European Regulation for the Protection of Personal Data and Data Security


By

Eric A. Caprioli, Attorney Admitted to Practice Before Court of Appeals, Juris Doctor, Member of French Delegation to United Nations
&
Isabelle Cantero, Associate (Caprioli & Associés), Lead for Privacy and Personal Data Practice


The European Regulation for the Protection of Personal Data (GDPR) was adopted on April 27, 2016 after 4 years of involved negotiations. Being a directly applicable regulation in each of the Member States (that is, not requiring a national law to implement), it should enable the harmonization of the statutes having to do with the protection of personal data within the European Union and bring the principles of protection into line with the realities of the digital era. It will go into effect on May 25, 2018. For many companies, these new provisions will involve costs related to the investment required to bring their current tools or procedures into compliance with the new rules.

Single Flexible Protective Statute for All EU Member States

The regulation is applicable to every entity in the private and the public sectors. It applies to the issues of Big Data, profiling, Cloud Computing, security of transborder data traffic, data portability when changing service providers… These issues are to be placed alongside the new advance protection principles (privacy by design or by default), analysis-based protection (impact assessment), documented protection (mandatory documentation serving as evidence of statutory compliance), cascading protection (processor liability and the possibility of joint liability), and stronger protection (rights of individuals and consent). And finally, the accountability principle (i. e. the obligation to prove statutory compliance of how personal information is being handled).

As far as stronger protection for the rights of individuals in concerned, consent should be the focus since it should never be implicit or general and it must be provable (documented and traceable) by the controller. Further, in addition to the conventional rights of individuals, such as access, correction/deletion and objection, the GDPR creates new rights (limitation on data processing, portability, etc.).

As for sanctions handed down by the enforcement authority  (CNIL), it should already be noted that they could be as high as EUR 3 million pursuant to the Digital Republic legislation of October 2016 but with GDPR, for violations of obligations set forth in matters of individual rights they could go all the way to 4% of global revenues, or EUR 20 million. For violations of other obligations prescribed by GDPR, the fines could be as high as 2% of global revenue, or EUR 10 million.

And to round off this brief summary of the changes, the current Ombudsperson for IT and Freedoms (optional designation) will be replaced by a Data Protection Officer whose functions will clearly be broader. This designation is mandatory under certain conditions: in a Government body or authority, whenever data processing enables regular and systematic large-scale monitoring of individuals, whenever sensitive or criminal record information is being processed on a large scale, or whenever required by Union or Member State law.

Personal Data Protection Core Security

GDPR Article 32 on the security of data processing lists the various criteria that a controller and a processor must take into account to determine the level of security required, namely, the state of the art, the costs of implementing security, the processing in question, including its purpose and context, the probability and the severity of the risks for individual rights and freedoms The logic consists in customizing security measures to the risks identified with respect to the processing of personal data.
Major change: the Regulation provides for an assessment of risks to privacy from data processing. Subsequently, it is up to the controller to perform a PIA (privacy impact assessment) for all the processing actions likely to result in a high degree of privacy risk for the individuals in question. According to GDPR, some types of processing are deemed to constitute risks and are subject to a PIA because of the nature of the data being processed (large-scale processing of sensitive or criminal record data) or the purpose of such processing (profiling, large-scale monitoring of public areas, etc.).
Given that this is about safeguards to be put in place, Article 32 lists certain measures that are to be implemented by the controller and/or the processor, such as data pseudonymization or encryption, the implementation of methods capable of ensuring system confidentiality, integrity, availability, and resilience, the implementation of techniques capable of restoring availability and access to personal data in the event of a physical or technical incident, regular verification of such measures. The Code of Conduct (GDPR Article 40) and certification (GDPR Article 42) are also solutions that are likely to be considered with respect to security.
Pursuant to GDPR Article 36, whenever a PIA identifies a high level of risk, it becomes mandatory to consult the CNIL prior to proceeding with the data processing in question. This requires, for instance, that the CNIL be advised of any measures having to do with the security of processing for the CNIL to evaluate whether they are sufficient to allow the processing to proceed.
Pursuant to GDPR, data security also requires that a notification of a personal data breach be made initially to the supervisory authority (CNIL) within 72 hours of it becoming known (Article 33) and to the data subject (Article 34) if CNIL believes the security measures to have been inadequate. This obligation extends to the processor who must notify the controller of any data breaches as soon as it becomes aware of them. These data breaches result from one or more security incidents (unauthorized access to an IT system, data extraction, reproduction, or distribution). Advance incident detection and correction help obviate the need to notify since there is no breach.
We understand that the new regulation requires that locations where data are processed within an organization (mapping) be brought to a condition that will help determine specific priorities for bringing into compliance as well as the relevant support. As for security, implementation of Bug Bounty practices appears to us to be highly recommended to detect security incidents early, thereby preventing them.

