In our blog, we publish articles at irregular intervals on various IT security topics, such as open penetration tests, public threat analyses, and analyses of other interesting subjects.

Last September, we announced our pro bono program to support non-commercial organizations and open-source applications. With this program, we want to help them to increase security if they cannot afford a professional penetration test. For selected applicants, we will conduct a professional penetration test with a total expense of up to ten man-days - for free!

Earlier this year we selected our first candidate: the JavaScript-based password manager KeeWeb. We identified multiple security issues and helped the developers to fix them. This allowed them to effectively protect KeeWeb’s users and their valuable credentials. You can find the full report of the penetration test here: KeeWeb Penetration Test Report. 

"The reports you sent were very easy to follow and understand, and all the vulnerabilities and recommendations make a lot of sense."

Dimitri Witkowski | KeeWeb


Are you involved with any project or application that could benefit from a professional penetration test, as well? 

As an example, an interesting aspect of your application could be the login process. The protection of the users’ data relies on a secure login process. The integration of single sign-on with major social logins, such as Google, Apple, or Facebook, is prone to security issues because its configuration is often not straightforward.

Please apply to become our next candidate if your project/application fulfills the following requirements:

  • Non-commercial application (e.g., open-source software)
  • High impact (e.g., a high number of users or high criticality in the security/privacy areas)
  • You as an applicant should take care of clarifying any potential ethical and legal concerns.

There will not be any significant difference between our pro bono penetration test and our usual commercial engagements except that you do not have to pay anything. However, in contrast to our commercial tests, you must agree to allow Hackmanit to publish the unfiltered version of our penetration test report. We will do this after you have fixed the weaknesses or, at the latest, after 90 days from informing you about the weaknesses.

What should your application cover?

  • Project name
  • Your name and your affiliation within the software project
  • Short motivation: Why should we choose your project for the pro bono penetration test?

To be added to the pool of possible candidates for our next pro bono penetration test, simply send your application to: pro-bono@hackmanit.de (PGP-Key)

We will inform you if we choose your project.

Finished Pro Bono Penetration Tests:

Karsten Meyer zu Selhausen

Your Contact for the Pro Bono Penetration Test Program

Karsten Meyer zu Selhausen
pro-bono@hackmanit.de (PGP-Key)
+49 (0)234 / 54456499