
Unleash the force of
our Ethical Hackers
and kickstart the protection of your business.
and kickstart the protection of your business.
The Success Fee Model that reduces company costs
Banks, financial services, insurance companies, e-commerce providers, automotive—no business that leverages technology and innovation is immune to cybercrime. WhiteJar is the cybersecurity service that guarantees immediate access to Ethical Hackers via a crowdbased platform. The hackers receive financial rewards for every vulnerability found after a triage evaluation process.

The full service of a scalable model
Personal console available 24/7
Owned console to communicate with the Community of Ethical Hackers, accessible 24/7.
Verified executive report for C-level
CISO reports customizable through the platform.
Customizable vulnerability technical reports.
The reports include:
- detailed description of verified vulnerability
- reproduction/test phases for verified vulnerability
- correction notes and remediation suggestions
- evidence (images, http requests/replies, videos)
Tracking system for communication and reports
Integration with the most popular tracking systems for corporate communication (JIRA, Redmine, etc.)

Program types

Public or private
The Bug Security Bounty programs that corporations launch on the platform can be either public or private: open to all Community members (public) or targeted to a selection of profiled Ethical Hackers (private).
Bug Bounty / Subscription and Rewards / One-shot and Ongoing
Subscriptions last for a minimum of 12 months. Once a subscription is activated, the Client can immediately launch their Bug Bounty Campaigns, either public or private, for a limited time period or as ongoing campaigns. Each time, the Client can set a budget for rewards for each vulnerability found to be devolved to Ethical Hackers.


Operating model
FAQ
We only work on reporting vulnerabilities, not solving them. The report format is very thorough, and it’s usually made of step-by-step reproducibility, PoC, Suggested Mitigation, Type (e.g. SQLi), Severity (e.g. CRITICAL), and media (e.g. screenshots).
The type of vulnerabilities we will accept in every program can vary, and we can define the in-scope and out-of-scope together. For example, we can work on RCE
SQLi, XSS, CSRF, Authentication bypass, Horizontal or Vertical privilege escalation.
But, if you have a particular scope, like for example an IoT to be tested, we can vary the Type of Vulnerability.
All Ethical Hackers sign confidentiality bonds and are not “unknown” people. They subscribe to a code of ethics (Article 2 of our T&C) and follow a certification path (Article 3 of our T&C) which requires, among other things, identity verification, verification of held certifications, and training of various kinds. This process implements logics similar to the stringent verification procedure applied in the EU, called KYC. Accepted certifications evolve during time and can involve: CEH, CISSP, GXPN, OSCP, GWAPT, GMOB.
We also accept non-certified Ethical Hackers in the process because we think that the crowd windows and the power of collective consciousness is more powerful than the single Pen Tester work. You can only choose certified Ethical Hackers, but we strongly suggest to also include the non-certified: it will increase the odds to detect vulnerabilities.
Yes, we can create a custom second level NDA upon request and we can activate extra insurance to handle liabilities (we already have a basic insurance of up to €50,000 – Article 6 T&C). All the documents will be verified before the program starts and we can work to adapt the process to the customer compliance policy (you need to activate an extra package).
At this moment, we have experience on Private Bug Bounty Programs or Public Bug Bounty Programs. A program can last a precise time period (like 1 month) or stay active forever (until you decide to end it).
But our philosophy is that we want to stay flexible and give you the maximum space to engage with the Ethical Hackers community. This means that we can also work on custom programs, as long as we bring value to the community (for example: Capture The Flag program).
The service is weighted to have the customer interact with a group of Ethical Hackers. We believe in the collective consciousness of our certified and trained community. The number of Ethical Hackers that will take part in our programs can vary, but we usually start with a small group and expand along the way (so we will adapt depending on the customer workload capacity). These elements are built with the customer in a service setup phase.
Yes, we can activate the “security platform” that is to pass all Ethical Hackers activities through a controlled VPN, encrypted and certified by the WhiteJar team.