GDPR leads us to the following motto:

When security works, everything works!

Interview of Gilles Cadignan – CEO & Co-Founder of Woleet

First of all, can you introduce us to Woleet?

Woleet.io was founded in Rennes in 2016. Woleet is a data anchoring platform using the Bitcoin blockchain. To sum up, we provide a SaaS platform that receives digital fingerprints of data and proceeds to anchor them in Bitcoin by linking these fingerprints to a transaction having a certain date. To achieve this, Woleet builds a cryptographic structure that allows multiple fingerprints to be put together in a single transaction.

The use of Woleet has many benefits:

Once anchored in the blockchain, verification of proof of existence dated and free for anyone with data, anchor receipt and Internet access to retrieve the relevant Bitcoin transaction.
Confidentiality is preserved, Woleet only deals with digital fingerprints, which can be improved with meta-data for information purposes.
No need to have bitcoins to use our service, as Woleet takes care of interacting with the blockchain by building transactions.

Ok but why does the partnership Woleet and YesWeHack make sense?

Well, Yes We Hack is actually a nice team : they like to chat and laugh around a beer 😉

More seriously, the Woleet and YesWeHack partnership came quite logically following a meeting held in Rennes in December 2016 on the framework of the EuroCyberWeek.

The technology and the start-up spirit offered by Woleet fit perfectly with YesWeHack’s know-how. You know the concept of blockchain is too often used as a buzz word. Too often, so called experts talk about it but very few know what it is really. Concretely, the synergy between Woleet, YesWeHack and its partner Digital Security took place in record time (less than 3 weeks), that synergy made it possible very effectively to integrate all the skills to the benefit of the project Zerodisclo.com.

Thanks to the meeting of Woleet and YesWeHack, the blockchain finally finds a relevant and concrete use-case to better secure the Internet.

Woleet is very proud to have contributed to its measure to this useful initiative for the public interest. Obviously, it is a smart and good way for Woleet to promote our skills and vision.

So from your point of view : why is zerodisclo.com a good usecase?

Yes We Hack wanted for its Zerodisclo.com service to have irrefutable proof of integrity and time-stamping for vulnerability reports transmitted via the Zerodisclo.com. An open and verifiable proof by all without intermediary. The choice of anchoring the integrity and time-stamp data for these vulnerability reports was self-evident. By anchoring them in the blockchain, the service offered full transparency without revealing any information about the source or content about the discovered vulnerability. The anchoring of data in the blockchain coupled with the electronic signature thus ensures an increased degree in terms of irrefutable traceability for each party, both for the security researcher and for the company concerned by the vulnerability.

Zerodisclo.com was launched during the FIC2017 and it showed very genuinely that an idea can become operational and efficient when all the stakeholders involved contribute with a common interest. This notable exercise reveals the quality of startups in France and furthermore in Europe.

Zerodisclo is therefore an ambitious project aimed at strengthening information systems by facilitating the reporting of vulnerabilities by some good Samaritans. Innovation is at this stage rather unique, Zerodisclo.com is a non-profit tool to better protect bug reporters by putting in the loop the official CERTs that will have the responsibility to warn the organizations concerned.

By the way, next march 29 in Paris for Hackpero.com at Ecole 42, i will take the floor with Guillaume from YesWeHack to present the synergy we made within the project : ZeroDisclo.com !

Can you tell us more about the evolutions of Woleet?

