Philippines’ first and only cybersecurity testing platform, Secuna, reported that it has detected and resolved 494 vulnerabilities across 21 private local firms in 2021. In addition, Secuna’s bug bounty payouts increased to $24,045 for valid bug reports from its thousands of ethical hackers.
According to Secuna’s report, these are the sectors that showed "vulnerabilities":
- Enterprise technology sector - 58.89%
- Financial services companies - 20%
- Health sector - 15.78%
- Other organizations - 5.33%
The top three “critical” vulnerabilities unveiled by Secuna’s certified cybersecurity testers are:
1. Remote code execution flaws
Remote code execution (RCE) vulnerability can be exploited to remotely control the target server, retrieve the whole source code, access the database, and even delete the whole filesystem of the server.
2. SQL injection flaws
Secuna explained that the SQL injection vulnerabilities found by its penetration testers can be exploited by malicious users to obtain full access to the database and cause massive data breaches depending on their privilege.
3. Exposed .git repositories.
Exposed .git repositories allow hackers to retrieve the source code of the target application along with sensitive keys, passphrases, and tokens among others.
"Secuna encourages companies to review their assets for these security gaps and take measures to eliminate known vulnerabilities,” said CEO and Co-Founder AJ Dumanhug.
Security weaknesses including zero-day security flaws, cross-site scripting (XSS) gaps, insecure direct object reference (IDOR) vulnerabilities, and missing security and privacy best practices were also discovered by Secuna's vulnerability assessment and penetration testing services.
Secuna’s bug bounty program (BBP) service allows its clients compliant with Bangko Sentral ng Pilipinas and National Privacy Commission to collaborate with vetted security researchers around the world to identify potential security threats in their applications. Dumanjug explained that for every valid bug submission from Secuna researchers, the program owners reward them depending on the severity of the vulnerability discovered.
“Cybercriminals are already testing your app to find potential loopholes that will allow them to compromise your application or server. Having no BBP will leave you clueless about potential vulnerabilities in your application. BBP solves this problem by allowing good hackers to report those potential vulnerabilities and allow you to resolve this before cybercriminals exploited those vulnerabilities for their personal gain. BBP also helps clients to maintain compliance by regularly testing their applications,” said Dumanhug.
Secuna requires a KYC (know your customer) check for hackers before they could hunt vulnerabilities. The company currently offers a free subscription, and only adds a 10% commission on top of every rewarded bug report.