OVH Bug Bounty RetEx by Vincent Malguy

As OVH bug bounty manager from March 2016 to March 2018, Vincent Malguy, through this interview, delivers his return of experience to share some tips with people who wonder how to set up and manage a program.

***

The genesis

In the early 2010’s, many companies in the IT sector like Facebook or Google started to launch bug bounty programs and within OVH this appeared as an obvious need. However, it took time to frame the project and to meet all the operational conditions to take the leap.

In 2015, when I was recruited by OVH, it was time to put in place all the bricks to calmly launch a bug bounty.

Back in the day, we identified two issues: the issue of vulnerability export and the legal complexity when paying rewards.

Of course, we evaluated the possibility of launching it without external help but we quickly gave up the idea because it is not our core business.

In any case since the beginning, it has been clear in our minds that a real bug bounty program is, in the long run, a program open to a wide audience.

In January 2016, we met with Korben and Freeman. They presented YesWeWack’s roadmap to launch the first European bug bounty platform.

The timing was perfect and we decided together to launch OVH’s public program on the occasion of “la Nuit du Hack” in June 2016.

Private phase

In this exercise we have the support of the management and technical teams.

Based on that internal mobilization, we started to carry out an additional audit on the initial scope in order to ensure its maturity. We then worked with the communications, legal and accounting teams. Once these prerequisites were gathered and validated, with YesWeHack, we started with a 1 month private window.

Read More

Bug Bounty: Take the leap – [ITW] Alain Tiemblo @BlaBlaCar

Alain Tiemblo – BlaBlaCar Web Security Lead Engineer

Since September 2017, BlaBlaCar has been managing with a select number of security experts a private Bug Bounty program to enhance the operational security of its platform.

Previously accessible only by invitation via BountyFactory.io, YesWeHack’s bug bounty platform, this program has enabled BlaBlaCar to remain proactive on the cyber security of its services.

Thursday April 19, BlaBlaCar’s program is public

What is your role at BlaBlaCar?

I am a backend developer profile, today overseeing application security. When I was joined BlaBlaCar, I was in charge of the platform’s performance and security. In mid-2015 and early 2016, our operational security needed to level up significantly, especially following our major fund-raising campaigns, which put BlaBlaCar under the light, pressure. So at that period of time, i took the lead of a small team to mitigate these attacks, and audit/consolidate the platform.

What is your approach to security, including coordinated vulnerability disclosure?

We have kept application security in-house for a long time. Previously, we used classical audits conducted by various companies, by several basic pentest applications, by using static analysis tools, etc. I think it helped to rough out a lot of little things that would have been detected by bug hunters.

In addition, we received a few troll messages on Twitter reporting vulnerabilities without notice and without any details… We also have some emails via customer support about potential security holes, but nothing was disclosed by these contacts, they first wanted to be paid and this, without proof of the existence of a security flaw, so it was impossible for us to enter the game.

Read More

Bug Bounty : Franchir le pas – ITW d’Alain Tiemblo @ BlaBlaCar

Alain Tiemblo - Bug Bounty - Vulnerability Coordination

Depuis septembre 2017, BlaBlaCar propose à un nombre d’experts en sécurité triés sur le volet, un
programme de Bug Bounty privé afin de renforcer la sécurité opérationnelle de sa plateforme. Accessible
jusqu’alors uniquement sur invitation via BountyFactory.io, la plateforme de bug bounty de YesWeHack, ce programme a permis à BlaBlaCar de rester proactif sur la cybersécurité de ses services.

Entretien avec Alain Tiemblo Web Security Lead Engineer – @BlaBlaCar – manager du programme de Bug Bounty.

Jeudi 19 avril le programme de BlaBlaCar est public

Quel est votre rôle au sein de BlaBlaCar ?

Je suis un profil développeur backend, aujourd’hui chapeautant la sécurité applicative. Lorsque je suis arrivé à BlaBlaCar, je m’occupais de la performance et la sécurité de la plateforme. Mi 2015 début 2016, nos besoins en sécurité opérationnelle ont augmenté de manière significative notamment à la suite de nos grosses levées de fonds qui ont suscité quelques convoitises. J’ai alors pris le lead d’une petite équipe afin de mitiger ces attaques, et auditer / consolider la plateforme.

Quelle est votre démarche en termes de sécurité et notamment de divulgation coordonnée de vulnérabilités?

Nous avons pendant longtemps gardé la sécurité applicative en interne. Auparavant, nous faisions appel à des audits classiques menés par diverses entreprises, par plusieurs applications de pentest, en utilisant des outils d’analyses statiques, etc. Je pense que ça a permis de dégrossir beaucoup de petites choses qui auraient été détectées par des chasseurs de failles.

Par ailleurs, on a reçu quelques messages de trolls sur Twitter signalant des failles sans préavis et sans aucun détails…

Read More

SaXX, number one of Bounty Factory’s all time ranking.

This month, we publish an interview with one of the best researchers of our  Bounty Factory called SaXX who is only 27 years old.

In the all time ranking, SaXX culminates in the first place and he intends to defend his ranking well. Like Rafael Nadal, SaXX never gives up and works hard to exercise his passion with his true mischievous side!

1. Where did you get your nickname?

Well, that’s a question a lot of people ask.
I only tell the genesis of this nickname in certain circles.

