, it is often simply "logic". Have you, for example, ever tried to buy -10 PlayStations? Or did you ever change the URL from ?user=101 to ?user=102? Bugs like this are usually just "logic", yet they can have a huge impact. These so-called "logical flaws" can be found by anyone, as long as you are creative.

Something that does require technical skills is "SQL injection". A SQL database is a way to store data; imagine it as a (large) Excel file containing all the personal data that customers have left on a website. SQL is the language used to communicate between your website and the place where that data is stored. In a SQL injection it is possible to give the database an instruction while filling out your personal data: you can instruct the database to send, delete or edit the data it holds.

Image source: xkcd.com
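To make the two examples above concrete, here is an added illustration (not code from the original post or from Zerocopter) with a constructed in-memory customer table: a lookup that pastes form input into the SQL text next to the hardened, parameterized version, plus the ownership and quantity checks that close the ?user=102 and -10 PlayStations logic flaws. All names, prices and customer records are made up for the demo.

```python
import sqlite3

# Constructed in-memory customer table; sample data made up for this demo.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (id, name, email) VALUES (?, ?, ?)",
        [(101, "alice", "alice@example.com"), (102, "bob", "bob@example.com")],
    )
    return conn

def lookup_vulnerable(conn, name):
    # Vulnerable: the form value is pasted into the SQL text, so a quote
    # character in the input lets the rest of the input act as an instruction.
    sql = "SELECT id, name, email FROM customers WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Hardened: the value is bound as a parameter, separate from the SQL text,
    # so the database never interprets it as part of the instruction.
    sql = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def get_profile(conn, session_user_id, requested_id):
    # Logic-flaw guard for the ?user=101 -> ?user=102 example: the record is
    # only returned when it belongs to the logged-in user, whatever the URL says.
    if requested_id != session_user_id:
        return None
    return conn.execute(
        "SELECT id, name, email FROM customers WHERE id = ?", (requested_id,)
    ).fetchone()

def order_total(quantity, unit_price):
    # Logic-flaw guard for the "-10 PlayStations" example: a quantity that is
    # not a positive whole number is rejected instead of turning into a refund.
    if not isinstance(quantity, int) or isinstance(quantity, bool) or quantity < 1:
        raise ValueError("quantity must be a positive integer")
    return quantity * unit_price

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input a tester would use to compare the two lookups
    print("vulnerable rows:", len(lookup_vulnerable(db, probe)))  # 2: every customer is returned
    print("safe rows:", len(lookup_safe(db, probe)))              # 0: nobody has that name
```

The same probe run against both functions is the kind of regression check a development team can keep in its test suite, so a reintroduced string-built query fails the build before a researcher ever sees it.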

Besides these examples there are many more vulnerabilities. Our researchers will look on your behalf to see whether they can find vulnerabilities on your site or network. Researchers all have their own specialties; think of the many different programming languages out there. For each researcher program we look at which specialties we can combine to build the best team for examining your security. We screen the researchers to verify who they are, that they are reliable and what their specialties are.

When you start a researcher program you specify the following: what the researchers have to examine (the scope), the period in which the research must be done, and how much you want to spend.

The researchers work on a 'no cure, no pay' basis. In practice, you set a fixed budget, and when a researcher finds a vulnerability we verify it and make sure it is rewarded appropriately. These rewards are predetermined by us and correspond to the severity of the detected vulnerability. When the total of the rewards reaches the limit of your budget, the researchers stop their research. If you want to continue at that point you can immediately increase the budget. But if they can't find any vulnerabilities, it won't cost you anything.


Written by Zerocopter

March 17, 2017
