Xavier Leune, CCM Benchmark Group, on the benefits of bug bounty

Xavier Leune - CCM Benchmarck group -

Xavier Leune – CCM Benchmarck group –

What is your role in CCM benchmark ?
I am deputy CTO and i’m in charge of technical monitoring with Damien Mangin, CTO of CCM Benchmark Group.

What were the reflexion and the needs assesment that brought about a bug bounty program ?
Like any other actor on the Internet, we are experiencing increasing threats like hacking tries or malware targeting our platforms. As we are the first French leaders media company (according to Comscore), we are particularly exposed to cyber threats. Therefore, we are meant to have a proactive approach in terms of security in order to protect our users’ data.
The bug bounty Program we opened was a very important step complementary of others methods we set up (pentests, trainings). In terms of security by design, this exercise is really useful for our devs because thanks to the bug reporting they can improve the degree of security of their own code.

Why did you guys choose Bounty Factory : What made the difference compared to other bug bounty platforms ?
We paid attention to several criteria provided by Bountyfactory.io. First advantage was the fact that it is based in France and it strongly facilitated the set up because we had a good feeling throughout the discussion with YesWehack teams. They did prove their capacity in mobilizing some high-level hunters for a program such as ours. Eventually, The European approach and the way the rewards are run were both arguments that can assure us to fight against the financing of terrorism.

Did you ask for an help for setting up of your program (in terms of scope, timing, invitations) ?
Since the launching of our bug bounty program on the 28th of September, we’ve been helped by Bounty Factory dedicated Team from the very beginning and on the regular basis. We did profit from their experiences in order to better write up our program and better define our scope so that hunter were precisely informed of our expectations. Moreover, we have been accompanied to define our rewarding policy to treat properly the feedback given by hunters who are spending long time for securing our platforms.
Last but not least, we benefited from Bounty Factory dedicated team in order to select and send invitations to high-ranked hunters.

How many hunters did you invite for the private step ?
For the private step we have invited the whole YesWehack private team made of 10 people.

During the private time, what did you notice out in terms of reported vulnerabilities ?
Obviously at the very beginning of the program simple and common vulnerabilities were reported, especially XSS vulnerabilities. As time went by, more sophisticated vulnerabilities appeared , we were really surprised by some findings. We have felt a very good implication on the behalf of each hunter who was driven by their appetite for being the first to report a critical vulnerability.
The features : 58 reported bugs, 34 were subject to corrective measures. Others were mainly duplicates 18 out of 24.
The number of critical vulnerabilities were up to 5.
The best reward  for one and only bug was up to 1000 €.

Did you appreciate the level of communication between you and the hunters ?
The level of communication with the hunters was really appreciated by our team. At times we experienced some difficulties concerning some vulnerabilities for reproducing them or understanding the prejudice they implied. So the hunters were really good at answering our questions and at double-checking the patches we delivered.

Why did you choose to go public ?
To us, going public is a natural evolution of our bug bounty program. We wanted to be able to understand correctly the art of running a bug bounty through Bountyfactory.io especially by dealing with a restricted number of reported bugs in a first movement and along with hunters whom we wanted to communicate with. Now we are far more confident in terms of procedures and in terms of patching policy, so it makes sense going public and be exposed to a max of skills to keep on securing our platform .

In terms of profits, can you say that beyond the financial aspect there are issues of communication and reputation ? How would CCM deal with these aspects ?
It is important for us to show a proactive approach on such crucial issues. However it is not planned at the moment to promote the opening of our bounty bug program towards our audience. Above all, we decided to go public for ourselves and our visitors.

***

So, Hunters 

Hack and take the cash

via BountyFactory

***

Portrait of a hunter : Ylujion

ylujionYesWeHack is glad to introduce you to its best hunters performing on BountyFactory.io

This week, it’s @Ylujion‘s turn, Check his portrait below !

