ZKB explores a bug-bounty program with the GOHack Challenge
Trust is a core value of Zürcher Kantonalbank (ZKB), and cybersecurity plays a crucial role in upholding it. Sarah Plocher, Security Analyst at ZKB, explains how the bank, in collaboration with GObugfree, explored the potential of a bug-bounty program through the GOHack Challenge. The goal of this exploration was to evaluate the necessary preparations and internal processes for a potential implementation, thereby strengthening the bank's security measures and proactively addressing vulnerabilities.
Trust and cybersecurity are central to Zürcher Kantonalbank. Sarah Plocher, Security Analyst, explains how ZKB used the GOHack Challenge as an opportunity to gain initial experience with bug-bounty programs.
Sarah, what is your current role at ZKB, and what do you particularly enjoy about it?
I work in the Cyber Defense Team as a Security Analyst. My main responsibility is to monitor the IT systems of Zürcher Kantonalbank, detect suspicious activities, and respond if necessary. There are also numerous opportunities to contribute to internal projects. The best parts of my job are the diverse range of tasks, a friendly team, and continuous learning as integral aspects of the work.
How did you get into cybersecurity? What inspired you?
During my computer science studies, I began to specialize in information security. To me, log analysis is similar to detective work. I find it exciting to reconstruct events, ask the right questions, and understand the actions of malware.
ZKB is currently exploring the possibility of a bug-bounty program. What makes this option appealing to you?
As a bank, trust is one of our most valuable assets, which includes trust in cybersecurity. ZKB uses established tools and measures to ensure and continuously check the security of IT applications from the start. We also invest in developing our employees, including promoting security awareness among our developers, similar to phishing awareness training. A bug bounty is an effective, complementary measure. A bug-bounty program can tap into a broad community of experts who can test your application creatively and individually over an indefinite period, helping to reduce the risk of security vulnerabilities.
We know that setting up such a program isn't always straightforward and that internal hurdles must be overcome. What has your experience been like with this? What tips would you give to others in a similar position?
Establishing a bug-bounty program involves many areas: software development, vulnerability management, legal department, and management. It's essential to create common expectations, discuss the advantages and limitations, and establish coherent processes as a result.
How did you find the onboarding process?
Thanks to the structured approach and straightforward communication, the onboarding process went very smoothly. Questions were answered comprehensively and promptly, both in planned meetings and spontaneous email inquiries. The professional and efficient collaboration with GObugfree reinforced our trust and contributed to the successful execution of our hacking challenge.
What initial results or insights did you gain from the bug-bounty challenge?
For us, it was important to gain first-hand experience. The active preparation for the GOHack Challenge led to improvements in internal processes and understanding of the project. While the experience clearly shows that all software will eventually have security gaps, it's also encouraging to see that the already established security measures stood the test.
What advice would you give to other companies considering a bug-bounty program?
There are various ways to gain initial experience: a time-limited program, a program with a closed participant group, or a Vulnerability Disclosure Program (VDP). It's not necessary to dive into the deep end and establish a full-scale bug-bounty program overnight. It's possible and advisable to consider different options and choose the one that fits best.