Dmytro Matviiv, Hackenproof: “bug bounty programs are beneficial for any industry that relies on technology”
No matter if you own a big company or small business, cyberthreats are a real danger these days, and it is important to take on multiple measures to stay protected.
While VPNs and antivirus services can protect you from threats, regular penetration testing can help to find the weak spots before any real attack occurs. By taking on a proactive approach to cybersecurity and implementing bug bounty programs, companies can not only prevent a destructive cyberattack but also provide an opportunity for new ethical hackers to try out their skills.
To find out more, we sat down with Dmytro Matviiv, Product Owner at HackenProof – a bug bounty platform that uses a crowdsourced approach to cybersecurity, rewarding ethical hackers for finding and reporting vulnerabilities in a company's or project's software or systems.
How did HackenProof come to be? What has your journey been like since your launch?
HackenProof was founded in 2017 as a response to the growing demand for security in the rapidly expanding cryptocurrency industry. As more and more individuals and businesses began to utilize blockchain technology, it became clear that there was a critical need for comprehensive security solutions to protect against potential hacks and cyber attacks.
Our team at Hacken recognized this need and saw an opportunity to create a bug bounty platform that could connect cryptocurrency projects with a community of ethical hackers and security experts. By incentivizing these experts to find and report vulnerabilities, we believed we could help protect projects and their users from potential security threats.
Since our launch, our journey has been one of constant growth and development. We've worked hard to build a platform that is user-friendly, secure, and effective while also forging partnerships with some of the most innovative and forward-thinking projects in the industry. We've also continued to expand our community of ethical hackers and security experts, providing them with the tools and resources they need to help keep our clients' projects secure.
Of course, we've also faced our fair share of challenges along the way. The constantly evolving landscape of cybersecurity means that we must always be vigilant and adaptive, and we've had to work hard to stay ahead of emerging threats and new attack vectors. But through it all, our team has remained committed to our mission of making the cryptocurrency industry a safer place for everyone.
Looking ahead, we're excited to continue growing and evolving as a company, and we're proud of the impact we've had on the broader crypto community. We believe that by working together, we can help ensure a more secure and trustworthy future for the blockchain industry.
You take great pride in your bug bounty platform. Can you briefly explain what this practice is about?
Certainly! A bug bounty program is a crowdsourced approach to cybersecurity that rewards ethical hackers for finding and reporting vulnerabilities in a company or project's software or systems. The goal of a bug bounty program is to incentivize security researchers to proactively search for and report security vulnerabilities before malicious actors can exploit them.
Bug bounty programs typically offer rewards, such as cash or other prizes, to security researchers who report valid vulnerabilities. These rewards can range from a few hundred dollars to tens of thousands of dollars, depending on the severity of the vulnerability.
Bug bounty programs have become increasingly popular in recent years, particularly in the technology industry, as a way to supplement internal security teams and identify vulnerabilities that may have been missed during internal testing. By crowdsourcing security testing to a global community of web3 ethical hackers and security experts, bug bounty programs can help companies identify and fix web3 vulnerabilities more quickly and effectively, ultimately improving the overall security of their products and services.
Even though penetration testing has gained momentum over the past few years, why do you think it is still not a widespread practice?
While penetration testing has gained popularity in recent years, it is still not a widespread practice for a few reasons.
Firstly, penetration testing can be expensive and time-consuming. Many organizations may not have the budget or resources to perform regular penetration testing, or they may not see the value in investing in this type of security testing.
Secondly, penetration testing requires a high level of expertise and skill, both in terms of the testers performing the tests and the internal teams that must analyze and address any vulnerabilities that are found. This can be a barrier to entry for some organizations that may not have the necessary in-house expertise or may not know how to find and hire qualified external testers.
Lastly, there may be a lack of awareness or education about the importance of penetration testing and the benefits it can provide. Many organizations may not fully understand the potential impact of a successful cyber attack or the value of proactively testing their systems for vulnerabilities.
Overall, while penetration testing is an important practice for identifying and addressing security vulnerabilities, it may still be considered a luxury or a "nice-to-have" for some organizations rather than a necessary part of their security strategy. However, as the threat landscape continues to evolve and the consequences of cyberattacks become more severe, we may see more organizations prioritize and invest in regular penetration testing as a critical component of their security posture.
