How Unique Uses GObugfree to Enhance Security in the Financial Sector

Unique, a pioneer in developing generative AI solutions for the financial sector, skillfully navigates between rapid development and the strict compliance and security requirements of its highly regulated and risk-averse customers. How does a bug bounty program fit into this scenario?
In an industry that is characterized by innovation and strict regulations in equal measure, Unique is setting new standards with its AI-based solutions. Balancing rapid development with the strict security and compliance requirements of the risk-averse financial world is a challenge.
To explain how Unique overcomes this and what role a bug bounty program plays in this, Michael Dreher, CISO at Unique, gave an interview to GObugfree. Read the full version (translated to English) below:
Michael, your goal is to develop a visionary Unique FinanceGPT platform for the digital age. Can you tell us more about your approach?
Unique is a Swiss startup specializing in generative AI solutions for the financial industry. We are pioneers in Switzerland and Europe when it comes to implementing generative AI solutions with a focus on security and compliance. Our products include a chat that helps banks upload knowledge and chat against it, as is known from ChatGPT, as well as a conversation platform for transcribing and summarizing conversations. This can involve highly sensitive bank customer data that is subject to the highest security levels of FINMA regulation.
Our B2B SaaS platform is specially designed for banks and insurance companies that operate in a highly regulated environment and are very risk-averse. We attach great importance to security and compliance and have designed our solutions from the outset to be as secure and compliant as possible. Data storage can be flexibly carried out on a multi-tenant system, a completely separate enterprise tenant or, if desired, in the bank's environment (tenant or on-premises) in order to meet the highest security standards.
How did you come up with the idea of a bug bounty program?
We originally planned to conduct traditional penetration tests and started with a GObugtest in September 2022, which we repeated in September 2023. This was our first step to evaluate the security of our platform. However, we quickly realized that annual testing, whether by the community or formal penetration testing, could not keep pace with our fast development cycle. A striking example of this is our experience from September last year, when a pentest was conducted and a completely new platform went online in January. The results of the test were therefore already out of date just a few months later. The bug bounty program allows us to react to changes much more flexibly. We can quickly and flexibly adapt the scope of our security audits.
How did your customers react to the change?
Initially, banks were concerned about moving from traditional pen tests to a bug bounty program, fearing there would be too little continuous activity. To address these concerns, we implemented transparent communication, including monthly public statistics on our website showing the number of rejected reports and the severity of vulnerabilities found. This transparency has increased our customers' trust, as they can see that security work is being done continuously.
What is the benefit of the bug bounty program?
The bug bounty program has helped us significantly in finding and fixing vulnerabilities more quickly. The flexibility of the program allows us to react quickly to changing security requirements. Despite regular static and dynamic scans, there are always vulnerabilities that only experienced researchers can identify - errors that are overlooked by automated systems.
Since we do not conduct internal security research, external validation of our security measures, as required by ISO 27001 certification, is crucial. The bug bounty program meets this requirement comprehensively and flexibly. Our goal goes beyond mere compliance; we want to make our software truly secure.
GObugfree's professional triage relieves our team by filtering out irrelevant or erroneous reports, allowing us to focus on real threats. We also use the data from the program to identify trends and proactively adapt our security measures, which continuously improves our defense strategies.
What further plans do you have regarding cybersecurity?
Since launching a private bug bounty program with a handful of researchers in October 2023, we have been continuously expanding it. Our goal is to further expand the program by the end of 2024 and eventually make it available to a wider public. We plan to increase the bounties to make the program more attractive to researchers and thus increase the quality and quantity of incoming security reports. This underlines our commitment to the highest security standards and shows our desire to always stay on top of the latest developments and respond proactively to security threats.
What would you recommend to other organizations that want to start a bug bounty program?
I recommend that small and medium-sized businesses seriously consider implementing a bug bounty program. It complements traditional security measures and is more in line with the rapid evolution of the technology industry. A bug bounty program enables continuous security monitoring and adaptation, which is critical to keeping up with the dynamic cyber threat landscape. Especially at a time when new threats are emerging rapidly, it provides an efficient and effective method to proactively address and close security gaps.
With a bug bounty program, we benefit from a broad pool of security researchers with a variety of specializations. This has significantly improved the quality of our security reports and uncovered vulnerabilities that were missed in previous penetration tests.