After a year of various experiments with several customers, Woleet is entering a phase of production of the various projects. By focusing solely on mature low-level uses, we differentiate ourselves from the only experimental approach of the majority of current blockchain projects. Beyond the implementation of the projects based on the Woleet platform, we owe many projects such as the standardization work on proofs, carried out jointly with several other international startups with authorities such as the W3C. At R&D level, we are working on the next primitives that we intend to provide as an alternative to the digital signature based on the Bitcoin protocol, we also provide tools for the management of digital assets, always on Bitcoin. To lead all these projects, we will have to make our team grow and welcome passionate people who want to participate in – what we think is – a revolution at least as big as the Internet revolution.

YesWeHack is now member of FNTC’s business incubator

YesWeHack is now an official member of FNTC (The Federation of the Digital Trusted Third Parties) ‘s business incubator.

We, YesWeHack, were used to mentioning during our conferences the real need for building trust for our Bug bounty platform namely Bountyfactory and this membership is a milestone for our company.

The FNTC Board met in December to validate our application to its business incubator.

Thanks to the FNTC Board for having accepted us in its business incubator.

FNTC has a three-pronged mission :

  • Promote techniques and methods for guaranteeing trust in digital technology and foster knowledge of best practices.
  • Build trust in the digital technology of tomorrow.
  • Assist public institutions.

We hope to be able to contribute to all projects within FNTC’s business incubator by putting our expertise and our vision in terms of computer security at the service of new and future actors.

ZeroDisclo.com : IT Security Researchers finally Protected

In constant contact with its community of security researchers, YesWeHack has noted that it is complex for a security researcher and therefore, for a whistle-blower to report security flaws -in a  coordinated way – to impacted organizations. Especially if those organizations do not have a Bounty Bounty program registered on BountyFactory.io !

Vulnerability discoverers often experience difficulties on how to report them to the organizations concerned without disclosing them to a third party and unfortunately direct contact with companies constitutes a legal risk.

A long-time partner of the security research community through its founders, YesWeHack launches ZeroDisclo.com.

This platform provides the technical means and the required environment for all to adopt the coordinated reporting of vulnerabilities commonly known as “Coordinated Vulnerability Disclosure“.

The platform, which can be accessed directly or via the Tor network, offers any Internet user the opportunity to report a vulnerability to CERTs™ via an on-line form, providing the necessary information to understand and evaluate its severity through its CVSS score. The researcher can then choose to remain anonymous or provide his identity if he/she wishes to be contacted, or even thanked in return.

The report will be encrypted via OpenPGP plus the key of the CERT™ in the very browser, time-stamped, signed by the Blockchain and forwarded automatically to the CERTs™ chosen from an exhaustive list.

In exchange, the researcher receives a certificate attesting to his/her submission.

Currently, the CERTs™ selected by ZeroDisclo.com are the CERT-EU, CERT-FR, and the CERT-UBIK created by Digital Security dedicated to the Internet of things. Moreover, organizations can subscribe to ZeroDisclo.com in order to monitor in real time, the flaws concerning their systems and -if necessary- to contact the relevant CERTs™ in order to know the details.

ZeroDisclo.com aims at empowering the community, for security researchers to prove their good faith. ZeroDisclo.com offers an efficient and ethical alternative to services disclosing vulnerabilities on the Internet and on the black market.

Founded in 2013, YesWeHack connects organizations or projects with IT security needs with skilled people.

4 interdependent platforms are available:

– YesWeHack Jobboard: the first job site specializing in computer security.
– Bounty Factory: Bug Bounties’ first European platform.
– FireBounty: Bug Bounties aggregator.
– ZeroDisclo: Vulnerability Reporting Platform.


References


Press contact: presse@yeswehack.com


Edouard Camoin, CISO of Outscale.com, on the bug bounty switching process from private to public status

https://twitter.com/skelkey

Edouard Camoin, CISO of Outscale.

– What’s your role as CISO within Outscale?

First of all, Outscale deals with IaaS : like AWS we provide API and we have Branch offices in France, USA and China. Each Branch office is subject to a specific digital sovereignty.

I’ve been wearing two hats : Guarantor of the internal security and guarantor of the security for the customers.
Globally speaking the human resources are at the core of my job.

– What was the need assessment that led to the opening of a bug bounty program?

We provide cloud computing services with certification 27001.

Regularly, we order pentesting sessions led by IT security companies. The results are pretty good but that did not satisfy us enough and we wanted to go deeper to better secure our products.

