
Our customer guide III

This is the third part of a series; the earlier parts are Our customer guide I and Our customer guide II.

Repeated tests and bug bounty program

The results of a penetration test or security audit are valid only as of the date on which the customer receives the final report. Neither we nor any other IT security company in the world can guarantee that the application will not be hacked the next day, when a new critical vulnerability appears. Regular testing in the form of repeated tests is therefore needed.

For continuous testing of applications (ideally to fill the time gaps between repeated tests), we recommend using a so-called bug bounty platform. This is a system on which thousands of hackers are registered who look for security vulnerabilities in applications and are rewarded for reporting them. If you set the financial reward for finding vulnerabilities in your application high enough to be motivating, thousands of eyes will have an economic incentive to search for and report new vulnerabilities in your application around the clock.

As a bug bounty platform, you can use Hacktrophy, a unique bug bounty solution in Central Europe that we operate in a partnership and technology collaboration with Citadelo.

We recommend that you enrol your website or web application in a bug bounty platform as soon as you have fixed all the findings from our penetration test or security audit.

What technology certificates should ethical hackers have?

The IT security sector is flooded with various security certificates of varying quality.

It should be noted that ISACA certificates have nothing to do with penetration testing or technical security audits. Similarly, CISSP is only a senior management security certificate and in no way reflects the technical knowledge of ethical hackers. There are also “hacker” certificates of questionable quality (such as CEH) from EC-Council, an organisation that has itself been repeatedly hacked (which says everything about its certificates).

Probably the highest quality hacker certificates are those from Offensive Security, and most of our ethical hackers hold several of them. Nevertheless, our certified experts see a few problems with Offensive Security (you can find a summary here).

A good rule of thumb is that an ethical hacker who is able to independently write more complex exploits meets the minimum requirements for professional penetration testing. This means that he must be able to program in a scripting language and have a decent knowledge of operating systems or web technologies. He should also have detailed knowledge of security guides and standards (such as those from OWASP).

Why test at a “free” voluntaryist company?

One of the key advantages of our company is that we operate on a so-called voluntary basis: our testers voluntarily choose the projects they want to participate in. We don’t force anyone into anything.

For you as a customer, this means that, unlike at other companies, our experts work for you because they have made a voluntary decision to do so, not because a boss forced them to.

This shows above all in increased motivation and quality of work, which are naturally higher when people choose their work voluntarily than when it is forced on them, as is the practice in ordinary corporations.

It also means that, because the people at our company voluntarily choose the projects they participate in, and the company itself, we have minimal staff turnover. As a result, most of our testers are seasoned experts with years of experience in IT security.

You can find more information about our work model in the presentation of The Most Free Company.