Penetration testing is a black-box security testing method: security experts use the technical means of a real attacker to find vulnerabilities in a target, break through the system's security protections, and assess in depth the actual impact those vulnerabilities could cause. Adopting an attacker's mindset, testers simulate a hacker to conduct comprehensive and in-depth security testing of business systems, helping companies discover security flaws and vulnerabilities hidden in normal business processes, and provide suggestions for fixing them.
Edited at 2024-01-17 10:19:49
Alibaba Cloud Penetration Testing
Product introduction
What is Prophet (Security Public Testing)
Product description
Prophet (Security Public Testing) is a platform that helps companies establish a private emergency response center, that is, a channel for collecting vulnerability information. After an enterprise joins the Prophet (Security Public Testing) platform, it can independently publish reward plans that encourage security experts on the Prophet platform to test the company's own website or business system and submit the vulnerabilities they find, so that security risks are responded to and fixed quickly and greater security losses are prevented.
The Prophet (Security Public Testing) service aims to establish an efficient and complete Security Response Center for enterprises. By joining the Prophet (Security Public Testing) platform, enterprises can draw on the platform's many high-quality, credible white hats to promptly discover security issues in their existing business, including business logic vulnerabilities, permission issues and other vulnerabilities that security tools cannot effectively detect. Discovering existing vulnerabilities as early as possible reduces the losses the enterprise may suffer, and as the business continues to grow, security issues in new services can be discovered in a timely manner through continuous white-hat security testing. The Prophet platform keeps the vulnerabilities of all participating companies strictly confidential, preventing them from being maliciously publicized.
Function description
Customize your own reward plan
Enterprises can freely set the reward amount and reward range for high-, medium- and low-risk vulnerabilities, and security experts can view the reward plan in real time.
Vulnerability collection
After an enterprise joins the Prophet (Security Public Testing) platform, external security experts can submit vulnerabilities to the enterprise through the Prophet platform. After submission the platform reviews the vulnerability, and the enterprise can follow the review progress at the same time.
Free vulnerability audit
During the public beta period, the platform reviews vulnerabilities submitted by external security experts free of charge for enterprises. After the review, the enterprise is notified to fix the vulnerabilities.
Assist with bug fixes
The Prophet platform assists users in fixing vulnerabilities. Where a remediation plan is available, the platform provides the enterprise with a reference vulnerability fix plan.
What is Penetration Testing
Penetration testing is a black-box security testing method: security experts use the technical means of a real attacker to find vulnerabilities in a target, break through the system's security protections, and assess in depth the actual impact those vulnerabilities could cause.
Penetration testing services are provided by Alibaba Cloud, and the personnel who carry out the testing are Alibaba Cloud penetration testing experts. The service helps you discover security risks in your current system, raises your awareness of information security, and also tests the effectiveness of your current defenses, helping to raise the customer's overall network security level.
Security service introduction
Penetration testing
The penetration testing service content and service level agreement (SLA) provided by Alibaba Cloud are as follows:
Service content: Application system testing
Service classification: Basic business logic testing; OWASP Top 10 vulnerability testing; third-party component testing; permission and authentication testing; security configuration testing; business process testing
Service description: With an attacker's (hacker's) mindset, Alibaba Cloud conducts comprehensive and in-depth security testing of business systems, helps customers identify security flaws and vulnerabilities hidden in normal business processes, and provides repair suggestions, so that customers can discover security risks and remediate hidden hazards before attackers (hackers) do.
Service area: Intranet and extranet assets
Service deliverables: "Vulnerability Test Report", "Repair Opinions and Retest Report"

Service content: Mobile app testing
Service classification: Client-side tests: installation package testing; data transmission security testing; component security testing; security enhancement testing; app update security testing. Server-side tests: account system security testing; basic business security testing; code protection testing; dynamic protection adversarial testing
Service description: For mobile apps, customers need to consider the security of both the client and the server. Alibaba Cloud covers the entire security life cycle of the app and conducts in-depth testing of security reinforcement and data compliance.
The service flow chart of penetration testing is as follows:
Offensive and defensive drills
The attack and defense drill service content and service level agreement (SLA) provided by Alibaba Cloud are as follows:
Service content: Network security status research and assessment services

Service classification: Asset sorting
Service description: Alibaba Cloud conducts a comprehensive inventory of the customer's assets exposed to the internal and external networks, and investigates all detected ports and services exposed to the external network. Alibaba Cloud sorts out the customer's websites, systems and platforms, identifies the responsible units and the specific persons responsible for each website and system, and forms a detailed list.
Service area: External network assets and intranet assets
Service deliverables: "Internet Open Asset List", "Application System Asset List"

Service classification: Asset risk screening
Service description: Alibaba Cloud uses a combination of special tools and manual work to conduct a comprehensive inventory of the customer's intranet assets and, based on the customer's existing asset list, carries out vulnerability scanning, weak password inspection, intrusion trace inspection, open port verification, cleanup of unused systems and accounts, and other related work.
Service area: Intranet assets
Service deliverables: "Vulnerability Scan Report", "Weak Password Scanning Report", "Host Security Inspection Report"

Service classification: Assist in asset risk remediation
Service description: Alibaba Cloud assists customers in sorting out the results of the intranet asset inspection, gives professional advice on the priority of vulnerability fixes, and provides guidance and suggestions on how to fix them.
Service deliverables: "Vulnerability Fix Suggestions"