We made up our mind to expanse our culture in terms of security. Clearly, bug bounty is another approach because the payment is bound to the result, only the result counts, and bug bounty is not limited in time.

– Why did you opt for BountyFactory and more precisely, what criteria convinced you compared to other US and European platforms?

We needed a platform based in France and so in Europe strictly because it was a strong demand on the behalf of our management because we are very sharp on the sovereignty of the data.

So de facto, the US platforms have been disqualified.

BountyFactory offers much better responsiveness with the integration of features within the platform and the process of creating the program is clear. We were seduced and convinced by the high quality of the responsiveness and relevance of the YesWeHack team.

– Did you ask for assistance in setting up your program?

BountyFactory provides a real and efficient support and follow-up.

As a matter of fact, we managed to publish our program in just a single day!

I was sent an example of a program and in no time I was able to finalize, define our scope properly. Last step was the adjusting of the overall amount for the rewards.

– For the private step how many hunters did you select?

From the hall of fame, I just selected the hunters that I knew of reputation (5 or 8) and completed with some of the yeswehack private team.

– During the private program what did you notice in terms of reporting of vulnerabilities?

Indeed, we had two private programs.
One focused on our IaaS and Api and the other one focused on our web application .

As for our Web interface : we’ve got 10 reported bugs in one month, and 5 were validated. Only 3 of them were critical.
Concerning our API : nothing critical so far .

– Have you enjoyed the quality of communication between you and the hunters via the Bountyfactory platform? What improvement would you need?

The ticketing system via email is ok beyond that, we often discuss with hunters via twitter and more generally via the famous IRC so it would be a good idea to have a secure and built-in Instant messaging feature.
The hunters are very correct, they ask before attacking. The level of discussion and consultation is really good, prevention upstream before testing the perimeter because the platform was in production. They are careful and responsible, they want to have the customer’s approval before trying various methods.

– Why did you decide to go public?

First beginning by a Private program was highly needed for we had no experience in managing a bug bounty program.
The private step has a clear advantage : a private bug bounty is like a pentest without time limit.
Going Public will allow us to test in real conditions our IaaS + Api.
This first pass throughout the private mode is important to lucidly approach the switching from private to public status.
Now we are glad to announce : Everyone can play !

The real attacker does not care about standards so only Bug Bounty can simulate this brutal truth !

– In short, are you satisfied with your choice?

Bug Bounty is really appreciated in communities, we wanted to set an example, in our humble opinion, the pentesting will have to question itself. The Hunter is involved in bug bounty to find. Unfortunately, no normative aspects (PASSI) look at the benefits and we can confirm that the real attacker does not care about standards so only bug bounty can simulate this brutal truth !
With our customers, we will promote this exercise widely via twitter, and moreover our security approach via bug bounty will be explained to our partners and customers in the forthcoming appointments.

***

The Hunt is ON !

Outscale Bug Bounty Program

***

Xavier Leune, CCM Benchmark Group, on the benefits of bug bounty

Xavier Leune - CCM Benchmarck group -

Xavier Leune – CCM Benchmarck group –

What is your role in CCM benchmark ?
I am deputy CTO and i’m in charge of technical monitoring with Damien Mangin, CTO of CCM Benchmark Group.

What were the reflexion and the needs assesment that brought about a bug bounty program ?
Like any other actor on the Internet, we are experiencing increasing threats like hacking tries or malware targeting our platforms. As we are the first French leaders media company (according to Comscore), we are particularly exposed to cyber threats. Therefore, we are meant to have a proactive approach in terms of security in order to protect our users’ data.
The bug bounty Program we opened was a very important step complementary of others methods we set up (pentests, trainings). In terms of security by design, this exercise is really useful for our devs because thanks to the bug reporting they can improve the degree of security of their own code.

Why did you guys choose Bounty Factory : What made the difference compared to other bug bounty platforms ?
We paid attention to several criteria provided by Bountyfactory.io. First advantage was the fact that it is based in France and it strongly facilitated the set up because we had a good feeling throughout the discussion with YesWehack teams. They did prove their capacity in mobilizing some high-level hunters for a program such as ours. Eventually, The European approach and the way the rewards are run were both arguments that can assure us to fight against the financing of terrorism.

