green background
Secure your
business
Protecting the data in your infrastructure and offering reliable products and services to the general public is the only way to remain competitive in a highly digitalised economy.
Slash-logo

Vulnerabilities and widespread information security risks

Banks, Financial Services Operators, Insurance companies, E-comm providers, Automotive companies: no business that exploits the potential of technology today escapes cybercrime.

WhiteJar is the ideal player to entrust with the management of System Vulnerability Research Campaigns, as it offers an innovative service that provides immediate access to a vast network of Ethical Hacking professionals, ready to identify problems and propose effective remediation solutions.

DISCOVER THE POTENTIAL OF THE CROWD
Plus - 1

Why WhiteJar is the right choice

Relationship of trust

The trust that companies place in the ethicality of the people they entrust with checking the security of their systems is the prerequisite for the work of the certified experts in our Community.

Plus - 2

Why WhiteJar is the right choice

Certified skills

Recruitment, skills assessment and certification procedures guarantee the professionalism and reliability of Ethical Hackers.

Plus - 3

Why WhiteJar is the right choice

Immediate contact with experts

The activation of Community professionals is done through an open campaign on the platform which can be addressed to all members or reserved for a selection of specialists.

Plus - 4

Why WhiteJar is the right choice

Integrated communication system

For better asynchronous, contextual and real-time communication, the platform integrates with the most modern business communication management systems.

Plus - 4

Why WhiteJar is the right choice

Total control

The constant support and guidance of the WJ team of experts helps to prevent attacks and intervene promptly in the event of a threat or vulnerability being detected.

Plus - 6

Why WhiteJar is the right choice

Regulatory compliance

The platform is developed in accordance with the most important and modern common practices in cybersecurity.

Operating model

1

STEP. 1

Request a demo via the online contact form.

2

STEP. 2

Schedule calls to learn about the benefits and operation of the platform.

3

STEP. 3

Receive credentials to access the platform and activate the service.

4

STEP. 4

Define your vulnerability and reward scheme and launch your Engagement Campaign.

5

STEP. 5

Receive notifications of detected vulnerabilities, reports and remediation recommendations.

6

STEP. 6

Publish new campaigns in total autonomy.

What we offer

Proprietary console available 24 hours a day

Proprietary console for communicating with the Ethical Hacker Community, available 24 hours a day.

Customisable technical reports including description of vulnerabilities found including:

  • Stages of reproduction/testing of findings;
  • Corrective notes/remediation suggestions;
  • Evidence (images, http request/response, video).

Executive verified report for the C Level

Possibility to independently customize CISO reporting directly on the platform.

Communication tracking and reporting system

Integration with popular corporate communications tracking systems (JIRA, Redmine, etc.).

Type of programmes

man smiling with laptop

Public or private

The programme may be public, i.e. open to all Community members, or private, i.e. communicated only to a selection of Ethical Hackers.

Bug bounty / Subscription and rewarding / One-shot or ongoing

Once the subscription has been activated, for a minimum of 12 months, and access to the platform has been configured, the Customer is free to publish all its Campaigns, each time setting a budget for the rewards of the vulnerabilities detected in favour of Ethical Hackers.

man smiling with laptop

Frequently Asked Questions

01.

We only work on reporting vulnerabilities, not solving them. The report format is very thorough, and it’s usually made of step-by-step reproducibility, PoC, Suggested Mitigation, Type (e.g. SQLi), Severity (e.g. CRITICAL), and media (e.g. screenshots).

The type of vulnerabilities we will accept in every program can vary, and we can define the in-scope and out-of-scope together. For example, we can work on RCE

SQLi, XSS, CSRF, Authentication bypass, Horizontal or Vertical privilege escalation.

But, if you have a particular scope, like for example an IoT to be tested, we can vary the Type of Vulnerability.

02.

All Ethical Hackers sign confidentiality bonds and are not “unknown” people. They subscribe to a code of ethics (Article 2 of our T&C) and follow a certification path (Article 3 of our T&C) which requires, among other things, identity verification, verification of held certifications, and training of various kinds. This process implements logics similar to the stringent verification procedure applied in the EU, called KYC. Accepted certifications evolve during time and can involve: CEH, CISSP, GXPN, OSCP, GWAPT, GMOB.

We also accept non-certified Ethical Hackers in the process because we think that the crowd windows and the power of collective consciousness is more powerful than the single Pen Tester work. You can only choose certified Ethical Hackers, but we strongly suggest to also include the non-certified: it will increase the odds to detect vulnerabilities.

03.

Yes, we can create a custom second level NDA upon request and we can activate extra insurance to handle liabilities (we already have a basic insurance of up to €50,000 – Article 6 T&C). All the documents will be verified before the program starts and we can work to adapt the process to the customer compliance policy (you need to activate an extra package).

04.

At this moment, we have experience on Private Bug Bounty Programs or Public Bug Bounty Programs. A program can last a precise time period (like 1 month) or stay active forever (until you decide to end it).

But our philosophy is that we want to stay flexible and give you the maximum space to engage with the Ethical Hackers community. This means that we can also work on custom programs, as long as we bring value to the community (for example: Capture The Flag program).

05.

The service is weighted to have the customer interact with a group of Ethical Hackers. We believe in the collective consciousness of our certified and trained community. The number of Ethical Hackers that will take part in our programs can vary, but we usually start with a small group and expand along the way (so we will adapt depending on the customer workload capacity). These elements are built with the customer in a service setup phase.

06.

Yes, we can activate the “security platform” that is to pass all Ethical Hackers activities through a controlled VPN, encrypted and certified by the WhiteJar team.

07.

Yes, we can configure a point-to-point VNP between WhiteJar and the customer internal systems, and then we will manage to have all the Ethical Hackers on the same line.

08.

This is not a standard procedure. We don’t usually share personal information and prefer to keep it private (in order to better manage GDPR-side issues). However, under a specific contract and agreement with the customer, we can ask a small group of Ethical Hackers if they will allow us to pass along their personal data to the customer. Only the Ethical Hackers that accept this condition will participate in the programs you will launch.

09.

A budget for the vulnerability payout is defined quarterly with a cap. The cap is defined with the customer in the setup phase and can vary during the year. Everything that exceeds the cap will be on our side, no extra cost for you.