***

  1. How old are you  ?
    I’m 32
  1. Where does your nickname come from ?
    The reason why i’ve chosen Ylujion as nickname is really simple : i wanted to invent a genuine nickname that does not exist on the Internet to see how it will propagate through search engines as i started posting on twitter and co. Generally speaking, i am told that my nickname is shitty 🙂 and i do agree somehow ! … Apart from that, the correct way of pronouncing “Ylujion” is like the way you pronounce the English word “illusion”. This kind of phonetic trick amuses me 🙂
  1. How long have you been hunting ?
    I have been hunting for more than one year.
  1. How did you discover bug bounty hunting ?
    Thanks to a friend who told me to test different bug bounty platforms.
  1. When do you spend most of your time hunting bugs ?
    Mainly during the night and the week-end, sometimes at lunch break when i am at work.
  1. As a Bug Bounty hunter, What are you driven by ?
    What i do appreciate in Bug Bounty is the diversity of scopes and technologies. It enables you to test up-to-date technologies by the prism of information security. Above all, there is a sort of freedom of action, you can go hunting whenever you want, from wherever you are, without being under pressure. Last but not least, you can earn money if you get good results.
    I often do recommend beginners interested by pentesting to dive into bug bounty platforms as a training discipline. It enables you to increase your skills in information security with real targets but within a full legal framework !
  1. Can you tell us one funny story about Bug Bounty Hunting ? (epic win and/or fail)
    I had spent more than 20 hours on exploiting one vulnerability in the scope of a rather famous startup’s program. Thanks to this vulnerability, i gained access to almost the entire information system so i decided to submit a report. Meanwhile, i was excited in terms of reward : usually this kind of vulnerability can be rewarded between 1,000$ & 10,000$ !
    Eventually, i won a  t-shirt ^^
    Driven by excitement and performance, i forgot the program clearly mentioned there was no reward but only gifts 🙂 too bad !
  1. What’s the best reward for one vulnerability you got thanks to Bounty Factory ?
      5 000 € (Ed.

Ylujion’s total rewards for December reached 15 000 €

    !)
  1. To you, What are the benefits of  Bug Bounty compared to pentesting?
    For a company, a bug bounty program enables you to test without time restriction moreover your system will be tested by various and numerous hunters. The company can also define the different level of reward and thus know the required budget to have a successful bug bounty program. Beyond that, it does not replace a traditional and classical pentest.
  1. What’s your favorite language ?
    Python
  1. What’s your favorite OS  ?
    Arch Linux but i guess there is no relation between this OS and bug hunting
  1. Beyond bugbounty, what are your hobbies ?
    I am really good at drinking, eating and sleeping of course 🙂

***

follow @Ylujion on twitter !

&

Come on and play on BountyFactory.io

YesWeHack winner of the Jury’s Favorite Prize #FIC2017

https://www.forum-fic.com/site/GB,C59984,I59984.htm?KM_Session=15efbfef1e084b087bdc5a5e39919cdb

YesWeHack Team is honored to have received the #FIC2017 Jury’s Favorite Prize

This Jury’s Favorite Prize proves that our products meet the challenges of today: the hiring of talents and the need for agile security. This award will allow us to strengthen our leadership in France and above all to boost us to conquer the Euro zone, that is our priority for 2017 !

Guillaume Vassault-Houlière, Yeswehack CEO

brad_pit

Congratulations to the winners :

  • Prove & Run
  • GateWatcher 

img_2044

We do thank all members of the Jury

  • François Lavaste, Président CyberSecurity, Airbus Defence and Space
  • Alain Bouillé, RSSI, Caisse des Dépôts et Président du CESIN (Club des experts de la sécurité de l’information et du numérique)
  • Gilles Daguet, General Partner, ACE Management
  • Thierry Delville, Inspecteur général de la Police nationale, Délégation ministérielle aux industries de sécurité
  • Laurent Dumas Crouzillac, Associé, CapHorn Invest
  • Thomas Fillaud, Chef de bureau, Politique industrielle et Assistance (PSS), ANSSI
  • Philippe Gaillard, Associé, CyberD Capital
  • Joseph Graceffa, R&D-SSI, CLUSIR Nord de France
  • Jacques Hébrard, Commandant, Région gendarmerie Hauts de France
  • Geoffroy Hermann, Chef du bureau Réseaux & Sécurité, DGE
  • Jacques-Benoît Le Bris, DSI, Solvay
  • Olivier Ligneul, RSSI, Groupe EDF
  • Thierry Olivier, RSSI, Société Générale
  • Frédéric Valette, Responsable du pôle SSI, Direction générale de l’armement, Ministère de la Défense
  • Yves Veret, Senior Advisor Sécurité Numérique & Technologie de l’information CALAO Finance