Did you ask for an help for setting up of your program (in terms of scope, timing, invitations) ?
Since the launching of our bug bounty program on the 28th of September, we’ve been helped by Bounty Factory dedicated Team from the very beginning and on the regular basis. We did profit from their experiences in order to better write up our program and better define our scope so that hunter were precisely informed of our expectations. Moreover, we have been accompanied to define our rewarding policy to treat properly the feedback given by hunters who are spending long time for securing our platforms.
Last but not least, we benefited from Bounty Factory dedicated team in order to select and send invitations to high-ranked hunters.

How many hunters did you invite for the private step ?
For the private step we have invited the whole YesWehack private team made of 10 people.

During the private time, what did you notice out in terms of reported vulnerabilities ?
Obviously at the very beginning of the program simple and common vulnerabilities were reported, especially XSS vulnerabilities. As time went by, more sophisticated vulnerabilities appeared , we were really surprised by some findings. We have felt a very good implication on the behalf of each hunter who was driven by their appetite for being the first reporting a critical vulnerability.
The features : 58 reported bugs, 34 were subject to corrective measures. Others were mainly duplicates 18 out of 24.
The number of critical vulnerabilities were up to 5.
The best reward  for one and only bug was up to 1000 €.

Did you appreciate the level of communication between you and the hunters ?
The level of communication with the hunters was really appreciated by our team. At times, we experienced some difficulties concerning some vulnerabilities in reproducing them or understanding the prejudice they implied. So the hunters were really good at answering our questions and at double-checking the patches we delivered.

Why did you choose to go public ?
To us, going public is a natural evolution of our bug bounty program. We wanted to be able to understand correctly the art of running a bug bounty through Bountyfactory.io especially by dealing with a restricted number of reported bugs in a first movement and along with hunters whom we wanted to communicate with. Now, we are far more confident in terms of procedures and in terms of patching policy, so it makes sense going public and being exposed to a max of skills to keep on securing our platform .

In terms of profits, can you say that beyond the financial aspect there are issues of communication and reputation ? How would CCM deal with these aspects ?
It is important for us to show a proactive approach on such crucial issues. However, it is not planned at the moment to promote the opening of our bounty bug program towards our audience. Above all, we decided to go public for ourselves and our visitors.

***

So, Hunters 

Hack and take the cash

via BountyFactory

***

Portrait of a hunter : Ylujion

ylujionYesWeHack is glad to introduce you to its best hunters performing on BountyFactory.io

This week, it’s @Ylujion‘s turn, Check his portrait below !

***

  1. How old are you  ?
    I’m 32
  1. Where does your nickname come from ?
    The reason why i’ve chosen Ylujion as nickname is really simple : i wanted to invent a genuine nickname that does not exist on the Internet to see how it will propagate through search engines as i started posting on twitter and co. Generally speaking, i am told that my nickname is shitty 🙂 and i do agree somehow ! … Apart from that, the correct way of pronouncing “Ylujion” is like the way you pronounce the English word “illusion”. This kind of phonetic trick amuses me 🙂
  1. How long have you been hunting ?
    I have been hunting for more than one year.
  1. How did you discover bug bounty hunting ?
    Thanks to a friend who told me to test different bug bounty platforms.
  1. When do you spend most of your time hunting bugs ?
    Mainly during the night and the week-end, sometimes at lunch break when i am at work.
  1. As a Bug Bounty hunter, What are you driven by ?
    What i do appreciate in Bug Bounty is the diversity of scopes and technologies. It enables you to test up-to-date technologies by the prism of information security. Above all, there is a sort of freedom of action, you can go hunting whenever you want, from wherever you are, without being under pressure. Last but not least, you can earn money if you get good results.
    I often do recommend beginners interested by pentesting to dive into bug bounty platforms as a training discipline. It enables you to increase your skills in information security with real targets but within a full legal framework !
  1. Can you tell us one funny story about Bug Bounty Hunting ? (epic win and/or fail)
    I had spent more than 20 hours on exploiting one vulnerability in the scope of a rather famous startup’s program. Thanks to this vulnerability, i gained access to almost the entire information system so i decided to submit a report. Meanwhile, i was excited in terms of reward : usually this kind of vulnerability can be rewarded between 1,000$ & 10,000$ !
    Eventually, i won a  t-shirt ^^
    Driven by excitement and performance, i forgot the program clearly mentioned there was no reward but only gifts 🙂 too bad !
  1. What’s the best reward for one vulnerability you got thanks to Bounty Factory ?
      5 000 € (Ed.

