A White Hat Army?
Here I just want to put my idea on paper. Nothing here is set in stone; everything is open for discussion.
This is not a plan yet, but an idea that needs to be nurtured into a plan.
We are trying to fight multiple armies of black hats in a storm of vulnerabilities, single-handed and on our own. Am I the only one who thinks that is kind of dumb?
Black hats are grouped and organized. White hats are plentiful, and more are waiting to be, but we are divided: we have no organization, no structure, no timing. We need to centralize and organize our efforts. Our main mission should simply be to scan and report. Also, coming from a centralized place, it will be easier to gain trust and to be recognized for the good we do.
What could we accomplish with a white hat army? Let's move forward in time and assume we succeeded at starting this and are starting to be known. I could see agreements with (software company A, for example) that would play out like this: a vulnerability is found; they work on developing a fix; the public is not aware yet, and neither are we. When the patch is ready to be deployed, in 24 hours or so, they contact us with a pre-warning that an important vulnerability will be patched soon. They provide no details, but enough to test targets, or they provide a testing method. Companies can sign up with us ($) (preemptive scans :D); they get scanned and tested before the public knows. They know beforehand to be ready to apply an update for product X due to a yet-undisclosed vulnerability.
NOW WE START TO GET AHEAD OF THEM!!!! :D
It also gives us time to elaborate a plan to scan the Internet, prepare report templates, and start our scan and test. Nearly at the same time as the vulnerability becomes public, reports would go out; every report is a chance to fix the problem sooner, but also a chance to get a new client.
Clients can pay for a pen test. What is the difference from current bounty programs and platforms? First, not just anyone (hacker) can sign up: an investigation has to be done to check skills, ethics and history. Not every white hat will get every pen test request. For example, maybe I have no interest in web testing, but I will try to hack your OS, firewall, SSH …. Maybe the pen test request fee is to reflect the organization and the planning; the client gets specific hackers assigned, with contacts, and we can elaborate a plan. We help with pricing the bounty; the bounty goes to the hacker, to help finance their efforts.
If we can generate more money than needed to operate, we can supplement rewards to hackers. We can be nice and offer the service free to non-profits. Hackers would have the choice to participate in those, which could give good reviews.
By creating more personal communication between hackers and clients, it will allow clients to post reviews on said hacker.
We start by making it more interesting to become a white hat. We then start to have a war-like structure to fight with, faster response time, and constant public view. We become trusted.
I think it is one hell of a dream, and also a solution that would work (given time) to shift the balance. Can I make it happen? With help. I need quality contacts to talk about it; I need more brains than my own. With the right people put together, this could come true.
Want to help bring this idea to reality? Let me know on LinkedIn.
What do I need to get this off the ground? Not very much: I need a few Generals with me. This is a war I want to organize an army for. I would like to have the following skills:
1 - Programmer. A programmer will be useful to build test scripts and programs. During stage 2 we will need an efficient way to gather a list of IPs to scan.
2 - Network specialist. I think it goes without saying that finding a General who knows the inner workings of networking would be useful, to say the least.
3 - Security specialist. Well, that is kind of the war we are fighting.
4 - Generalist. Yes, one who has touched and played with all of the above, one who can help anywhere, anytime, for anything. Lots of knowledge and critical thinking, but master of none. (Hint: I fill this position.)
That is it: I need 3 dedicated, high-quality contacts to join. With their help I will be able to refine the PDP and create the database structure; I can even start the programming. What I cannot do is all the thinking on my own. I need better trained and more knowledgeable brains in each field. I need people with more experience who will see pitfalls that I miss, risks I did not think of, and road blocks I did not see. Experience and specialization bring a lot that I cannot.
The PDP is a protocol that gets initiated when a new vulnerability is disclosed to the public. This is also when we would know about it. It includes 6 stages and also initiates 2 protocols at the end of its cycle. Stage 1: Now we know about a vulnerability. The Generals gather together to define how we will go about fixing this: how are we going to test, do we test servers, PCs, Linux, Windows, all of them, or completely different devices like routers? What is needed in the report? Simply stating that the IP is vulnerable does not work; how can we add weight to the report? In the case of memcrashed, it would be useful to add the amplification rate if possible. What recommendations do we add to the report, if any?
I have been busy with this idea: I have Slack channels set up for whoever would like to participate. I have also been working on the PDP (Post Disclosure Protocol). I am really looking at this and organizing it like an army. A protocol is a set of guidelines that gets initiated based on an event.