***

For those who do not know the FIC aka International Cybersecurity Forum (Hosted in Lille – France)

The International Cybersecurity Forum is a platform aiming at promoting a pan-european vision of cybersecurity as well as to strengthen the fight against cybercrime.

In order to do so, the FIC relies on :

• The trade show, to share knowledge and ideas, recruit new employees and maintain contacts
• The forum, to discuss and debate with experts, to gather ideas and to share professional lessons
• The Observatory, to continue exchanging views and information after the FIC, to explore topics in greater depth and to consolidate our network of experts and like minded throughout the year

***

See you soon #FIC2017 !

fic2017_ban_horizontal

 

Bountyfactory.io : What about the legal features ?

Load European Cybersecurity

Bountyfactory.io – the first European Bug Bounty platform – was launched in early 2016.

Unlike some other platforms, Bountyfactory.io presents some specific and legal features that are designed to strengthen its relevance, security and legitimacy.

Above all, Bountyfactory.io focuses on security and legal framework :

Our Servers are based in Europe. Therefore, No data exposure to the US services via FISA, Patriot Act, Freedom Act.

  • BountyFactory uses OVH dedicated cloud that is subject to Service Organization Controls namely SOC 1 type II (SSAE 16 et ISAE 3402) & SOC 2 type II
  • Our infrastructure is ISO 27001 certified
  • Each vulnerability, each report, each comment is encrypted before being stored in our database and only identified actors are access granted.
  • In terms of financial transactions : BountyFactory complies with the following norm > The Payment Card Industry Data Security Standard (PCI DSS)
  • In terms of Privacy, BountyFactory is subject to EU Data Protection Reform (January 2012) While the Regulation will enter into force on 24 May 2016, it shall apply from 25 May 2018. The Directive enters into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018.
  • Our payment system, MangoPay, is tightly compliant to EU legal framework in terms of anti Money laundering and anti financing terrorism

mangopay_european_legal_framework

***

Beyond that essential standards, let’s go deeper into BountyFactory.io in order to discover some useful and relevant features :

As a customer – once logged in as Admin-manager – you will be able to digitally sign the General Terms & Conditions of Use thanks to YouSign Company based in France and subject to both French and European Law.

The GTU signing process

Send Bug Bounty Confirmation Code

Validation of the signing Process

signing process

Still as a customer, you are free to Credit and Refund your account any time you need.

Bug Bounty Credit and Refund

By default, your bug bounty program will be private so you can select the hunters (max 50 people) you want to invite.

For instance, you can choose BountyFactory core Team made of 10 people.

Yes We Hack Bug Bounty Private Team

And let the game begin !

The chosen hunters will start searching for vulnerabilities within the scope you defined with BountyFactory Manager.

Bug Bounty Program Management is a differentiating criterion and this feature will be the topic of the a forthcoming and dedicated post.

In order to win efficiency and time : only confirmed true vulnerabilities are taken into account.

Therefore, you will see the amount of bugs found in your dashboard . Each Bug is categorized according to OWASP criteria.

The screenshot below shows more details about the gamification feature focusing on the quality of reports submitted by Bug Bounty Hunters.

The admin-manager is able to rate and allocate one or several points to a well written report on one vulnerability .

Validation of the Vulnerability Report

Over Communicate

Comments are very useful to discuss some details with the researcher and it strengthens significantly the level of communication between the requester and the hunters.

Comments of the Vulnerability Report

One important step is the following : The way you will be able to reward a good hunter.

