
Vulnerabilities and widespread information security risks
Banks, Financial Services Operators, Insurance companies, E-comm providers, Automotive companies: no business that exploits the potential of technology today escapes cybercrime.
WhiteJar is the ideal player to entrust with the management of System Vulnerability Research Campaigns, as it offers an innovative service that provides immediate access to a vast network of Ethical Hacking professionals, ready to identify problems and propose effective remediation solutions.
Operating model
What we offer
Proprietary console available 24 hours a day
Proprietary console for communicating with the Ethical Hacker Community, available 24 hours a day.
Customisable technical reports describing the vulnerabilities found, including:
- Stages of reproduction/testing of findings;
- Corrective notes/remediation suggestions;
- Evidence (images, http request/response, video).
Executive verified report for the C Level
Possibility to independently customize CISO reporting directly on the platform.
Communication tracking and reporting system
Integration with popular corporate communications tracking systems (JIRA, Redmine, etc.).
Type of programmes

Public or private
The programme may be public, i.e. open to all Community members, or private, i.e. communicated only to a selection of Ethical Hackers.
Bug bounty / Subscription and rewarding / One-shot or ongoing
Once the subscription has been activated, for a minimum of 12 months, and access to the platform has been configured, the Customer is free to publish all its Campaigns, each time setting a budget for the rewards of the vulnerabilities detected in favour of Ethical Hackers.

Frequently Asked Questions
We only work on reporting vulnerabilities, not solving them. The report format is very thorough, and it usually consists of step-by-step reproducibility, PoC, Suggested Mitigation, Type (e.g. SQLi), Severity (e.g. CRITICAL), and media (e.g. screenshots).
The type of vulnerabilities we will accept in every program can vary, and we can define what is in scope and out of scope together. For example, we can work on RCE, SQLi, XSS, CSRF, Authentication bypass, Horizontal or Vertical privilege escalation.
But if you have a particular scope, for example an IoT to be tested, we can vary the Type of Vulnerability.
All Ethical Hackers sign confidentiality bonds and are not “unknown” people. They subscribe to a code of ethics (Article 2 of our T&C) and follow a certification path (Article 3 of our T&C) which requires, among other things, identity verification, verification of held certifications, and training of various kinds. This process implements logic similar to the stringent verification procedure applied in the EU, called KYC. Accepted certifications evolve over time and can include: CEH, CISSP, GXPN, OSCP, GWAPT, GMOB.
We also accept non-certified Ethical Hackers in the process because we think that crowd wisdom and the power of collective consciousness are more powerful than the work of a single Pen Tester. You can choose only certified Ethical Hackers, but we strongly suggest also including the non-certified: it will increase the odds of detecting vulnerabilities.
Yes, we can create a custom second level NDA upon request and we can activate extra insurance to handle liabilities (we already have a basic insurance of up to €50,000 – Article 6 T&C). All the documents will be verified before the program starts and we can work to adapt the process to the customer compliance policy (you need to activate an extra package).
At this moment, we have experience with Private Bug Bounty Programs and Public Bug Bounty Programs. A program can last a precise time period (like 1 month) or stay active forever (until you decide to end it).
But our philosophy is that we want to stay flexible and give you the maximum space to engage with the Ethical Hackers community. This means that we can also work on custom programs, as long as we bring value to the community (for example: Capture The Flag program).
The service is weighted to have the customer interact with a group of Ethical Hackers. We believe in the collective consciousness of our certified and trained community. The number of Ethical Hackers that will take part in our programs can vary, but we usually start with a small group and expand along the way (so we will adapt depending on the customer workload capacity). These elements are built with the customer in a service setup phase.
Yes, we can activate the “security platform”, which passes all Ethical Hackers' activities through a controlled VPN, encrypted and certified by the WhiteJar team.
Yes, we can configure a point-to-point VPN between WhiteJar and the customer's internal systems, and then we will manage to have all the Ethical Hackers on the same line.
This is not a standard procedure. We don’t usually share personal information and prefer to keep it private (in order to better manage GDPR-side issues). However, under a specific contract and agreement with the customer, we can ask a small group of Ethical Hackers if they will allow us to pass along their personal data to the customer. Only the Ethical Hackers that accept this condition will participate in the programs you will launch.
A budget for the vulnerability payout is defined quarterly with a cap. The cap is defined with the customer in the setup phase and can vary during the year. Everything that exceeds the cap will be on our side, at no extra cost for you.