HackenProof is the bug bounty platform for web3 apps. We help companies put their live apps in front of our global community of security researchers. The clients get multi-faceted, crowdsourced security review for only a fraction of a cost of “red team” security investigation. The security professionals, aka bug hunters, get rewards for valid bug reports, rank for activities, and also plenty of totally legal opportunities to train using research tools and approaches on real world cases.

It’s not big :) Up to a dozen of people, among them great developers that work on adding new functionality to the platform, a brilliant marketing researcher, two people working with triage and support, and me working on content, opportunities, and perks for our large hacker community. I’m really proud that our CEO Yev Broshevan is not just a woman founder in tech, she is also a certified cybersecurity professional (in other words, an ethical hacker). That’s our premise: built for the hackers, by the hackers.

You know how a bag or apparel piece is labeled “waterproof” because it has a solution preventing liquid getting inside? We are a solution that prevents software from getting hacked. Bear in mind though, in both cases the solution has to be applied thoroughly in advance!

Well, we all want to use secure products, right? Mobile apps, websites, especially platforms that involve any kind of payments and submitting personal data. Companies that sell their services also have to prove to investors and general public that their software is reliable. There are numerous “checkboxes” that add to the overall security — security audits, in-house security teams, etc... these are either time- or budget-consuming. It’s something you definitely should do, but not every month. Maybe once in every couple of years, or when a major update of your product is about to be launched. Bug bounty programs, on the other hand, are another feature that contributes to the product security. Our customers run bug bounties with us because modest pay-as-you-go pricing and large community of researchers give them affordable, and also continuous vulnerability research. And for the bug hunters we provide a way to grow their cybersec experience on live environments and earn bounties – real cash rewards.

There’s a certain “bug bounty kryptonite” issue which always becomes a cornerstone challenge for bug bounty platforms — keeping balance between the customer companies and bug hunters when charging the cash rewards. You don’t want to put pressure on the client, but you also want the hacker to get deserved bounty. But that’s the primary reason for bug bounty platforms to exist – we find the way to be a mediator to the benefit of all parties involved.
At HackenProof we mitigated that introducing bounty deposits. When a customer launches a program we give them an option to commit $10K towards bounty rewards on their program. We never take service fees out of that fund for ourselves, it’s strictly for fallback alternative to make sure reports can be compensated fast under any circumstances. This might sound like something that benefits security researchers at expense of the business customers, but in fact a safeguard like that makes HackenProof programs more reliable and effective with paying out the rewards, which attracts more community engagement, which brings better results to the customer’s programs in the long run.

It’s actually interesting you’d say “developer or tester”. Bug bounty hunters are called different names: cybersec researchers, ethical hackers, infosec, “white hats”... but it doesn’t reflect any specific background. Among our community we have CS students, ex-web developers, QA, even hardware professionals who went and learned security tools and started applying them to bug hunting. There’s no wrong “backstory” for getting into cybersecurity, and the diversity of previous experiences often helps to obtain a fresh angle: someone well-versed in DevOps will notice flaws in API integrations, another hunter with past in the product team can find business logic issues, and so on. To put simply, all you need to do to start with bug bounties is register a profile, select any program with a tech stack that looks interesting, definitely check out the rules (scope of project, and what areas of the app are out of scope and won’t be rewarded), and then just explore it using curiosity and vulnerability research tools.

We’ve had a great growth in number of users this year, but probably a special moment is pivot to focusing on web3 projects, which happened for us in December 2021. Essentially ~50% bug hunt programs on our platform already were crypto exchange platforms, but after the last Web Summit we’ve realised that the crypto sector is not only growing at an enormous speed, but also has much more at stake: money investments, reputation risks. While HackerOne and Intigriti do a great job at covering the traditional web2 security fields with their programs, the crypto security programs are still developing. As a part of Hacken ecosystem, which profoundly specializes in crypto security matters, with our web3-facing bug bounty services we can offer expert level second to none.

There are two things we are accelerating right now: HackenProof dashboard and community initiatives. The dashboard we already have allows clients to publish their own programs easily, while for bug hunters dashboard offers full visibility on the actual status of their reports. We want to go beyond that and add translation to other languages for our customers, add metrics that will help reduce duplicate reports (exhausting both for hackers and triagers), probably add more payment features, etc. We are lucky to have open line of communication with our users, so we don’t have to guess which feature should be developed next to enhance their experience with the platform.
The second is community growth: starting with open online events with invited professionals, a list of open-source security training resources, then developing our own content to help security specialists ease into web3 security. This is how we see our part in trying to counter the shortage of cybersec talent pool, especially in crypto field.

Of course we want to grow the amount of open programs and active bug hunters, we have the plan that focuses on increasing our market share. But I know that pursuing it we will also strive to take people along on the journey, not just tap into existing talent pool. So we fully expect that with bigger suite of training and bounty hunt opportunities in 5 years we will have more than just business metrics. We will have radically improved a career and even a life path for some people, helping them move into web3 security.