How did the recent global events challenge cybersecurity worldwide? What vulnerabilities were exploited the most?
The COVID-19 pandemic, digital transformation, and the Russian invasion of Ukraine have brought new challenges to cybersecurity. As a result, our platform has engaged in various activities to promote cybersecurity.
One of our activities is researching blockchain security, and we have found that almost 75% of NEAR projects do not have audits or bug bounties.
The web3 community is also working on official documentation of cybersecurity thanks to cryptoconsortium.org. The recent events have emphasized the need for organizations and governments to invest in robust cybersecurity measures, stay vigilant, educate their employees and citizens about cybersecurity best practices, and adopt necessary security technologies and protocols to safeguard their digital assets from cyber threats.
Cybercriminals have been exploiting vulnerabilities in remote work technologies, such as video conferencing and collaboration tools, to gain access to sensitive information. The Russian invasion of Ukraine has also highlighted the importance of protecting critical infrastructure and sensitive information from cyber-attacks. It has been warned that the conflict could escalate into a full-blown cyber war, with both sides using cyber attacks to gain the upper hand.
In summary, the recent global events have demonstrated the critical role that cybersecurity plays in protecting national security and the digital assets of organizations and governments.
In your opinion, which industries should be especially concerned with implementing bug bounty programs?
Bug bounty programs can be beneficial for any industry that relies on technology and digital assets. However, some industries may be more vulnerable to cyberattacks and data breaches than others and, therefore, may benefit more from implementing bug bounty programs.
Industries that should be especially concerned with implementing bug bounty programs include:
Financial Services: The financial services industry is a prime target for cybercriminals due to the high value of the assets they hold. A bug bounty program can help financial institutions identify and address vulnerabilities in their systems before they can be exploited by attackers.
Healthcare: The healthcare industry is responsible for storing and protecting vast amounts of sensitive patient information, making it an attractive target for cybercriminals. A bug bounty program can help healthcare organizations identify and address vulnerabilities in their systems to protect patient data and maintain regulatory compliance.
Technology: The technology industry is at the forefront of digital innovation, but this also means that it is often the target of cyber attacks. Implementing a bug bounty program can help technology companies identify and address vulnerabilities in their software and hardware products before they are released to the market.
Government: Governments at all levels are responsible for protecting critical infrastructure and sensitive information, making them attractive targets for cybercriminals. A bug bounty program can help governments identify and address vulnerabilities in their systems to protect national security and maintain public trust.
E-commerce: Online retailers are responsible for storing and protecting vast amounts of customer data, including credit card information and personal details. A bug bounty program can help e-commerce companies identify and address vulnerabilities in their systems to protect customer data and maintain trust.
Any industry that relies on technology and digital assets should consider implementing a bug bounty program, but those that hold especially sensitive information or assets should take extra precautions to protect themselves from cyber threats.
What are some of the worst cybersecurity mistakes that can expose not only a company but also its customer data to threat actors?
Not patching software and systems: Failing to update and patch software and systems leaves vulnerabilities open that can be exploited by attackers. These vulnerabilities can be used to gain unauthorized access to sensitive data, steal credentials, or install malware.
Weak passwords: Weak passwords or using the same password across multiple accounts can leave systems and data vulnerable to attack. Passwords should be complex, unique, and changed regularly to prevent unauthorized access.
Lack of employee cybersecurity training: Employees are often the weakest link in an organization's cybersecurity defenses. Failing to provide adequate cybersecurity training can leave employees vulnerable to phishing attacks, social engineering tactics, and other cyber threats.
Inadequate access controls: Allowing users access to data or systems that they do not need can leave sensitive information vulnerable to attack. It is important to implement access controls that limit user access to only what is necessary for their job.
Not encrypting sensitive data: Failing to encrypt sensitive data can leave it vulnerable to unauthorized access, theft, or manipulation. Encryption should be used to protect data both in transit and at rest.
Third-party risks: Failing to properly vet and secure third-party vendors and contractors can leave a company and its customer data vulnerable to attack. It is essential to conduct thorough due diligence on third-party vendors and ensure they meet cybersecurity standards.
Lack of incident response plan: Failing to have an incident response plan in place can leave a company unprepared to respond to a cyber attack. An incident response plan should include procedures for detecting, containing, and mitigating cyber threats, as well as guidelines for running a bug bounty program.
