What we learned from our bug bounty program

At Ergon we are always looking for new ways to make Airlock even more secure. That's why Airlock has been challenged by the best hackers. In order to uncover potential attack vectors, we launched the Airlock Bug Bounty Program a year ago. Since then, experts all over the world have tried to circumvent Airlock's security mechanisms. As an incentive, there are rewards of several thousand dollars per vulnerability.


The Airlock Bug Bounty Program aims to improve the effectiveness of Airlock. Participants are asked to attack the Secure Access Hub and all protected applications behind it. The infrastructure is set up similarly to our customers' environments. It contains both Airlock Gateway and IAM components and several back-end applications. The hackers try to circumvent Airlock by taking up specific challenges. One of these challenges is to circumvent the Airlock filter rules (Allow / Deny Rules). The IAM functions such as login and self-service are also checked for weak points. For example, they can try to (re)use a one-time password multiple times.


What is a bug bounty program?

A bug bounty program is like a call to attack a product in order to find bugs and vulnerabilities. Now even the US Department of Defense has called for the Pentagon to be hacked!

In principle, any security specialist can participate in a bug bounty program. These "white hat" testers have to adhere to the rules of the bounty program in order to be able to launch their targeted attacks within a controlled environment. By participating, a hacker undertakes not to exploit or publish the reported vulnerabilities. This gives the producer a chance to fix the error before it is exploited. The participants are therefore also referred to as ethical hackers.

When a hacker finds a new vulnerability, he reports it to the producer via a confidential channel. When the reported vulnerability is successfully verified, the finder receives a reward (usually a predefined amount of money). The amount of compensation depends e.g. on the consequences of a possible attack. Some professional hackers can make a living from these "bounties". Once it is fixed, the vulnerability can be published and the hacker can be released from keeping it confidential.


Up to $5,000 reward

If a hacker finds a hole, he submits a structured bug report. He must show in detail how the vulnerability can be exploited. This allows the Airlock Incident Response Team to reproduce the attack step by step and unlock the bounty. The severity of a bug is classified on a four-point scale from low to critical. The hacker receives a minimum of $100 or up to $5,000 for a critical vulnerability. 


In addition to the classic penetration tests, we wanted a continuous security assessment by a large number of experts.

So we looked at different bounty platforms. We wanted a big community to find as many clever hackers as possible.

Reto Ischi, Team Lead Product Development Airlock Gateway

The idea of a bounty program was born after a "successful" penetration test: Despite high fixed costs, the testers had not found any serious security issues. Many would have considered this a success. But Reto Ischi, the development manager of the Airlock Gateway, was not satisfied. Where can you find the best application security experts? The team looked at bounty platforms like HackerOne or Bugcrowd. "We wanted a platform with a large community to find as many clever hackers as possible." In the end, the decision was made in favor of HackerOne. "Also because we have more control over the amount of bounties there."

Bounty hunters continuously ensure security

More than 500 participating hacker professionals are trying to bypass the security mechanisms of the Airlock Secure Access Hub. So far not a single vulnerability of the level high or critical has been reported. The average reward paid is $200. The majority of successful attacks have been cross-site scripting (XSS) or SQL injections. These vulnerabilities were mostly closed by adapting the filter rules (deny rules). It is no coincidence that these attacks are among the top 10 risks for web applications.

Conclusion: Standing still means falling behind

The global community of ethical hackers ensures a continuous security assessment of the Airlock Secure Access Hub. Since the program was launched a year ago, minor errors have been reported on a regular basis; critical gaps have not been reported yet. The bug reports help to continuously and promptly improve product security in the interests of our customers. The bug bounty program thus confirms what periodic penetration tests have shown: Airlock ensures extremely effective protection against any attacks on applications and the theft of sensitive data.

Although the analysis of the bug reports ties up valuable engineering resources, the cost-benefit ratio is still positive. The reports are of high quality and the bounties per finding are relatively low. The continuous stream of bug reports also fits our agile development process. Therefore it was decided to continue the Airlock Bug Bounty Program for another year. "We are also considering how the WAF's standard filter rules can be updated more frequently in order to close vulnerabilities even faster." The program continues because in IT security, standing still means falling behind!
