Topic: Whitehat Penetration Testing (Read 1472 times)

legendary
Activity: 1204
Merit: 1002
RUM AND CARROTS: A PIRATE LIFE FOR ME
August 19, 2012, 02:53:35 AM
#10
Easy. Just put a sufficiently valuable bitcoin private key associated with a bounty somewhere relevant on your system and say "come get it".

NB: Make it a multi-sig (keep one key to yourself) to make sure you get some info about the vulnerabilities in case the penetrators just want to abscond with the loot.


Of course, now they will assume it's a multi-sig key. :-)

But really, this idea is solid, but how do we get someone involved? I think at the start we might have to turn to the community and later on start to think about dedicated professionals in this field. I don't think many firms are interested in turning their attention away from banks and corporations to work on someone's bitcoin website project. :-)
newbie
Activity: 41
Merit: 0
August 18, 2012, 10:40:41 PM
#9
Easy. Just put a sufficiently valuable bitcoin private key associated with a bounty somewhere relevant on your system and say "come get it".

NB: Make it a multi-sig (keep one key to yourself) to make sure you get some info about the vulnerabilities in case the penetrators just want to abscond with the loot.
member
Activity: 111
Merit: 100
August 18, 2012, 10:40:15 AM
#8
I love this idea.

Hopefully sufficient incentives can be provided for capable penetration testers to conduct such a service.
legendary
Activity: 1204
Merit: 1002
RUM AND CARROTS: A PIRATE LIFE FOR ME
August 17, 2012, 04:51:06 PM
#7
There are already services out there for this. The company I work for just had a team come in and do this, providing a decent report of vulnerabilities.

Rather than look into the Bitcoin community for this, look into experts who do this for a living every day.

Any of them accepting bitcoins? :)

+1
legendary
Activity: 980
Merit: 1020
August 17, 2012, 03:40:00 PM
#6
Every member should pay a fee that will be used to raise the bounty price.

For example, gold members pay 20 BTC a month, silver members 5 BTC a month, and bronze members only 1 BTC a month.

If there are 20 members that are gold, that means 400 BTC are contributed each month to the bounty coffer.
legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
August 17, 2012, 03:15:45 PM
#5
There are already services out there for this. The company I work for just had a team come in and do this, providing a decent report of vulnerabilities.

Rather than look into the Bitcoin community for this, look into experts who do this for a living every day.

Any of them accepting bitcoins? :)
legendary
Activity: 3598
Merit: 2386
Viva Ut Vivas
August 17, 2012, 02:57:37 PM
#4
There are already services out there for this. The company I work for just had a team come in and do this, providing a decent report of vulnerabilities.

Rather than look into the Bitcoin community for this, look into experts who do this for a living every day.
full member
Activity: 216
Merit: 100
August 17, 2012, 02:54:35 PM
#3
This would be a very valuable service, and given the choice of competing web services I would invest in the one that had a Whitehat Penetration Certification. I would pay a reasonable bounty to a Whitehat company to obtain a report on a given web service that I was considering using (the cost would of course have to be spread over a large number of customers, because I certainly couldn't afford to individually pay for a penetration test of every web service I was considering using).
legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
August 17, 2012, 08:31:00 AM
#2
Agreed, but how could we achieve doing it safely? Maybe joining a "White Hat Union" or something similar?
They could give their seal of approval to bitcoin websites. Dunno, just thinking out loud here.
legendary
Activity: 1204
Merit: 1002
RUM AND CARROTS: A PIRATE LIFE FOR ME
August 17, 2012, 08:18:20 AM
#1
In light of the number of web services that are starting up and the questionable level of security that they offer, perhaps it would be useful to have some sort of "Whitehat penetration testing" service or bounty. Perhaps sites could submit themselves to being tested by the community (and offer some sort of bounty?), and if the community isn't able to penetrate the site, a sort of 'symbol' or 'seal' could be awarded showing that the site survived penetration testing up till a certain date.

Eventually people will want to know the site they are dealing with is safe, and the endless 'hacks' look bad for us in general.