Thanks to MangoPay technology and security, one hunter can be paid by credit card or through your wallet. MangoPay is a service provided by the French Bank > Crédit Mutuel Arkéa

Rewarding Bug Bounty Hunter

The Dashboard gives you an overview of bug types and statuses

Dashboard

types_of_bug_bounty

As a Game Master : manage your Budget, your Timing, your Hunters

For instance, the screenshot shows you can keep an eye on your budget by checking statistics of the ongoing bug hunting (average and max rewards out of your total budget)

budget_average_reward_bug_bounty

Any time, you can choose to switch from a private program to a public program.

Switching from Private to Public Status

This step is specifically critical so BountyFactory Manager will be notified.

In order to avoid failure, YesWeHack Program manager will double check with the requester if it is a legitimate move.

To sum up, BountyFactory.io provides original features that will help customers managing their Bug Bounty Programs with all the specs, layers of security and trustworthy norms.

rihannaRegister and open your own bug bounty program !

***

/!\ Keep in mind /!\

We Have More Features to Show You

We will keep You posted folks !


Read More > Our FAQ

The Internet of Elevators, of Cars, of Weapons !

lift

Have you ever watched The Lift ? A Dutch horror movie by director Dick Maas about an intelligent ( or smart ?) and murderous elevator starting a killing spree. (Source : wikipedia)

Scary, isn’t it ?

Beyond fiction, the film “The Lift” aimed at questioning technology, systems you can not regain control over.

Nowadays, we are told about the benefits of design thinking, internet of things and their tremendous power in terms of digital and economic development… Oh wait.

Unfortunately, the Internet of Things is driven by marketing ravenous hyenas and very few IoT companies are inspired by – what we could call – the Security Design Thinking.

nebula_of-things

Today, within the Internet of Things, Auto Industry has to struggle to prevent itself from being hacked both by criminals and by their inner blind appetite for market at the expense of their duty in the field of security.

Imagine the antithesis of the legendary film “Rebel without a cause” where the hero no longer rides a car as a symbol of freedom but he’s the prisoner of a runaway wagon.

The revelations concerning the recent fraud on the behalf of  Volkswagen – by the way VW is not an isolated case – highlighted what is at stake in terms of security in the fabulous world of the Internet of Cars.

Before reaching the point of no return, Cars companies and end users should deeply consider the following thoughts :

  • Cars like drones and planes are not harmless devices

In terms of security and safety, Auto and aeronautics industries have to be exemplary and they constantly have to improve again and again their technology, their protocol. Unlike many devices of the Internet of things, cars and planes are massive vehicles. They can cause real and serious damages when they are out of control. They unfortunately can be used as weapons. Therefore, smart and connected cars could be potential massive killing machines.

  • Millions of cars as One Botnet

Like any device of the Internet of things, a car can be pirated and subject to a botnet. In this case, a huge number of cars can be orchestrated as one  and only system driven by just one freak, Remember Skynet ! Needless to say that a terrorist attack could be coordinated via this kind of botnet.

  • Top priority : Privacy and Security By Design

IoT companies seem far from tackling the highly critical issue : How to secure the entire chain of their business including their precious customers (known as end users), their reputation, their data.

The Internet of Cars could be, somehow, a strong ally for security (reducing car accidents) and environmental issues (reducing the CO² emissions footprint) but Automakers don’t seem to prioritize acutely despite some attempts like the Automotive Cybersecurity Best Practices.

Auto industry has to embrace privacy and security by design, they must think and implement these concepts before moving on to the unbridled production of hackable products.

Examples of compromised connected cars are legions such as Tesla, Range Rover etc.

To address these concerns and data compliance issues, car manufacturers need to address privacy and security issues and legislative requirements at the design stage – and not as an afterthought – and, in the EU at least, will need to develop technological solutions to empower individuals to track and manage their own data.
Privacy by design – essential for the growth of the Internet of Things? by Taylor Wessing

  • The vital need for an offline button.

In case of emergency, every single connected car should be provided with a kill-switch feature meaning at any time one could switch a smart car from a full connected mode to a full manual and off-line mode including the old-school and reliable steering wheel.

