FAQ – Things people want to know

There are multiple facets and tools that the cybersecurity field can profit from. But the trick is to go just one step further and increase your security beyond the necessary implementations. Beyond simple Pentesting, beyond the mind of a hacker, beyond the average cybersecurity measurements. We do this by making cybersecurity a collective effort and making sure only the best, vigorously vetted ethical hackers are directly at your disposal.

Bug bounties are compared often to traditional application security assessment methods such as penetration testing. The volume of testers involved and the differing reward models can be defined as the most significant differences between the two. Bug bounties involve a more substantial amount of diverse researchers with all different skills and experience, as opposed to a select few penetration testers. In bug bounties, your pay per vulnerability and the height of the bounty depends on the severity of the vulnerability rather than for effort.

Known vulnerabilities are known to the public because they are published on the internet or when it has a CVE ID. These vulnerabilities are also added to vulnerability scanners so they can be easily detected. A vulnerability scan could be thought of as a surface-level security assessment since it only detects known vulnerabilities. A vulnerability scan cannot spot logic issues. A hacker might be able to intercept traffic and change data in transit, for example. A vulnerability scanner might not deem information disclosure as an issue. Furthermore, this type of assessment may not see images stored on the network without protection or encryption as being anything to be concerned about. However, if these images happen to be of peoples’ ID or credit cards, then that is a severe problem. A researcher can spot this and uncover the unknown vulnerabilities.

With a Bug Bounty Program( or Researcher Program) we offer the possibility to have a selected group of the best ethical hackers search for unknown vulnerabilities on your website. All researchers in our platform are screened and tested, so we can be sure we only work with the best and the most reliable researchers in the world. All reported issues are reviewed and validated by the Zerocopter’s Triage Team before publishing it to the dashboard. The researchers will be rewarded on a no-cure-no-pay basis, per approved vulnerability.

In a Coordinated Vulnerability Disclosure (CVD) policy you ask when someone discovers a vulnerability in your online environment to report it as soon as possible so you can address it quickly. This policy is visible to all of your users by for example mentioning it on your homepage. Vulnerabilities discovered by users are compiled by Zerocopter and reported to you in an easy to understand overview of the problem. The reports are presented in your own dashboard, you and your team will receive an email when a report has been added or edited.

The scanner finds known vulnerabilities in your site. Our scanner is a combination of the best vulnerabilities scanners available on the market. For example, OpenVAS is implemented in our scanner and we are working to implement more scanners for every aspect of your organisation.

Our community of researchers are from all over the world besides countries that are on the U.S. sanctions list.

For our researcher programs we work with a carefully selected group of security researchers worldwide. We check personal information through an ID verification, review the researchers track record through an internet background check and assess their skills. The selection of Zerocopter Researchers is done by the Zerocopter team. When irregularities occur we are authorized to exclude a researcher from the community.

Zerocopter uses minimal bounties to reward our Researchers for finding unknown vulnerabilities. Rewards for researcher programs are determined by the severity of the report. Each severity has a minimum reward. We subtract the average reward amount from your researcher program budget per validated vulnerability, once you set the actual reward this amount will be subtracted from the researcher program budget. The amounts are the rewards paid to the researcher and do not include a 30% handling fee. You can find the Vulnerability Price List via https://www.zerocopter.com/vulnerability-price-list

Yes we do! We offer App support (default) and Services support.

With App support you get all the support you need to use our platform and our services. With our Services report we will help you with several custom support issues, like attending regular meetings, supporting you with custom overviews and support on the use of our services within your general security policies.

A Coordinated Vulnerability Disclosure report has a reward amount of 0 euros by default, but we offer the possibility to assign a bonus to a Coordinated Vulnerability Disclosure report. A bonus bounty is always optional and totally up to the customer.

Our triage team assesses all submitted reports for validity and completeness. Only complete and validated reports are accepted and forwarded to the customer.

This depends on the subscription plan you use. We work with Triage response times for max. 3 working days (starter plan), 2 working days (professional plan) and 1 working day (enterprise plan).

We ask you to submit a report via our platform and choose a category for the vulnerability, fill in the URL of the found vulnerability and provide a description of the vulnerability, steps on how to reproduce the vulnerability and a possible solution. This will make it easier for triage to validate your report and easier for our customers to understand your report. Triage validates every report and will ask you questions when something is not clear. After validation, your report will be sent to the customer.

Zerocopter is a closed platform. This means we don’t have public lists with our customers that use our CVD or researcher program services. We also don’t have a public list with the researchers in our platform and we don’t have a ranking.

Payments are done after a report gets the status “resolved”. Payments are distributed via bank, PayPal and Bitcoin. To receive payments, make sure that you have a working PayPal account or Bitcoin address. Unfortunately, some payment providers charge a fee for receiving money.