Ylujion’s total rewards for December reached 15 000 €

    !)
  1. To you, What are the benefits of  Bug Bounty compared to pentesting?
    For a company, a bug bounty program enables you to test without time restriction moreover your system will be tested by various and numerous hunters. The company can also define the different level of reward and thus know the required budget to have a successful bug bounty program. Beyond that, it does not replace a traditional and classical pentest.
  1. What’s your favorite language ?
    Python
  1. What’s your favorite OS  ?
    Arch Linux but i guess there is no relation between this OS and bug hunting
  1. Beyond bugbounty, what are your hobbies ?
    I am really good at drinking, eating and sleeping of course 🙂

***

follow @Ylujion on twitter !

&

Come on and play on BountyFactory.io

YesWeHack winner of the Jury’s Favorite Prize #FIC2017

https://www.forum-fic.com/site/GB,C59984,I59984.htm?KM_Session=15efbfef1e084b087bdc5a5e39919cdb

YesWeHack Team is honored to have received the #FIC2017 Jury’s Favorite Prize

This Jury’s Favorite Prize proves that our products meet the challenges of today: the hiring of talents and the need for agile security. This award will allow us to strengthen our leadership in France and above all to boost us to conquer the Euro zone, that is our priority for 2017 !

Guillaume Vassault-Houlière, Yeswehack CEO

brad_pit

Congratulations to the winners :

  • Prove & Run
  • GateWatcher 

img_2044

We do thank all members of the Jury

  • François Lavaste, Président CyberSecurity, Airbus Defence and Space
  • Alain Bouillé, RSSI, Caisse des Dépôts et Président du CESIN (Club des experts de la sécurité de l’information et du numérique)
  • Gilles Daguet, General Partner, ACE Management
  • Thierry Delville, Inspecteur général de la Police nationale, Délégation ministérielle aux industries de sécurité
  • Laurent Dumas Crouzillac, Associé, CapHorn Invest
  • Thomas Fillaud, Chef de bureau, Politique industrielle et Assistance (PSS), ANSSI
  • Philippe Gaillard, Associé, CyberD Capital
  • Joseph Graceffa, R&D-SSI, CLUSIR Nord de France
  • Jacques Hébrard, Commandant, Région gendarmerie Hauts de France
  • Geoffroy Hermann, Chef du bureau Réseaux & Sécurité, DGE
  • Jacques-Benoît Le Bris, DSI, Solvay
  • Olivier Ligneul, RSSI, Groupe EDF
  • Thierry Olivier, RSSI, Société Générale
  • Frédéric Valette, Responsable du pôle SSI, Direction générale de l’armement, Ministère de la Défense
  • Yves Veret, Senior Advisor Sécurité Numérique & Technologie de l’information CALAO Finance

***

For those who do not know the FIC aka International Cybersecurity Forum (Hosted in Lille – France)

The International Cybersecurity Forum is a platform aiming at promoting a pan-european vision of cybersecurity as well as to strengthen the fight against cybercrime.

In order to do so, the FIC relies on :

• The trade show, to share knowledge and ideas, recruit new employees and maintain contacts
• The forum, to discuss and debate with experts, to gather ideas and to share professional lessons
• The Observatory, to continue exchanging views and information after the FIC, to explore topics in greater depth and to consolidate our network of experts and like minded throughout the year

***

See you soon #FIC2017 !

fic2017_ban_horizontal

 

Bountyfactory.io : What about the legal features ?

Load European Cybersecurity

Bountyfactory.io – the first European Bug Bounty platform – was launched in early 2016.

Unlike some other platforms, Bountyfactory.io presents some specific and legal features that are designed to strengthen its relevance, security and legitimacy.

Above all, Bountyfactory.io focuses on security and legal framework :

Our Servers are based in Europe. Therefore, No data exposure to the US services via FISA, Patriot Act, Freedom Act.

