YesWeHackEDU, a fully-fledged educational platform, mobilises real-world hacking techniques for training purposes. YesWeHackEDU provides a reliable approach for reporting vulnerabilities and is a tangible evaluation tool. The platform offers free subscriptions for two months starting from 1 April to help universities during the COVID-19 outbreak.
Can you tell us why you decided to implement a Bug Bounty program?
Edouard Camoin – CISO – 3DS Outscale:
We’ve been ISO 27001 certified since 2014 and are thus required to look for vulnerabilities using penetration testing. At first, the penetration tests were useful; but as time went by, they produced fewer exciting things. We quickly realised that in the limited duration of an audit (2 to 3 weeks), the pentester didn’t have the time to find more severe vulnerabilities. At best, he had hunches, but then we needed to work on them.
We also saw that, for several years, Bug Bounty had been working well in the US, where household names were using the approach.
At first, we hesitated between the Red Team and Bug Bounty, with researchers coming from diverse backgrounds to test our perimeters and discover new vulnerabilities.
Every business needs a vulnerability disclosure policy. Thankfully, a growing number of organisations have one. Yet, those programs are not always a click away. Here’s to a unique plugin for both Chrome and Firefox, because making it easy to report issues need not be much work.
YesWeHack organises bug bounty programmes to disclose and correct vulnerabilities before malicious tools get in. A year after joining the Paris Call, we look back at how we have contributed to furthering peace in cyberspace.