  • Fighting the diktat of Obsolescence

Tackling the issue of Obsolescence is highly relevant especially when the world is facing the global climate change. Beyond security, Car Manufacturers have to improve the reputation of their products and thus adapt their marketing policy by promoting the sustainable quality of their vehicles.

  • The fallacious comfort of voice controlling, key-less and wireless features

Internet of Things is a constellation of connected devices, it requires user-friendly innovation to  improve its appropriation by speaking human beings. It turns out to be clear that voice controlling, key-less and wireless features are to be core parts of IoT UX namely User experience.

That Generalization of wireless and key-less features is a real curse for it is exposing more and more IoT and therefore smart cars to encryption_is_not_a_crimecriminals. There are numerous testimonies asserting that thieves use cloning electronic tools to illegally open and drive cars. Those kind of tools can -easily- capture and reproduce voice spectrum, wireless signal and so on and so forth. Therefore, Encryption and physical tokens are still good layers of security for Multi-factor authentication (MFA).

Indeed, it has been said that multi-factor authentication is the worst form of security except all those other forms that have been tried from time to time. – The Churchill Way of IT security 🙂

  • Security is a continuous process

First, Security through obscurity is no cure because it hides potential and critical bugs.

Definitely, Car Industry should strengthen its proof of concept by testing continuously the robustness of their technology. Open Source code enables companies to improve their protocol.

By Open Sourcing and submitting the code to communities (IT security Experts, hackers, FLOSS developers) AutoMakers will increase significantly the degree of their products’ security,  especially thanks to bug bounty programs.

There was a landmark : for the first time in the history of automotive, Fiat-Chrysler did invite hackers to test their cars in the framework of bug bounty programs with clear boundaries made of legal, financial norms such as BountyFactory.io

To sum up, Car industry has to find its Way within the IT security experience by questioning itself  and applying the OODA loop scheme.

the Way is not an end but a process, a journey… The connections, the insights that flow from examining the world in different ways, from different perspectives, from routinely examining the opposite proposition, were what were important. The key is mental agility.
– John Boyd

ooda-loop-1-1(Source : The Tao of Boyd: How to Master the OODA Loop )

YesWeHack Team will attend “les Assises de la sécurité”

From 5 to 8 October 2016, join us for the 16th edition of Les Assises.

“Les Assises de la sécurité” is a key annual event for any professional who is keen on Information Systems Security.

Les Assises will gather more than 2000 people in Monaco to discuss what is at stake in terms of IT security.

YesWeHack Team will be represented by Manuel Dorne aKa Korben & Guillaume VASSAULT-HOULIÈRE aKa Freeman. On October 5 at 5 pm, Guillaume will participate in a round table “Are the search for security breaches and the collaborative economy compatible ?”

YesWeHack Team has a strong experience within Hackers’ communities and the way they deal with legal and accountable disclosure of vulnerabilities.

 

Goals and means of a bug bounty hunter.

These days, Bug bounty Hunters are trending within the IT security ecosystem, but very few articles deal with the DNA of a Bug Bounty Hunter.

At Bountyfactory.io, we consider, unlike Hackers, Bug Bounty Hunters  have to respect and fit legal frameworks and norms.

So, if you are willing to become a bounty hunter, please take the following items into account :

Here are the goals you should be driven by :

  • Keep on having Fun
  • Make the Internet more secure for your beloved and in extenso for all end users. Regarding the rise of two main concepts “Privacy by design” and “Security by design” your role is far more important than ever.  By instinct, you are strongly devoted in protecting people from crooks and all sorts of criminal mercenaries.
  • Share and improve your knowledge and skills. Get wisdom and empowerment.
  • The more, the merrier : Open and strengthen your circle of acquaintances and friends.
  • Get rewards especially cash (not only t-shirts and miles for instance).
  • Forge your reputation, fame and defend your ranking like  a professional Tennis player. Eventually be hunted by recruiters for a well-paid and interesting position in the best IT security company you had been dreaming of. Check Bounty Factory’s ranking page.