  • BountyFactory uses OVH dedicated cloud that is subject to Service Organization Controls namely SOC 1 type II (SSAE 16 et ISAE 3402) & SOC 2 type II
  • Our infrastructure is ISO 27001 certified
  • Each vulnerability, each report, each comment is encrypted before being stored in our database and only identified actors are access granted.
  • In terms of financial transactions : BountyFactory complies with the following norm > The Payment Card Industry Data Security Standard (PCI DSS)
  • In terms of Privacy, BountyFactory is subject to EU Data Protection Reform (January 2012) While the Regulation will enter into force on 24 May 2016, it shall apply from 25 May 2018. The Directive enters into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018.
  • Our payment system, MangoPay, is tightly compliant to EU legal framework in terms of anti Money laundering and anti financing terrorism

mangopay_european_legal_framework

***

Beyond that essential standards, let’s go deeper into BountyFactory.io in order to discover some useful and relevant features :

As a customer – once logged in as Admin-manager – you will be able to digitally sign the General Terms & Conditions of Use thanks to YouSign Company based in France and subject to both French and European Law.

The GTU signing process

Send Bug Bounty Confirmation Code

Validation of the signing Process

signing process

Still as a customer, you are free to Credit and Refund your account any time you need.

Bug Bounty Credit and Refund

By default, your bug bounty program will be private so you can select the hunters (max 50 people) you want to invite.

For instance, you can choose BountyFactory core Team made of 10 people.

Yes We Hack Bug Bounty Private Team

And let the game begin !

The chosen hunters will start searching for vulnerabilities within the scope you defined with BountyFactory Manager.

Bug Bounty Program Management is a differentiating criterion and this feature will be the topic of the a forthcoming and dedicated post.

In order to win efficiency and time : only confirmed true vulnerabilities are taken into account.

Therefore, you will see the amount of bugs found in your dashboard . Each Bug is categorized according to OWASP criteria.

The screenshot below shows more details about the gamification feature focusing on the quality of reports submitted by Bug Bounty Hunters.

The admin-manager is able to rate and allocate one or several points to a well written report on one vulnerability .

Validation of the Vulnerability Report

Over Communicate

Comments are very useful to discuss some details with the researcher and it strengthens significantly the level of communication between the requester and the hunters.

Comments of the Vulnerability Report

One important step is the following : The way you will be able to reward a good hunter.

Thanks to MangoPay technology and security, one hunter can be paid by credit card or through your wallet. MangoPay is a service provided by the French Bank > Crédit Mutuel Arkéa

Rewarding Bug Bounty Hunter

The Dashboard gives you an overview of bug types and statuses

Dashboard

types_of_bug_bounty

As a Game Master : manage your Budget, your Timing, your Hunters

For instance, the screenshot shows you can keep an eye on your budget by checking statistics of the ongoing bug hunting (average and max rewards out of your total budget)

budget_average_reward_bug_bounty

Any time, you can choose to switch from a private program to a public program.

Switching from Private to Public Status

This step is specifically critical so BountyFactory Manager will be notified.

In order to avoid failure, YesWeHack Program manager will double check with the requester if it is a legitimate move.

To sum up, BountyFactory.io provides original features that will help customers managing their Bug Bounty Programs with all the specs, layers of security and trustworthy norms.

rihannaRegister and open your own bug bounty program !

***

/!\ Keep in mind /!\

We Have More Features to Show You

We will keep You posted folks !


Read More > Our FAQ

The Internet of Elevators, of Cars, of Weapons !

lift

Have you ever watched The Lift ? A Dutch horror movie by director Dick Maas about an intelligent ( or smart ?) and murderous elevator starting a killing spree. (Source : wikipedia)

Scary, isn’t it ?

Beyond fiction, the film “The Lift” aimed at questioning technology, systems you can not regain control over.

Nowadays, we are told about the benefits of design thinking, internet of things and their tremendous power in terms of digital and economic development… Oh wait.

Unfortunately, the Internet of Things is driven by marketing ravenous hyenas and very few IoT companies are inspired by – what we could call – the Security Design Thinking.

nebula_of-things

Today, within the Internet of Things, Auto Industry has to struggle to prevent itself from being hacked both by criminals and by their inner blind appetite for market at the expense of their duty in the field of security.

Imagine the antithesis of the legendary film “Rebel without a cause” where the hero no longer rides a car as a symbol of freedom but he’s the prisoner of a runaway wagon.

