Philippines’ cybersecurity testing platform Secuna reported detecting and resolving 494 vulnerabilities across 21 local private firms last year, with significant findings.
According to Secuna’s report, 58.89% of vulnerabilities identified mainly came from the enterprise technology sector. Financial services companies took the second lead, followed by the health sector.
The critical vulnerabilities reported are remote code execution flaws, SQL injection flaws, and exposed .git repositories.
To explain these terms: a remote code execution (RCE) vulnerability can be exploited to remotely control the target server, retrieve the complete source code, access the database, and even delete the server's entire filesystem. The SQL injection vulnerabilities found by its penetration testers can be exploited by malicious users to obtain full access to the database and cause massive data breaches, depending on their privilege. Exposed .git repositories, meanwhile, allow hackers to retrieve the source code of the target application along with sensitive keys, passphrases, and tokens, among other secrets.
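As an added illustration of the exposed-.git class above (this is not Secuna's code or part of the report), the following script shows how a defender can spot such exposure from their own web server logs: it flags any request under a `.git/` path and reports which of those the server actually answered with 200, and it checks whether a fetched body looks like a real `.git/HEAD` file. The log lines and IP addresses are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /.git/config HTTP/1.1" 200 137 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:12:00:04 +0000] "GET /.git/index HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Any path component that is exactly ".git" (e.g. /.git/HEAD, /app/.git/config).
GIT_PATH_RE = re.compile(r'(^|/)\.git(/|$)')

# A genuine HEAD file is either a symbolic ref or a bare commit hash (SHA-1 or SHA-256).
HEAD_RE = re.compile(r'^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})$')


def looks_like_git_head(body: str) -> bool:
    """True if an HTTP response body is a plausible .git/HEAD file rather than an error page."""
    return bool(HEAD_RE.match(body.strip()))


def find_git_probes(log_text: str):
    """Return (ip, path, status) for every request that targets a .git directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = urlsplit(m['path']).path  # drop any query string before matching
        if GIT_PATH_RE.search(path):
            hits.append((m['ip'], path, int(m['status'])))
    return hits


def served_git_files(log_text: str):
    """Subset of probes the server answered with 200: evidence the repository is exposed."""
    return [hit for hit in find_git_probes(log_text) if hit[2] == 200]


if __name__ == "__main__":
    for ip, path, status in find_git_probes(SAMPLE_LOG):
        print(f"{ip} requested {path} -> {status}")
    print("exposed:", served_git_files(SAMPLE_LOG))
```

A 403 (as in the last sample line) shows the web server is already denying the directory; any 200 on `.git/HEAD` or `.git/config` should be treated as a confirmed source-code and secrets exposure.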
Secuna's platform also discovered other security weaknesses, including zero-day security flaws, cross-site scripting (XSS) gaps, insecure direct object reference (IDOR) vulnerabilities, and missing security and privacy best practices, which, if neglected, could lead to terrifying cyber consequences.
Without a proper policy, security researchers might be less inclined to report a vulnerability, or cybercriminals might join the hunt.
In light of this, Secuna's bug bounty program (BBP) service allows its clients that are compliant with Bangko Sentral ng Pilipinas and National Privacy Commission requirements to collaborate with vetted security researchers worldwide to identify potential security threats in their applications. For every valid bug submission from Secuna researchers, the program owners reward them according to the severity of the vulnerability discovered.
Secuna requires a KYC (know your customer) check for hackers before they can hunt vulnerabilities. The company currently offers a free subscription and only adds a 10% commission on top of every rewarded bug report.