Which cybersecurity solutions do you think are essential for every organization and individual these days?
Code audits help identify potential security vulnerabilities in the codebase, enabling organizations to fix them before they are exploited by cybercriminals. Penetration testing involves simulating a cyber attack to identify weaknesses in the organization's security infrastructure. By conducting regular penetration testing, organizations can detect vulnerabilities and improve their security posture.
Bug bounties are another important cybersecurity solution, as they incentivize ethical hackers to identify and report security flaws in an organization's systems or applications. Bug bounties can help organizations identify security weaknesses that may have otherwise gone unnoticed, and they encourage ethical hackers to report security flaws rather than exploiting them for personal gain.
Antivirus and anti-malware software: Antivirus and anti-malware software can help protect against viruses, malware, and other malicious software that can infect systems and steal sensitive data.
Firewall: A firewall is a network security device that monitors and controls the incoming and outgoing network traffic based on predetermined security rules. Firewalls can help prevent unauthorized access to networks and systems.
Multi-factor authentication: Multi-factor authentication adds an extra layer of security to login processes by requiring users to provide additional forms of identification beyond just a password, such as a fingerprint or a one-time code sent to a mobile device.
Encryption: Encryption is the process of converting data into a code to protect it from unauthorized access. Encryption should be used to protect sensitive data both in transit and at rest.
Regular software updates and patching: Regularly updating and patching software and systems can help prevent vulnerabilities from being exploited by attackers.
Employee cybersecurity training: Employees are often the weakest link in an organization's cybersecurity defenses. Providing regular cybersecurity training can help employees identify and respond to cyber threats.
Backup and disaster recovery plan: Backup and disaster recovery plans are essential for organizations to minimize the impact of a cyberattack. Regularly backing up data and having a plan in place to quickly recover from a disaster can help ensure business continuity.
What predictions do you have for the future of the crypto space?
Increased adoption: Cryptocurrencies and blockchain technology are gaining mainstream acceptance and adoption. More businesses and individuals are beginning to use cryptocurrencies for transactions, investments, and other purposes. This trend is expected to continue, leading to increased adoption and integration of crypto into mainstream financial systems.
Regulatory developments: As cryptocurrencies become more widely adopted, regulators are expected to play a more significant role in overseeing the industry. Governments and financial regulators around the world are currently working to establish clear guidelines and regulations for cryptocurrencies and blockchain technology.
Innovation and development: The crypto space is known for its rapid innovation and development. This trend is expected to continue as developers and entrepreneurs explore new use cases and applications for blockchain technology.
Decentralization and peer-to-peer networks: The decentralized nature of blockchain technology is one of its most attractive features. This trend is expected to continue, with more focus on peer-to-peer networks and decentralized platforms that operate without a central authority.
Integration with other technologies: Blockchain technology is being integrated with other emerging technologies, such as artificial intelligence, the Internet of Things (IoT), and big data analytics. This trend is expected to continue, leading to new use cases and applications for blockchain technology.
As for the bug bounty market, it is predicted to reach $5.4 mln in revenue by 2027.
And finally, what’s next for HackenProof?
At HackenProof, we are always looking for ways to improve our platform and provide the best bug bounty services for our clients. In the near future, we plan to focus on the following initiatives:
Expanding our network of security researchers: We plan to continue expanding our network of skilled security researchers to ensure we have the best talent available to find vulnerabilities in our clients' systems.
Offering more customized bug bounty programs: We plan to offer more tailored bug bounty programs that are specific to the needs of individual clients, including different testing methodologies, target selection, and reward structures.
Enhancing our platform features: We plan to enhance our platform features to make it easier for clients to manage and track their bug bounty programs, including streamlined reporting and communication with security researchers.
Strengthening our partnerships: We plan to strengthen our partnerships with other companies and organizations in the cybersecurity industry, like auditors, to provide more comprehensive solutions for our clients.
Increasing awareness and education: We plan to continue our efforts to increase awareness and education around the importance of bug bounty programs and the value they provide in enhancing cybersecurity.
Overall, our goal at HackenProof is to continue to innovate and provide the best bug bounty services for our clients to help them secure their systems and protect against cyber threats.