Whitehat Penetration Testing

[crazy_rabbit]

In light of the number of web services that are starting up and the questionable level of security that they offer, perhaps it would be useful to have some sort of "Whitehat penetration testing" service or bounty. Perhaps sites could submit themselves to being tested by the community (and offering some sort of bounty?) and if the community isn't able to penetrate the site- a sort of 'symbol' or 'seal' could be awarded showing that the site survived penetration testing up till a certain date.

Eventually people will want to know the site they are dealing with is safe, and the endless 'hacks' look bad for us in general.

[paraipan]

Agree, how we could achieve doing it safely? Maybe joining a "White Hat Union" or something similar?
They could give their seal of approval to bitcoin websites, dunno just thinking out loud here

[Indemnified]

This would be a very valuable service, and given the choice of competing web services I would invest in the one that had a Whitehat Penetration Certification. I would pay a reasonable bounty to a Whitehat company to obtain a report on a given web service that I was considering using (the cost would of course have to be spread over a large number of customers because I certainly couldn't afford to individually pay for penetration test of every web service I was considering using.

[Elwar]

There are already services out there for this. The company I work for just had a team come in and do this, providing a decent report of vulnerabilities.

Rather than look into the Bitcoin community for this, look into experts who do this for a living every day.

[paraipan]

There are already services out there for this. The company I work for just had a team come in and do this, providing a decent report of vulnerabilities.

Rather than look into the Bitcoin community for this, look into experts who do this for a living every day.

Any of them accepting bitcoins? 

[kiba]

Every member should pay a fee that will be used to raise the bounty price.

For example, gold members pay 20 BTC a month, silver members 5 BTC a month, and bronze members only 1 BTC a month.

If there are 20 members that are gold, that mean 400 BTC are contributed each month to the bounty coffer.

[crazy_rabbit]

There are already services out there for this. The company I work for just had a team come in and do this, providing a decent report of vulnerabilities.

Rather than look into the Bitcoin community for this, look into experts who do this for a living every day.

Any of them accepting bitcoins? 

+1

[Ferroh]

I love this idea.

Hopefully sufficient incentives can be provided for capable penetration testers to conduct such a service.

[randy-waterhouse]

Easy. Just put a sufficiently valuable bitcoin private key associated with a bounty somewhere relevant on your system and say "come get it".

NB: Make it a multi-sig (keep one key to yourself) to make sure you get some info about the vulnerabilities in case the penetrators just want to abscond with the loot.

[crazy_rabbit]

Easy. Just put a sufficiently valuable bitcoin private key associated with a bounty somewhere relevant on your system and say "come get it".

NB: Make it a multi-sig (keep one key to yourself) to make sure you get some info about the vulnerabilities in case the penetrators just want to abscond with the loot.

of course, now they will assume it's a multi-sig key. :-)

But really, this idea is solid- but how do we get someone involved? I think at the start we might have to turn to the community and later on start to think about dedicated professionals in this field. I don't think many firms are interested in turning their attention away from banks and corporations to work on someone's bitcoin website project. :-)