A common obstacle to joining a bug bounty program is a decision by company management that they do not want to be exposed to the “world of hackers”. They believe that if hackers learn about them, the chance of being attacked rises.
They tell themselves that they are just a small, unimportant company that nobody knows about, so hackers will not find them. For several reasons, however, this is not accurate.
If nobody knows about you, it means your marketing is wrong
Few companies wish to be invisible to others. The way a customer learns about you is the same way an attacker may find you. Your marketing department wants the company to be seen by as many potential customers as possible, so that they can find you easily and, perhaps, buy some of your products or services. This is exactly one of the ways a hacker can learn about you.
Non-ethical hackers can find you by automated means, using a bot
When searching for targets, ethical hackers look for who will pay them for a discovered security vulnerability or for a penetration test. To do so, they log in to Hacktrophy and check which companies offer a bounty for discovered vulnerabilities.
Non-ethical hackers essentially search for their targets by automated means, in much the same way that you end up in a search engine index (e.g. Google’s). A robot crawls the Internet, follows links, connects to various IP addresses and tries to discover an unsecured system or a potential target. For non-ethical hackers it is even wise not to check the lists on bug bounty platforms such as Hacktrophy, since those targets have clearly already been examined by ethical hackers who wanted to earn a reward. That is why it is wiser for them to search elsewhere, where they might find an easier target.
Ethical and non-ethical hackers may use similar techniques to search for security vulnerabilities, but they select their targets differently. Ethical hackers are bound by terms and conditions as well as by an ethical way of earning money. Non-ethical hackers try to hack every target that looks promising.
Motivating ethical hackers to work for you will in no way increase the number of attacks on your application by non-ethical hackers. The procedures ethical and non-ethical hackers follow when selecting their targets are different. So join Hacktrophy and have your security improved by ethical hackers.
The author of the article is Juraj Bednár, co-founder of Hacktrophy.