How bug bounty programs enhance security in the financial sector
Unique, a pioneer in developing generative AI solutions for the financial sector, skillfully navigates between rapid development and the stringent compliance and security requirements of its highly regulated and risk-averse clients. How does a bug bounty program fit into this scenario?
In an industry equally driven by innovation and strict regulations, Unique sets new standards with its AI-based solutions. Balancing rapid development with the stringent security and compliance requirements of the risk-averse financial world is a challenge. To understand how Unique masters this and the role a bug bounty program plays, we spoke with Michael Dreher, CISO at Unique.
Michael, your goal is to develop a visionary Unique FinanceGPT platform for the digital age. Can you tell us more about your approach?
Unique is a Swiss startup specializing in generative AI solutions for the financial sector. We are pioneers in Switzerland and Europe in implementing generative AI solutions focused on security and compliance. Our products include a chat system that assists banks in uploading knowledge and engaging in dialogues similar to those with ChatGPT, as well as platforms for transcribing and summarizing conversations. These may involve highly sensitive bank customer data, subject to the highest security levels of FINMA regulation.
Our B2B SaaS platform is specifically designed for banks and insurance companies that operate in a heavily regulated environment and are very risk-averse. We place great emphasis on security and compliance, designing our solutions from the outset to be as secure and compliant as possible. Data storage can be flexibly managed on a multi-tenant system, a separate enterprise tenant, or, if desired, within the bank's own environment (tenant or on-premises) to meet the highest security standards.
How did you come up with the idea of a bug bounty program?
Originally, we planned to conduct traditional penetration tests and started in September 2022 with a GObugtest, which we repeated in September 2023. This was our first step in evaluating the security of our platform. However, we soon realized that annual tests, whether by the community or formal penetration tests, could not keep up with our rapid development cycle. A notable example is our experience from last September when a pentest was conducted, and by January, a completely new platform was launched. The results of the test were therefore outdated within a few months. The bug bounty program allows us to respond much more flexibly to changes. We can quickly and flexibly adjust the scope of our security reviews.
How have your customers reacted to the switch?
Initially, banks were concerned about the switch from traditional pentests to a bug bounty program, fearing there might be insufficient continuous activity. To address these concerns, we introduced transparent communication, including monthly public statistics on our website showing the number of rejected reports and the severity of the vulnerabilities found. This transparency has strengthened our customers' trust, as they can see that security is continuously being worked on.
What benefits has the bug bounty program brought?
The bug bounty program has significantly helped us find and fix vulnerabilities faster. The flexibility of the program allows us to quickly respond to changing security requirements. Despite regular static and dynamic scans, there are always vulnerabilities that only experienced researchers can identify—errors that automated systems overlook.
Since we do not conduct internal security research, external validation of our security measures, as required by ISO 27001 certification, is crucial. The bug bounty program comprehensively and flexibly fulfills this requirement. Our goal goes beyond mere compliance; we want to make our software truly secure.
The professional triage by GObugfree relieves our team by filtering out irrelevant or erroneous reports. This allows us to focus on actual threats. We also use data from the program to identify trends and proactively adjust our security measures, continuously improving our defense strategies.
What further plans do you have regarding cybersecurity?
Since introducing a private bug bounty program with a handful of researchers in October 2023, we have continuously expanded it. Our goal is to further expand the program by the end of 2024 and eventually make it accessible to a wider public. We plan to increase the bounties to make the program more attractive to researchers, thereby enhancing the quality and quantity of incoming security reports. This underscores our commitment to the highest security standards and shows our endeavor to stay at the forefront and proactively respond to security threats.
What would you recommend to other organizations considering starting a bug bounty program?
I strongly recommend small and medium-sized enterprises consider introducing a bug bounty program. It complements traditional security measures and better suits the rapid development of the technology sector. A bug bounty program enables continuous security monitoring and adjustment, which is crucial to keep pace with the dynamic landscape of cyber threats. In a time when new threats emerge quickly, it offers an efficient and effective method to proactively address and close security gaps.
Is there anything you would have done differently in retrospect?
In retrospect, we might have switched to a bug bounty program earlier. The transition was initially associated with some discussions about budget and customer acceptance, which made us hesitate. In traditional penetration tests, the software is examined by one or two specialized researchers who, while experts in certain areas, cannot cover all potential vulnerabilities. With a bug bounty program, we benefit from a broad pool of security researchers who bring a variety of specializations. This has significantly improved the quality of our security reports and uncovered vulnerabilities that previous penetration tests overlooked.
Are you looking for a testing method that can keep up with the rapid pace of your software development? Learn more about bug bounty programs today.