Ambitious Mission, Humble Approach.
We believe that life is not about money.
We believe that ethical hacking is not a crime.
We believe that the world needs a safer Internet.
OpenCIRT is here to make it happen, one bug at a time.
The Story in Brief
OpenCIRT stands for Open Cyber Incident Response Team. It was founded by Francesco, a software developer with a strong passion for hacking. He was shopping online with his HTTP proxy active and noted an API endpoint with no authentication, exposing his own personal data (including weakly hashed passwords, and medical records).
He quickly validated the vulnerability trying to access his partner’s data, who also had an account on that platform, and noted that more than 300 thousand people had their data unprotected. At that point, like any ethical hacker would have done, he tried to see if the company had a VDP (vulnerability disclosure policy) or any way to report the vulnerability… without success.
At that point, he had two choices:
- try to contact the company and taking the risk they would initiate legal action against him
- ignore the vulnerability and leave hundreds of thousands people with their data exposed
After some thinking, he realized that he was in front of a paradox: he wanted to help the company to fix the vulnerability by reporting it privately and responsibly and help people to get the privacy they deserve (by law) – but “doing the right thing” may put him in a difficult and uncomfortable position, facing a potential legal action.
He did the right thing (full story coming soon), and he also decided that was the last time a hacker should be scared of doing the good thing. 15 days later, OpenCIRT was online.
We have clear and strict criteria to define good hacking:
- Always preserve system integrity – the good hacker helps companies, does not damage them. Never.
- No intrusive testing/scanning – for the very same reason.
- No phishing, no social engineering – hack machines, not humans.
- Never access PII or other private data – and if you do by accident, stop.
- Act confidentially – and never share your finding with other that the company involved or the autorities.
- Never ask money for reporting a vulnerability – the good hacker is powered by curiosity, not money. Furthermore, that’s called blackmail and is illegal.
While we strongly believe in the “defense in depth” principle, we also think that security issues with the strongest impact have to be prioritized. This is why – at the moment – we decided to only handle vulnerabilities with serious impact. A few examples can be:
- Remote Code Execution
- SQL Injections
- Data Leaks
- PII Exposure
- Broken Access Control
- Code Injections
- Session Fixation
If you believe is impactful, go ahead and submit!