Here are the means you should deploy to pursue your goals :

  • Keep learning languages you are supposed to work with.
  • Spot and exploit what the main weakness of each language is .
  • Trust your knowledge : Use your existing skills, especially as a programmer, to spot and find vulnerabilities.
  • Focus on concise reporting : once you found one vulnerability your duty as a hunter is to provide a clear and relevant report so that one could reproduce it properly.
  • Explore new dimensions : After you’ve learnt how to deal with basic vulnerabilities  (eg. IDOR, CSRF) you should move a step forward and look into XSS ones.
  • Reverse Engineering you should cherish and practice.

Being core-hunter of Bounty Factory Private Team

core bug bounty hunter

onemoreMy nickname is Onemore and I am a core-hunter of the BountyFactory.io private Team.

I’ve been hunting for bug bounties since 2012.

As a core-hunter for BountyFactory.io, my job is to spot talents and ask them to join us.

Even if our recruitment is subject to a co-optation process, i do have some criteria that help me spotting and rating new applicants.

In order to level-up the degree of trust, we need to apply some criteria for recruiting of our core hunters.

Those criteria are based on skill, level, openness, ethics, without omitting the ability to produce clear and relevant reports.

In terms of languages, the basic expected knowledge trio is the following : Python, PHP and JS. Obviously, this implies that hunters are to keep on learning other languages and techniques.

Before going public, the bug bounty programs are supposed to be private because our very important customers demand legal framework and concise scope.

The very core of our private team respects the following motto :

Legal conditions demand loyal and trustworthy people.

Based on this code of conduct : only 10 hunters are part of our Private team out of 1200 hunters registered on Bountyfactory.io : 7 are professional pentesters and 3 are from different backgrounds.

Our expertise is not focused on massive hunting but on our efficiency :

Quality Of Service is prior to a huge amount of hunters

Last but not least, our platform responds to norms like ISO 27001. Moreover, our General Conditions of Contract have been reviewed and approved by legal team from namely OVH and Orange.

So, if you wanna try to enter our first circle, then Cross the threshold and smell the coffee honey ! > https://bountyfactory.io/register/hunter

Our Crowd Security Way

This video below presents the genuine and trustworthy commitment of our Bounty Factory.

BountyFactory.io : the first European platform for Bug Bounty

Computer security is a strategic challenge for all organizations and companies. Carrying out an inventory is essential to have an overall view of the situation. Security audits should be performed regularly and the costs are high.

Bug Bounty Programs allow companies to outsource seeking vulnerabilities by collecting a significant number of security breakdowns that will be reproduced and analyzed. This does improve the code, preventing from new risks.

With a good Bug Bounty program, a company can continuously check the security of its site or its applications. Hundreds of experts will test sites, and be rewarded (financial or else).

Submit your site to a Bug Bounty program is affordable. You can communicate about its security, also be proactive and reactive in case of vulnerabilities.

By participating in Bug Bounties, security researchers apply their knowledge legally, are paid, enrich their network and enhance their expertise YesWeHack launches the first European platform for Bug Bounty : BountyFactory.io.

BountyFactory.io is an easy way to secure your platforms.

To create their own Bug Bounty program, the startups, the large enterprise groups or the project holders have to register on our platform. They have to define a scope, a reward and whether it will be private or public.

Security researchers that are registered on Bountyfactory.io then take note of the bug bounty program’s details.

When one of the hunters find a bug inside the scope, it shall have to be validated by the bug bounty initiator. Once recognized, the hunter will instantly be rewarded and credited skill points that would highlight him on Yeswehack.


About YesWeHack :

YesWeHack, launched in 2013, connect organizations or projects with IT security needs with qualified people.

Three interrelated platforms are available :

YesWeHack Jobboard : the first job site specializing in computer security.

Bounty Factory : first European platform for Bug Bounties

FireBounty : Bug Bounties aggregator.

YES WE HACK © 2017 | Our Job Board | Our Bounty Factory | Events | Press