At the end of March this year, HackenProof announced a new bug bounty program for Avalanche, a highly reputable company. This program has drawn strong attention from our community of white hat hackers, and we would like to share with you the feedback on this program provided by Dr Arnold Yau, Security Consultant at Ava Labs. By reading this interview you will learn the reasons driving our clients' decision to cooperate with HackenProof, their fears, expectations, and first impressions. HackenProof is a highly reputable security brand that develops an individual approach to solving clients' issues depending on their requirements and the specifics of their work, and we are proud that the feedback provided by our clients confirms this.
So, enjoy reading this interview to learn what a HackenProof client thinks about our community and the work we do.
Q: Could you please introduce yourself? Where do you work? Your previous experience?
After getting a degree in computer science at Imperial College London, I studied cryptography and got my PhD in Information Security at Royal Holloway, University of London. After graduation, I started working in the industry. My career so far has spanned multiple sectors including defence R&D, mobile, banking, and blockchain technology.
Q: How many people work in your cybersecurity team?
We have a small but growing team. It’s important to remember that cybersecurity is the responsibility of everyone. The security team does not secure everything, but rather we provide policies, guidance, and tools to help everyone perform their duties in a secure manner.
Q: What are the biggest security issues affecting your project?
Like developing a new type of aircraft, we are working with cutting-edge technology at Ava Labs, which brings with it enormous potential but also some safety and security risks associated with the unknown. It's my job to help Ava Labs manage those risks while ensuring that excessive security does not hamper innovation.
Q: Why and when did you decide to run a bug bounty program for your project?
Security vulnerabilities are a fact of life in software development. Running a bug bounty program is an accepted best practice of the secure software development lifecycle (SDLC). It provides great value by leveraging the collective expertise of the community of independent ethical researchers to help us secure our software and infrastructure as well as provide assurance to all our stakeholders.
Q: What was the opinion of your colleagues and other executives regarding your decision to apply for bug bounty testing?
They all supported the idea with regard to the benefits associated with running a bug bounty program.
Q: Did you consider any alternatives to running a bug bounty program?
Not alternatives as such, but a level of software security assurance can be brought about by passing penetration testing and security reviews performed by security specialists. These methods complement rather than replace a bug bounty program.
Q: Did you have any fears before deciding to apply for running the bug bounty program?
I'd say the main concerns were related to the possible quality of submissions, a lack of engagement, and the time needed to process the submissions. I'm glad to say that the HackenProof triage team has been really helpful in screening submissions, thereby greatly reducing our workload.
Q: Did you perform penetration tests before launching the Bug Bounty program on HackenProof? If so, could you please provide more details?
We follow our internal process for secure software development. The requirement for penetration testing depends on the risk profile for the project. In very general terms, high-risk projects have to pass an external security review.
Q: What was the main argument for you to choose HackenProof as the platform for your bug bounty program?
While HackenProof is a relatively new bug bounty platform, it was born in the blockchain ecosystem, with a hacker community that strives to use technology to make a success story. They have made significant efforts to understand our requirements and to fully and effectively meet our specific needs.
The HackenProof team would like to thank Dr Arnold Yau for giving such a sincere and detailed interview for our community. It's a great pleasure for us to cooperate with such a great company.
The HackenProof team will keep sharing interviews with our clients. Follow our announcements to get useful and valuable insights from our clients. Thank you for doing a great job! Our community of ethical hackers is our main success.