During the Closed Bug Bounty program, we examine IT systems in depth. With your permission, we search for bugs and security-related configuration errors. You only pay for vulnerabilities we find.
The term bug bounty program refers to an approach to identifying, fixing and disclosing vulnerabilities in IT systems in which the finders are rewarded for each vulnerability they report.
In the Closed Bug Bounty program, Codepurple's specialists search for security vulnerabilities in your systems. You pay only for detected vulnerabilities. The program usually runs for four weeks. Every vulnerability found is documented with a detailed description, including step-by-step instructions for reproducing it.
| Severity | CVSS score | Reward |
|---|---|---|
| Low | 1.1 - 3.9 | 200 |
| Medium | 4.0 - 6.9 | 800 |
| High | 7.0 - 8.9 | 2'500 |
| Critical | 9.0 - 10.0 | 5'000 |
Basically, everything is allowed, except:
Both your financial risk and the risk that your IT systems become unavailable are small. Thanks to a cost cap, you know the maximum cost in advance.
Hackers act like surgeons: their aim is not to cause damage but to find vulnerabilities without interfering with the operation of the IT systems.
The term hacker often has a negative connotation. This is unjustified: most hackers have no malicious or criminal intentions. The terms "ethical hacker" and "white-hat hacker" have therefore become established for hackers who act in good faith.
In a security review, the scope is defined and specialists search for vulnerabilities within that scope and the available time. A review covers a broad scope, whereas a Closed Bug Bounty program goes into the depths of an individual system.
In a Closed Bug Bounty program, only a small group of selected specialists analyzes the systems. All findings remain internal, and the public learns nothing about the program.
Each vulnerability is assessed, classified and billed according to its score under the established CVSS (Common Vulnerability Scoring System: https://www.first.org/cvss/). The price of a finding therefore follows its assessed severity, not the time the specialists spent finding it. Note that the CVSS base score itself combines exploitability metrics (attack vector, attack complexity, privileges required, user interaction and scope) with the impact on confidentiality, integrity and availability, so a hard-to-exploit issue with severe impact and an easy-to-exploit issue with limited impact can land in the same tier.
The customer sets the cost cap made available to Codepurple for the Closed Bug Bounty program.
Generally, all systems reachable from the outside are in scope. Social engineering attacks and phishing attempts are not performed by Codepurple. Systems that must not be analyzed can be excluded by the customer; in general, the less is excluded, the more meaningful the outcome.
63% of confirmed data breaches involved weak, default or stolen passwords.