Service classification: Penetration testing
Service description: Drawing on hacker attack tactics and techniques, Alibaba Cloud penetrates the customer's external network assets through multiple methods and from multiple angles within a controllable scope, discovering vulnerabilities to the greatest extent possible so that network defenses can operate normally according to the predetermined plan.
Service area: Extranet assets
Service deliverables: "XX System Penetration Test Evaluation Report"

Service classification: Network architecture security analysis
Service description: Alibaba Cloud analyzes the current security capability status of the customer's network architecture and the flow of key business traffic, to facilitate the subsequent supplementation, monitoring, analysis and resolution of security capability deficiencies.
Service area: none
Service deliverables: "Network Architecture Security Analysis Report"

Service classification: Security awareness assessment
Service description: To test the effectiveness of the customer's security awareness training and strengthen security awareness, Alibaba Cloud conducts a network security awareness assessment using simulated social engineering methods such as email phishing, telecom fraud, identity forgery and office visits.
Service area: none
Service deliverables: "Security Awareness Assessment Report"

Service content: Red-blue confrontation practical drill service

Service classification: Red-blue confrontation drill organization
Service description: Alibaba Cloud assists the customer in coordinating the plans, schedules and tasks of the practical red-blue offensive and defensive drill. After the exercise, Alibaba Cloud sorts out the blue team's attack ideas, result paths and attack methods during the exercise, as well as the attack events, attack characteristics, Trojans and incident handling measures detected during the red team's coordinated defense; summarizes practical experience based on the results of the red-blue confrontation, analyzes deficiencies in protection capabilities and security systems, and discusses implementable solutions; and assists the customer in rectifying and reinforcing the problems discovered.
Service area: none
Service deliverables: "Red-Blue Confrontation Exercise Review Report", "Red-Blue Confrontation Drill Phase Report"

Service classification: Blue Team (attack team) services
Service description: The Alibaba Cloud security attack team carries out network intrusions in accordance with the attack and defense drill standards, finds attack paths, obtains key information about the target system (including but not limited to asset information, important business data, code or administrator accounts), discovers the customer's security vulnerabilities and hidden dangers, and probes the customer's security protection capabilities. After the drill, records are kept, the results are organized, and traces of the attacks are cleaned up.
Service area: All network and all port assets
Service deliverables: "Red and Blue Confrontation - Blue Army Attack Report"

Service classification: Red Army (assisted defense) service
Service description: Based on the asset scope of the exercise, Alibaba Cloud dispatches an engineer to assist the customer with attack monitoring and emergency response: monitoring attack behavior in real time, uncovering intrusion events, analyzing and handling events, and ensuring the safe and smooth operation of the business system; and verifying whether the various security coordination and emergency response mechanisms can operate normally, assisting the customer in analysis and optimization.
Service area: none
Service deliverables: "Red and Blue Confrontation - Assisted Defense Work Daily"
The service flow chart of the attack and defense drill is as follows:
Application scenarios
Enterprises often have their vulnerabilities exposed on other platforms, which greatly damages their reputation and can even cause direct monetary losses. Enterprises therefore need to establish their own vulnerability collection channel so that external white hats do not submit vulnerabilities to other platforms.
After an enterprise joins the Prophet (Security Public Testing) platform, it can independently publish reward plans to attract white hats on the Prophet platform to submit vulnerabilities. At the same time, the Prophet platform will not disclose any vulnerability details.
Glossary
White hat
White hats are security experts who participate in the vulnerability submission process through the Prophet platform. White hats can identify security vulnerabilities in computer or network systems, but they do not exploit them maliciously. Instead, they report the vulnerabilities to help companies fix them before others exploit them maliciously, helping to maintain computer and Internet security.
Prophet title
White hats obtain the Prophet title by submitting vulnerabilities, and the Prophet level is determined by the points they have earned, which is why you will see terms such as "Level 4 Prophet" and "Level 5 Prophet".
Incentive program
Enterprises that join the Prophet (Security Public Testing) platform can set up a reward plan, that is, they publicly display the reward amounts for high-, medium- and low-risk vulnerabilities respectively. The operators of the Prophet platform then decide how much money to distribute to white hats based on these reward amounts.
Reward coefficient
High-, medium- and low-risk vulnerabilities each correspond to a fixed range of contribution values, so an enterprise that joins the Prophet (Security Public Testing) platform only needs to set a reward coefficient. For example, if the basic contribution value of a high-risk vulnerability is 60-80 points and the enterprise sets the reward coefficient to 10, then the final reward for a high-risk vulnerability under the reward plan will range from 600 to 800 yuan.
Product advantages
Private security center
No vulnerability titles and details will be disclosed
No negative hype and public relations about vulnerabilities
Fully customizable bug bounty criteria
Reliable Security Expert
100% Alipay real-name certified security experts
Share the security expert team and capabilities of the Alibaba Group Security Emergency Response Center (ASRC)
The vulnerability submitter is reliable and the impact of the vulnerability is traceable
Fair vulnerability management
Share the security capabilities of Alibaba Group’s vulnerability operations team
The vulnerability review process is private and fair
Double review for bonus assessment and grade determination
Trusted Prophet Platform
Build a bridge between security experts and enterprises
Join the Prophet (Security Public Testing) platform to help build the Internet security ecosystem
A Prophet platform built on trust, closed-loop handling and win-win outcomes