2. What’s your background?

I have a career path that some would describe as classic. I had a BAC S (maths specialization) then a BTS IG at that period of time. After the BTS, I didn’t really know what to do so I let myself be tempted by an Information Systems Management school in Lorient – France.

Read More

YesWeHack rejoint l’Alliance pour la Confiance Numérique

Depuis février 2018, YesWeHack est membre de l’ACN (Alliance pour la Confiance Numérique).

Déjà membre de la FNTC, YesWeHack vient grossir les rangs de l’Alliance pour contribuer à la consolidation d’un écosystème industriel en France dont les priorités sont : la sécurité, la souveraineté, la compétitivité et l’influence.

Le hacking éthique est une composante de plus en plus importante du vaste domaine de la confiance numérique dont l’ACN a vocation à assurer la représentation institutionnelle au niveau national et européen. C’est pourquoi nous sommes très heureux qu’un acteur aussi emblématique que YesWeHack se joigne à l’ACN pour participer à l’action collective de notre secteur.

Yoann KASSIANIDES, Délégué Général de l’ACN

YesWeHack oeuvre pour stimuler la coopération entre les divers acteurs de la sécurité. En rejoignant la communauté de l’ACN, YesWeHack participera activement au travail d’identification et de clarification des besoins de la confiance numérique, de promotion de la vision de l’ACN au niveau Européen tout en facilitant la discussion, les échanges avec toutes les communautés et les entreprises de toutes tailles.

Nous sommes fiers de faire partie de l’ACN car nous adhérons complètement aux valeurs de l’Alliance et nous serons force de proposition pour l’aider à mener ses actions concrètes de développement de marchés et de solutions en Europe.

Guillaume Vassault-Houlière CEO de YesWeHack
https://douwedeboer.pixieset.com/

Interview of EdOverFlow : Bug Hunter & mastermind of security.txt

Photo Courtesy of Douwe De Boer

What is your background ?

I am a web developer, security researcher, and a computer science student at the ETH Zürich. In my spare time, I like to contribute to open-source projects, hunt for security vulnerabilities, and triage reports. For a long time, one of my biggest goals has been to learn something new as often as possible and get to know people who share a similar passion for what they do.

How long have you been bug hunting and what are you driven by ?

I have been bug bounty hunting for roughly one and a half years, but I have been interested in security for quite a while. Curiosity and learning something new are what drive me the most. I find myself constantly wanting to try something new and learn as much about the topic as possible.

Can you explain the genesis of security.txt ?

Read More

Datavisualization : CrowdSecurity in Europe by YesWeHack

2017 was an important year for YesWeHack, especially for our Bug Bounty service !

Below you will find a data-visualization from our BountyFactory.io platform over the past year.

As the first Bug Bounty platform in Europe, this is the first time key figures have been published.

We are proud to announce that 67% of the YesWeHack bug hunters’ community is made up of Europeans.

In 2017, thanks to our community of experts, more than 2000 bugs were reported, of which 40% were considered critical with a CVSS score of 7 or more.

Read More

The Dark Side of XSS revealed

Cross-site scripting (XSS) is one of the most common web application vulnerabilities and is still present in the OWASP Top 10-2017.

The goal of this paper is not to explain how to bypass antiXSS filter in browser or WAF protection, but to figure out what possibilities are offered by XSS vulnerabilities.

CISOs like Bug Bounty Managers need to pay attention to this kind of vulnerability which -at times- can be critical through the first steps of chaining.

Read More

Datavisualisation : la Crowdsecurity en Europe par YesWeHack

2017 a été une année importante pour YesWeHack, notamment en ce qui concerne le Bug Bounty.

Vous trouverez ci-dessous une infographie qui reprend des données clés tirées de notre plateforme BountyFactory.io durant l’année passée.

En tant que 1re plateforme de Bug Bounty en Europe, c’est la première fois que des chiffres sont publiés.

Nous sommes fiers de vous annoncer que la communauté d’experts YesWeHack se compose à 67% d’Européens.

En 2017, grâce à notre communauté d’experts,  plus de 2000 bugs ont été remontés dont 40% étaient considérés comme critiques avec un score CVSS supérieur ou égal à 7.

Read More

Pépinière d'entreprises _ Atalante Beaulieu

YesWeHack ouvre des bureaux à Rennes et contribue à l’écosystème cybersec en Bretagne

Depuis 2013, YesWeHack n’a cessé de croître et se renforce aujourd’hui avec de nouveaux locaux, au sein de la pépinière numérique à Cesson-Sévigné, en Bretagne, deuxième région « cybersec » après l’Ile-de France.

Le marché de la cybersécurité, particulièrement attractif, attire aussi bien une clientèle nationale qu’internationale. Afin de répondre aux attentes de cette clientèle exigeante, notre équipe s’agrandit et prend ses quartiers à la pépinière numérique à Cesson-Sévigné.

L’équipe YesWeHack bénéficie désormais de locaux dédiés où Romain LECOEUVRE (CTO), Laurent JOUANNIC (Business Development) et Nicolas DIAZ (Communication) auront un accès plus aisé pour coopérer et échanger avec les décideurs et les porteurs de projets bretons.

Read More

Page 1 of 4

Powered by WordPress & Theme by Anders Norén