Closed Bug Bounty Program

During the Closed Bug Bounty program, we examine IT systems in depth. With your permission, we search for bugs and security-related configuration errors. You only pay for vulnerabilities we find.

Contact Codepurple

What is Bug Bounty?

The term Bug Bounty Program refers to an approach to identifying, fixing, and disclosing vulnerabilities in IT systems with a reward for the finders.

How does the Closed Bug Bounty program work?

In the Closed Bug Bounty program, Codepurple's specialists search for security vulnerabilities in your systems. You pay only for detected vulnerabilities. The program usually runs for four weeks. Every vulnerability found is documented with a detailed description, including step-by-step instructions for reproduction.

Price model

Category   CVSS Score   Price (CHF)
--------   ----------   -----------
Low        1.1 - 3.9    200
Medium     4 - 6.9      800
High       7 - 8.9      2'500
Critical   9 - 10       5'000

Our rules

Basically, everything is allowed, except:

  • No social engineering attacks
  • No phishing attempts
  • No DDoS attacks
  • No destruction of data / systems

How big is the risk?

Both your financial risk and the risk that your IT systems become unavailable are small. Thanks to a cost cap, you can estimate the maximum costs in advance.
Hackers act like surgeons: their aim is not to cause damage, but to find vulnerabilities without interfering with the operation of the IT systems.

Are hackers evil?

The term "hacker" often has a negative connotation. This is unjustified: most hackers have no evil or criminal intentions. The terms "ethical hacker" and "white-hat hacker" have therefore become established for friendly hackers.

What is the difference between a security review and the Closed Bug Bounty program?

In a security review, the scope is defined and specialists search for vulnerabilities within the defined scope and available time. A review covers a broad scope, whereas a Closed Bug Bounty program goes into the depths of an individual system.

Why is it called Closed Bug Bounty program?

In a Closed Bug Bounty program, only a small group of selected specialists analyzes the systems. All findings remain internal, and the public learns nothing about the program.

What does it cost?

Each vulnerability is assessed, classified and billed according to the established CVSS (Common Vulnerability Scoring System: https://www.first.org/cvss/). The price of a vulnerability is therefore based on its impact, not on the complexity of the attack required to exploit it.

Cost cap

The customer sets the cost cap that is made available to Codepurple for the Closed Bug Bounty program.

Advantages

  • Cost structure
  • Out of the Box thinking
  • Detailed step-by-step documentation
  • More time on an interesting attack vector
  • Increase security of own product
  • Increase confidence in own product

What is the scope?

Generally, all systems that can be reached from the outside are in scope. Social engineering attacks and phishing attempts are not performed by Codepurple. If there are systems which must not be analysed, the customer can exclude them. In general, the less that is excluded, the more meaningful the outcome.

63% of confirmed data breaches are caused by a weak, default or stolen password.

Source: SecurityIntelligence

Do you have any questions or would you like an appointment?

Kathrin Müller is looking forward to hearing from you and will be happy to organize a meeting according to your needs.

Contact

nanio GmbH (Codepurple)
Moosweg 24
5606 Dintikon

+41 79 823 45 30
rhino@codepurple.ch

Follow us

LinkedIn

© Codepurple 2025. All rights reserved.