The revelations concerning the recent fraud on the behalf of  Volkswagen – by the way VW is not an isolated case – highlighted what is at stake in terms of security in the fabulous world of the Internet of Cars.

Before reaching the point of no return, Cars companies and end users should deeply consider the following thoughts :

  • Cars like drones and planes are not harmless devices

In terms of security and safety, Auto and aeronautics industries have to be exemplary and they constantly have to improve again and again their technology, their protocol. Unlike many devices of the Internet of things, cars and planes are massive vehicles. They can cause real and serious damages when they are out of control. They unfortunately can be used as weapons. Therefore, smart and connected cars could be potential massive killing machines.

  • Millions of cars as One Botnet

Like any device of the Internet of things, a car can be pirated and subject to a botnet. In this case, a huge number of cars can be orchestrated as one  and only system driven by just one freak, Remember Skynet ! Needless to say that a terrorist attack could be coordinated via this kind of botnet.

  • Top priority : Privacy and Security By Design

IoT companies seem far from tackling the highly critical issue : How to secure the entire chain of their business including their precious customers (known as end users), their reputation, their data.

The Internet of Cars could be, somehow, a strong ally for security (reducing car accidents) and environmental issues (reducing the CO² emissions footprint) but Automakers don’t seem to prioritize acutely despite some attempts like the Automotive Cybersecurity Best Practices.

Auto industry has to embrace privacy and security by design, they must think and implement these concepts before moving on to the unbridled production of hackable products.

Examples of compromised connected cars are legions such as Tesla, Range Rover etc.

To address these concerns and data compliance issues, car manufacturers need to address privacy and security issues and legislative requirements at the design stage – and not as an afterthought – and, in the EU at least, will need to develop technological solutions to empower individuals to track and manage their own data.
Privacy by design – essential for the growth of the Internet of Things? by Taylor Wessing

  • The vital need for an offline button.

In case of emergency, every single connected car should be provided with a kill-switch feature meaning at any time one could switch a smart car from a full connected mode to a full manual and off-line mode including the old-school and reliable steering wheel.

  • Fighting the diktat of Obsolescence

Tackling the issue of Obsolescence is highly relevant especially when the world is facing the global climate change. Beyond security, Car Manufacturers have to improve the reputation of their products and thus adapt their marketing policy by promoting the sustainable quality of their vehicles.

  • The fallacious comfort of voice controlling, key-less and wireless features

Internet of Things is a constellation of connected devices, it requires user-friendly innovation to  improve its appropriation by speaking human beings. It turns out to be clear that voice controlling, key-less and wireless features are to be core parts of IoT UX namely User experience.

That Generalization of wireless and key-less features is a real curse for it is exposing more and more IoT and therefore smart cars to encryption_is_not_a_crimecriminals. There are numerous testimonies asserting that thieves use cloning electronic tools to illegally open and drive cars. Those kind of tools can -easily- capture and reproduce voice spectrum, wireless signal and so on and so forth. Therefore, Encryption and physical tokens are still good layers of security for Multi-factor authentication (MFA).

Indeed, it has been said that multi-factor authentication is the worst form of security except all those other forms that have been tried from time to time. – The Churchill Way of IT security 🙂

  • Security is a continuous process

First, Security through obscurity is no cure because it hides potential and critical bugs.

Definitely, Car Industry should strengthen its proof of concept by testing continuously the robustness of their technology. Open Source code enables companies to improve their protocol.

By Open Sourcing and submitting the code to communities (IT security Experts, hackers, FLOSS developers) AutoMakers will increase significantly the degree of their products’ security,  especially thanks to bug bounty programs.

There was a landmark : for the first time in the history of automotive, Fiat-Chrysler did invite hackers to test their cars in the framework of bug bounty programs with clear boundaries made of legal, financial norms such as BountyFactory.io

To sum up, Car industry has to find its Way within the IT security experience by questioning itself  and applying the OODA loop scheme.

the Way is not an end but a process, a journey… The connections, the insights that flow from examining the world in different ways, from different perspectives, from routinely examining the opposite proposition, were what were important. The key is mental agility.
– John Boyd

ooda-loop-1-1(Source : The Tao of Boyd: How to Master the OODA Loop )

Page 1 of 2

YES WE HACK © 2017 | Our Job Board | Our Bounty Factory | Events | Press