1.1 We sign confidentiality agreements and service contracts with white-hat hackers and file them to ensure our clients are risk-free. The company employs a full-time legal counsel.

1.2 Define test boundaries, strictly control the scope of the boundaries, and prohibit testing irrelevant content.

1.3 All projects are eligible for cybersecurity insurance (the insurance coverage and amount will be defined in a signed agreement based on the user's specific requirements).

1.4 Sign a commitment letter, assume criminal liability for any eventuality risks, and give advance notice.

2.1 The White Hat Town testing and auditing platform is provided by the National Information Technology Security Research Center, and the testing process can be monitored.

2.2 All white-hat login activities require remote authorization of the VPN login account in order to access the test target.

2.3 Vulnerability Box can audit traffic accessed by white-hat accounts.

2.4 Log in to the client's bastion host, log in to the resources to be accessed from the bastion host, and implement auditing.

2.5 The platform confirms the effectiveness of white-hat hackers in discovering vulnerabilities.

Work order management: The authenticity of a vulnerability is determined by its status, such as pending, in progress, fixed, or ignored.

2.6 If any VPN account is found to have logged out abnormally, these accounts will be subject to close monitoring.

2.7 If an account is found to have no traffic for an extended period of time, it will also be closely monitored.

3.1 Strict Hierarchical System for White Hats in Society

The Vulnerability Box team has a set of white-hat grading standards, including projects participated in, skills, and engagement with the platform. Different levels of white-hats are assigned to key projects. White-hats can also improve their level by participating in projects or submitting vulnerabilities on the Vulnerability Box platform, similar to leveling up in a game. Actual projects are assigned based on different levels and skills.

3.2 Bonus Distribution Mechanism

The reward is 80% for the first discovery of the vulnerability, 20% for the second discovery, and no reward for the third discovery.

3.3 Vulnerability Remediation Verification

After the company's white-hat hackers patch vulnerabilities discovered by external white-hat hackers, they conduct retesting until the vulnerabilities are completely patched as the final solution.

3.4 On - site support

We can send our project manager to conduct on-site supervision and resource allocation as needed by the client.3.5 Offline Activities

Organizing offline events often involves interaction with white hat hackers to understand them and build mutual trust.

4.1 Website registration requires real-name registration (ID card, contact information, bank card account, etc.).

4.2 Connect and verify with the public security real-name authentication system.

4.3 Establish a reward and punishment system, with severe penalties for violators;

4.4 Record information about the white-hat hackers who participated in the project, including their IP address, name, and time of participation.

5.1 Timely Communication: Chat tools enable company project managers to communicate with white hat hackers efficiently and quickly .

5.2 Confirm the true identity of personnel through remote video communication

5.3 Collaborate with multiple organizations to conduct background checks, including employment and personal background information. Ensure traceability and locate the test subject immediately.

5.4 Prioritize the participation of white-hat hackers with high experience, good behavior, strong research capabilities, and a strong sense of responsibility.

5.5 The bonus pool can be dynamically increased temporarily based on the actual situation of the project to attract more white hat hackers to participate in the project, thereby achieving the expected testing effect.

5.6 White hat hackers need to submit a penetration test report as evidence of their penetration test results.

5.7 Define a time period and require white hat hackers to test within that period to achieve the desired goal.

5.8 Avoid peak business periods and communicate with white-hat hackers in a timely manner to avoid unnecessary risks.

5.9 For emergency incidents, the project manager implements on-site emergency response, with company resources serving as a second line of support. This provides clients with comprehensive protection.

5.10 We will communicate promptly regarding any inactivity of white-hat hackers, and if there are other reasons, we will replace them with other white-hat hackers.

5.11 Strict control is exercised over the time, resources, and permissions that white-hat accounts can access.

Most of our registered white hats (www.volbox.com) are located in mainland China (and we have verified their addresses). A few thousands are in HK and others are in US, Russia, Israel etc.