Crowdsourcing Meets Vulnerability Testing

This article is more than 10 years old.

This service is a stroke of genius! Here's the idea: You're building a Web-based application and, being the savvy technocrat you are, you know that no matter how good you and your development people might be, there's always a chance that somewhere in your code is a hole, a flaw that could make your application unsafe.

Moreover, should that vulnerability be found only after your app is turned loose on the world and actually in use by paying customers, your reputation could vanish overnight. Or quicker.

You obviously need to test your application thoroughly, but how? Your in-house people can do all the testing they like, but unless you've really got an unbelievably good QA department full of serious hackers with lots of man hours at their disposal, they are unlikely to find the really subtle flaws. You could bring in consultants, but how do you find them? Or ...

Or you could crowdsource the testing.

Yep, crowdsourcing -- the concept of setting a large group of people onto a problem -- has been applied to vulnerability testing by Hatforce. As a client you contract through Hatforce with the testers (which legalizes the testers' hacking activities, at least under German law), set a bounty for each vulnerability found and the total payout you are willing to make, and then sit back and wait.

As a tester, you contract with the client via Hatforce and then off you go, hacking, completely legally, to your heart's desire ... if you find a vulnerability you have to submit a report detailing how you tested and what you found.

Hatforce suggests that starting values of bounties should be "at least 50€ per web application vulnerability and 75€ per mobile application vulnerability." Hatforce currently offers a free vulnerability test with free consulting on a single vulnerability and 40€ per additional vulnerability consulting until 31.10.2011. For 200€ you get consulting on all found vulnerabilities. As an initial pass at testing, for 100€ you can have an automated vulnerability test run, which provides a detailed report of the results.

The advantage of Hatforce is obvious: You're potentially drawing upon a pool of testers with a wider range of experience and skills than you could ever hope to have access to through the usual channels. If you're a big company that wants to stay as obscure as possible, you could easily work through a consultant to make sure your identity is hidden (just make sure that any code a tester might be able to view, should they get inside your application, contains no identifying strings or other clues).

This is a great business concept, and one that could make a huge difference in how safe your application, and your brand, is.