Qwant.com & BountyFactory.io to harden companies’ systems

Qwant.com's Security & Privacy Fund is now real, and it aims at hardening companies' systems through our BountyFactory.io!

Qwant has always believed that online services should be developed with maximum protection of the confidentiality of users' personal data. That is why Qwant took a "privacy by design" and "data minimization" approach from day one, which requires thinking ahead about the technical means and business models that generate as little risk as possible for users' privacy.

Since 2014, with the help of YesWeHack's founders, Qwant has run its own bug bounty program.

Each year Qwant offers bounties to the vulnerability hunters gathered at La Nuit du Hack in Paris. Those programs, run by the HackerzVoice and YesWeHack teams, have significantly helped Qwant build up skills and better protect its users' personal data.

For the 15th edition of La Nuit du Hack, Qwant wants to offer other startups and organizations, through its fund, the opportunity to challenge and improve the security of their services with the best hackers in Europe and the world, and so to improve privacy on the Internet.

Qwant grants 10,000 euros to this fund, which will pay bounties to hackers who discover vulnerabilities in the services of startups or associations that share Qwant's ethical values.

Organizations selected to benefit from this fund will of course be assisted in putting their bug bounty program together.

You can find all the details needed to apply for this Privacy & Security Fund on the operation's official website: https://hackmeimfamous.com/

Shall We Play A Game ? Yes We Shall ⠵

Yes We Hack is proud to be platinum sponsor of the 15th "la Nuit du Hack" on June 24 & 25 \o/

The forthcoming Nuit du Hack will gather more than 2,000 people from all over Europe!

Check the schedule !

☠ ☠ ☠

A bit of history:

Originally, la Nuit du Hack was created by Paulo Pinto aka CrashFR.

"La Nuit du Hack" is one of the oldest French underground hacker events, bringing together professionals and amateurs of every skill level around lectures and challenges.

At the very beginning, in 2003, the budget of la Nuit du Hack was under €1k.

Started with 20 people, the event has never stopped growing, gathering more and more attendees, from amateurs to professionals.

Its budget has now reached €170k thanks to the HackerzVoice team, Géraldine and almost 100 volunteers 🙂

Since the very beginning in 2003, YesWeHack's founders have worked closely with HackerzVoice to organize La Nuit du Hack.

In 2011, the event hosted several internationally renowned speakers and attracted more than 950 guests, including more than 50 challengers.

In 2014, Qwant.com organized its first bug bounty within the framework of la NDH. At that time, a prototype of BountyFactory.io was used to manage the bug bounty programmes.

At that time the founders of YesWeHack were part of the jury 🙂 please enjoy the picture below!

For the 2014 and 2015 editions, the rewards were, let's say, exotic: real Bounty chocolate bars, and reward cheques were signed on stage by Guillaume Vassault-Houlière aka Free_Man (President of HackerzVoice and YesWeHack CEO).

Each year, a common pot is set up to pay the bounties; any money left over is donated to the HackerzVoice association.

2015 was the year Skyrock, Denyall and Qwant ran bug bounty programmes together.

2016 was a landmark for YesWeHack: it was the first time la NDH bug bounty programmes were handled by an official version of BountyFactory.io!

For the occasion, platform fees were waived for the event, and the dedicated bug bounty programmes (Qwant.com / OVH.com / Orange / Protektoid) were restricted to NDH attendees physically present on the Disneyland site and, as usual, managed by HackerzVoice. Meanwhile, the jury was strengthened by recruiting a new member: Mr. Skunk!

2017 is a special edition of la NDH and, as platinum sponsor, the YesWeHack team is willing to make things bigger for the sake of the game and of fun!

For the 15th edition of la Nuit du Hack, there will be about 10 bug bounty programmes restricted to 'la Nuit du Hack' attendees.

Only attendees inside Disneyland will be allowed to play. Don't forget to register on BountyFactory.io!

Stay Tuned !

For duplicates, we planned everything if you wanna cry :P

 ☠ ☠ ☠

YesWeHack also provides a dedicated HackDating zone where recruiters can spot talent during la Nuit du Hack!

Recruiting entities are:

  • Ministère de la Défense (France)
  • Orange Cyberdefense
  • Synacktiv
  • Sysdream
  • Sogeti
  • Outscale
  • Digital Security
  • Vade Secure
  • ANSSI
  • OVH
  • Qwant
  • Airbus
  • DoctoLib

So, post your CV on Jobs.YesWeHack.com!

 ☠ ☠ ☠

La Nuit du Hack is a unique event where curious people have fun, whatever their skills!

HackerzVoice Will Never Die !

☠ ☠ ☠

European Regulation for the Protection of Personal Data and Data Security


By

Eric A. Caprioli, Attorney Admitted to Practice Before Court of Appeals, Juris Doctor, Member of French Delegation to United Nations
&
Isabelle Cantero, Associate (Caprioli & Associés), Lead for Privacy and Personal Data Practice


The European Regulation for the Protection of Personal Data (GDPR) was adopted on April 27, 2016 after four years of protracted negotiations. As a regulation, it is directly applicable in each Member State (no national implementing law is required), which should harmonize personal data protection law across the European Union and bring the protection principles into line with the realities of the digital era. It applies from May 25, 2018. For many companies, the new provisions will involve the cost of bringing current tools and procedures into compliance with the new rules.

A Single Flexible Protective Statute for All EU Member States

The regulation applies to every entity in the private and public sectors. It addresses Big Data, profiling, cloud computing, the security of cross-border data transfers, data portability when changing service providers, and more. Alongside these come new principles: protection in advance (privacy by design and by default), analysis-based protection (impact assessment), documented protection (mandatory documentation serving as evidence of compliance), cascading protection (processor liability and possible joint liability), stronger protection (rights of individuals and consent), and finally the accountability principle (the obligation to prove that personal data is handled in compliance with the regulation).

As far as stronger protection for the rights of individuals is concerned, consent deserves particular attention: it must never be implicit or general, and the controller must be able to prove it (documented and traceable). In addition to the conventional rights of access, rectification/erasure and objection, the GDPR creates new rights (restriction of processing, portability, etc.).

As for sanctions by the supervisory authority (in France, the CNIL), these can already reach EUR 3 million under the Digital Republic Act of October 2016. Under the GDPR, violations of the obligations relating to individual rights can be fined up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher; violations of the GDPR's other obligations can be fined up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher.

To round off this brief summary of the changes, the current IT and Civil Liberties Correspondent (CIL, an optional designation) will be replaced by a Data Protection Officer with clearly broader functions. The designation is mandatory in certain cases: for a public authority or body, where the processing involves regular and systematic large-scale monitoring of individuals, where sensitive or criminal-record data is processed on a large scale, or where Union or Member State law requires it.

Security at the Core of Personal Data Protection

GDPR Article 32 on the security of processing lists the criteria a controller and a processor must take into account to determine the level of security required: the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the likelihood and severity of the risks to the rights and freedoms of individuals. The logic is to tailor security measures to the risks identified for the processing of personal data.

Major change: the Regulation requires an assessment of the privacy risks arising from processing. The controller must carry out a data protection impact assessment (PIA) for any processing likely to result in a high risk to the individuals concerned. Under the GDPR, some types of processing are deemed risky and subject to an impact assessment by the nature of the data (large-scale processing of sensitive or criminal-record data) or by the purpose of the processing (profiling, large-scale monitoring of publicly accessible areas, etc.).

Since the point is the safeguards to be put in place, Article 32 lists measures to be implemented by the controller and/or the processor, such as pseudonymization or encryption of data, means to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability of and access to personal data in the event of a physical or technical incident, and regular testing of these measures. Codes of conduct (GDPR Article 40) and certification (GDPR Article 42) are also likely to be considered with respect to security.

Under GDPR Article 36, whenever an impact assessment indicates a high risk that the controller cannot sufficiently mitigate, the CNIL must be consulted before the processing starts. In practice, the CNIL must be informed of the security measures envisaged so that it can assess whether they are sufficient for the processing to proceed.

Under the GDPR, data security also requires that a personal data breach be notified to the supervisory authority (the CNIL) within 72 hours of the controller becoming aware of it (Article 33), and to the data subjects (Article 34) when the breach is likely to result in a high risk to their rights and freedoms; the supervisory authority may also require that notification. The obligation extends to the processor, which must notify the controller of any breach without undue delay after becoming aware of it. Such breaches result from one or more security incidents (unauthorized access to an IT system, data extraction, copying or dissemination). Early detection and correction of incidents, before data is actually compromised, avoids a notifiable breach altogether.

We understand that the new regulation requires organizations to map where data is processed, so that compliance priorities and the related support can be set. On the security side, we consider bug bounty practices highly recommended: they help find vulnerabilities early, before they turn into security incidents.

GDPR leads us to the following motto:

When security works, everything works!

Interview of Gilles Cadignan – CEO & Co-Founder of Woleet

First of all, can you introduce us to Woleet?

Woleet.io was founded in Rennes in 2016. Woleet is a data anchoring platform using the Bitcoin blockchain. In short, we provide a SaaS platform that receives digital fingerprints of data and anchors them in Bitcoin by linking those fingerprints to a transaction bearing a given date. To achieve this, Woleet builds a cryptographic structure that allows multiple fingerprints to be aggregated into a single transaction.

Using Woleet has many benefits:

  • Once anchored in the blockchain, a dated proof of existence can be verified free of charge by anyone who has the data, the anchor receipt and Internet access to retrieve the relevant Bitcoin transaction.
  • Confidentiality is preserved: Woleet only handles digital fingerprints, which can be enriched with metadata for information purposes.
  • No need to own bitcoins to use our service, as Woleet takes care of interacting with the blockchain by building the transactions.

Ok but why does the partnership Woleet and YesWeHack make sense?

Well, Yes We Hack is actually a nice team: they like to chat and laugh over a beer 😉

More seriously, the Woleet and YesWeHack partnership came about quite logically following a meeting held in Rennes in December 2016 within the framework of the EuroCyberWeek.

The technology and the start-up spirit of Woleet fit perfectly with YesWeHack's know-how. You know, the concept of blockchain is too often used as a buzzword: so-called experts talk about it, but very few know what it really is. Concretely, the synergy between Woleet, YesWeHack and its partner Digital Security came together in record time (less than 3 weeks), which made it possible to bring all the skills together very effectively for the benefit of the Zerodisclo.com project.

Thanks to the meeting of Woleet and YesWeHack, the blockchain finally finds a relevant and concrete use case to better secure the Internet.

Woleet is very proud to have contributed, in its own way, to this useful initiative in the public interest. Obviously, it is also a smart way for Woleet to promote our skills and vision.

So from your point of view: why is zerodisclo.com a good use case?

Yes We Hack wanted its Zerodisclo.com service to have irrefutable proof of integrity and time-stamping for the vulnerability reports transmitted through it: an open proof, verifiable by all without an intermediary. Anchoring the integrity and time-stamp data for these vulnerability reports was self-evident. By anchoring them in the blockchain, the service offers full transparency without revealing any information about the source or the content of the discovered vulnerability. Anchoring in the blockchain, coupled with the electronic signature, thus ensures a higher degree of irrefutable traceability for each party, both the security researcher and the company concerned by the vulnerability.

Zerodisclo.com was launched during FIC2017 and showed very clearly that an idea can become operational and efficient when all the stakeholders involved contribute to a common interest. This notable exercise reveals the quality of startups in France and more widely in Europe.

Zerodisclo is therefore an ambitious project aimed at strengthening information systems by making it easier for good Samaritans to report vulnerabilities. At this stage the innovation is rather unique: Zerodisclo.com is a non-profit tool to better protect bug reporters by bringing into the loop the official CERTs, which have the responsibility to warn the organizations concerned.

By the way, on March 29 in Paris, at Hackpero.com at Ecole 42, I will take the floor with Guillaume from YesWeHack to present the synergy we built within the ZeroDisclo.com project!

Can you tell us more about the evolution of Woleet?

After a year of various experiments with several customers, Woleet is entering the production phase of these projects. By focusing solely on mature low-level uses, we differentiate ourselves from the purely experimental approach of most current blockchain projects. Beyond implementing projects based on the Woleet platform, we are involved in many others, such as the standardization work on proofs carried out jointly with several other international startups and with bodies such as the W3C. At the R&D level, we are working on the next primitives that we intend to offer as an alternative to digital signatures, based on the Bitcoin protocol; we also provide tools for managing digital assets, always on Bitcoin. To lead all these projects, we will have to grow our team and welcome passionate people who want to take part in what we think is a revolution at least as big as the Internet revolution.

YesWeHack is now member of FNTC’s business incubator

YesWeHack is now an official member of the business incubator of the FNTC (Fédération des Tiers de Confiance du Numérique, the French federation of digital trusted third parties).

During our conferences we, YesWeHack, have often mentioned the real need to build trust around our bug bounty platform, BountyFactory; this membership is a milestone for our company.

The FNTC Board met in December to validate our application to its business incubator.

Thanks to the FNTC Board for having accepted us in its business incubator.

FNTC has a three-pronged mission:

  • Promote techniques and methods for guaranteeing trust in digital technology and foster knowledge of best practices.
  • Build trust in the digital technology of tomorrow.
  • Assist public institutions.

We hope to be able to contribute to all projects within FNTC’s business incubator by putting our expertise and our vision in terms of computer security at the service of new and future actors.

ZeroDisclo.com : IT Security Researchers finally Protected

Through constant contact with its community of security researchers, YesWeHack has noted how complex it is for a security researcher, and therefore for a whistle-blower, to report security flaws in a coordinated way to the impacted organizations, especially when those organizations do not have a Bug Bounty program registered on BountyFactory.io!

Vulnerability discoverers often struggle to report them to the organizations concerned without disclosing them to a third party, and unfortunately direct contact with companies carries legal risk.

A long-time partner of the security research community through its founders, YesWeHack is launching ZeroDisclo.com.

This platform provides the technical means and the environment needed for anyone to adopt the coordinated reporting of vulnerabilities commonly known as "Coordinated Vulnerability Disclosure".

The platform, which can be reached directly or via the Tor network, lets any Internet user report a vulnerability to CERTs through an online form, providing the information needed to understand it and evaluate its severity through a CVSS score. The researcher can then choose to remain anonymous, or provide an identity in order to be contacted, or even thanked, in return.

The report is encrypted in the browser with OpenPGP, using the public key of the chosen CERT, then time-stamped, anchored in the blockchain and forwarded automatically to the CERTs selected from an exhaustive list.

In exchange, the researcher receives a certificate attesting to the submission.
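The anchoring scheme Woleet describes above (many fingerprints aggregated into one Bitcoin transaction, verifiable by anyone holding the data and the receipt) and the certificate ZeroDisclo hands back to the researcher are illustrated by the following added example. It is not Woleet's or ZeroDisclo's code: the receipt layout, the Merkle tree with an odd node promoted unchanged, the root being stored in an OP_RETURN output, the sample reports and the in-memory FAKE_CHAIN standing in for the blockchain are all assumptions made here so that it runs offline.

```python
import hashlib
import json

# Constructed sample input (not real reports): three submissions standing in for
# what researchers would send. Only their SHA-256 fingerprints leave the client.
SAMPLE_REPORTS = [
    b"report-1: stored XSS in /search (CVSS 6.1)",
    b"report-2: IDOR on /api/v1/users/{id} (CVSS 8.2)",
    b"report-3: weak TLS configuration on mail gateway (CVSS 5.3)",
]

# Constructed stand-in for the Bitcoin blockchain: txid -> what the transaction
# carries. A real verifier would fetch the transaction from a node or explorer
# and read the root out of its OP_RETURN output (assumed storage location).
FAKE_CHAIN = {}


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of a document: the only thing the anchoring service sees."""
    return hashlib.sha256(data).hexdigest()


def _hash_pair(left_hex: str, right_hex: str) -> str:
    """Inner node: SHA-256 over the raw bytes of the left child followed by the right."""
    return hashlib.sha256(bytes.fromhex(left_hex) + bytes.fromhex(right_hex)).hexdigest()


def build_tree(leaves):
    """Aggregate leaf fingerprints into one Merkle root.

    Returns (root, proofs): proofs[i] is the list of (side, sibling_hex) steps
    that take leaf i up to the root, 'side' being where the sibling sits.
    An odd node at any level is promoted unchanged (assumption; Bitcoin's own
    tree duplicates it instead, and Woleet's real layout is not described here).
    """
    if not leaves:
        raise ValueError("nothing to anchor")
    proofs = [[] for _ in leaves]
    level = list(leaves)
    groups = [[i] for i in range(len(leaves))]  # leaf indices under each node
    while len(level) > 1:
        next_level, next_groups = [], []
        for j in range(0, len(level) - 1, 2):
            left, right = level[j], level[j + 1]
            for i in groups[j]:
                proofs[i].append(("right", right))
            for i in groups[j + 1]:
                proofs[i].append(("left", left))
            next_level.append(_hash_pair(left, right))
            next_groups.append(groups[j] + groups[j + 1])
        if len(level) % 2 == 1:
            next_level.append(level[-1])
            next_groups.append(groups[-1])
        level, groups = next_level, next_groups
    return level[0], proofs


def anchor(leaves, txid: str, block_time: str):
    """Publish one root for all leaves and hand back one receipt per leaf."""
    root, proofs = build_tree(leaves)
    FAKE_CHAIN[txid] = {"op_return": root, "block_time": block_time}
    return [
        {"target_hash": leaf, "proof": proofs[i], "merkle_root": root,
         "anchor": {"chain": "bitcoin", "txid": txid}}
        for i, leaf in enumerate(leaves)
    ]


def verify_receipt(data: bytes, receipt: dict) -> bool:
    """Verify from the data and the chain alone; the receipt's hashes are untrusted.

    True only if hashing the data reproduces target_hash, replaying the proof path
    reproduces merkle_root, and that root is what the referenced transaction carries.
    """
    h = fingerprint(data)
    if h != receipt["target_hash"]:
        return False                      # document altered, or wrong receipt
    for side, sibling in receipt["proof"]:
        h = _hash_pair(sibling, h) if side == "left" else _hash_pair(h, sibling)
    if h != receipt["merkle_root"]:
        return False                      # proof path does not lead to the claimed root
    tx = FAKE_CHAIN.get(receipt["anchor"]["txid"])
    return tx is not None and tx["op_return"] == h


if __name__ == "__main__":
    receipts = anchor([fingerprint(r) for r in SAMPLE_REPORTS],
                      txid="00" * 32, block_time="2017-01-25T10:00:00Z")
    print(json.dumps(receipts[1], indent=2))
    print(verify_receipt(SAMPLE_REPORTS[1], receipts[1]))                  # True
    print(verify_receipt(SAMPLE_REPORTS[1] + b" (edited)", receipts[1]))   # False
```

The verifier trusts nothing in the receipt except the transaction id: it rehashes the document, replays the sibling path and compares the result with what the transaction carries, so an altered report or a forged receipt fails, and the receipt for one report reveals nothing about the others aggregated into the same transaction beyond their hashes.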

Currently, the CERTs selected by ZeroDisclo.com are CERT-EU, CERT-FR and CERT-UBIK, created by Digital Security and dedicated to the Internet of Things. Organizations can also subscribe to ZeroDisclo.com to monitor in real time the flaws concerning their systems and, if necessary, contact the relevant CERT to learn the details.

ZeroDisclo.com aims to empower the community and let security researchers prove their good faith. It offers an efficient and ethical alternative to services that disclose vulnerabilities on the Internet and on the black market.

Founded in 2013, YesWeHack connects organizations or projects with IT security needs with skilled people.

Four interdependent platforms are available:

– YesWeHack Jobboard: the first job site specializing in computer security.
– Bounty Factory: the first European bug bounty platform.
– FireBounty: bug bounty aggregator.
– ZeroDisclo: vulnerability reporting platform.


Press contact: presse@yeswehack.com


Edouard Camoin, CISO of Outscale.com, on switching a bug bounty program from private to public

https://twitter.com/skelkey

Edouard Camoin, CISO of Outscale.

– What’s your role as CISO within Outscale?

First of all, Outscale is an IaaS provider: like AWS, we provide an API, and we have branch offices in France, the USA and China. Each branch office is subject to a specific digital sovereignty regime.

I wear two hats: guarantor of internal security and guarantor of security for our customers.
Globally speaking, human resources are at the core of my job.

– What needs assessment led to opening a bug bounty program?

We provide cloud computing services with ISO 27001 certification.

We regularly order pentests led by IT security companies. The results are pretty good, but that did not satisfy us enough and we wanted to go deeper to better secure our products.

We made up our minds to expand our security culture. Clearly, bug bounty is another approach: payment is bound to results, only results count, and a bug bounty is not limited in time.

– Why did you opt for BountyFactory and more precisely, what criteria convinced you compared to other US and European platforms?

We needed a platform based in France, and therefore in Europe, because this was a strong demand from our management: we are very strict on data sovereignty.

So de facto, the US platforms were disqualified.

BountyFactory offers much better responsiveness, with features integrated within the platform, and the process for creating a program is clear. We were won over by the quality, responsiveness and relevance of the YesWeHack team.

– Did you ask for assistance in setting up your program?

BountyFactory provides real, efficient support and follow-up.

As a matter of fact, we managed to publish our program in a single day!

I was sent an example program and in no time I was able to finalize it and define our scope properly. The last step was adjusting the overall amount of the rewards.

– For the private step, how many hunters did you select?

From the hall of fame, I selected the hunters I knew by reputation (5 or 8) and completed the list with some of the YesWeHack private team.

– During the private program what did you notice in terms of reporting of vulnerabilities?

Indeed, we had two private programs.
One focused on our IaaS and API, the other on our web application.

For our web interface: we got 10 reported bugs in one month, 5 of which were validated; only 3 of them were critical.
For our API: nothing critical so far.

– Did you enjoy the quality of communication with the hunters via the BountyFactory platform? What improvement would you need?

The ticketing system via email is OK; beyond that, we often discuss with hunters via Twitter and, more generally, via the famous IRC, so a secure, built-in instant messaging feature would be a good idea.
The hunters are very correct: they ask before attacking. The level of discussion and consultation is really good, with prevention upstream before testing the perimeter because the platform was in production. They are careful and responsible; they want the customer's approval before trying various methods.

– Why did you decide to go public?

Starting with a private program was essential, since we had no experience in managing a bug bounty program.
The private step has a clear advantage: a private bug bounty is like a pentest without a time limit.
Going public will allow us to test our IaaS and API in real conditions.
This first pass through private mode is important in order to approach the switch from private to public lucidly.
Now we are glad to announce: everyone can play!

The real attacker does not care about standards so only Bug Bounty can simulate this brutal truth !

– In short, are you satisfied with your choice?

Bug bounty is really appreciated in the communities; we wanted to set an example. In our humble opinion, pentesting will have to question itself: the hunter is involved in a bug bounty to find something. Unfortunately, no normative framework (PASSI) looks at these benefits, and we can confirm that the real attacker does not care about standards, so only bug bounty can simulate this brutal truth!
With our customers, we will promote this exercise widely via Twitter, and our security approach via bug bounty will be explained to partners and customers in forthcoming meetings.

***

The Hunt is ON !

Outscale Bug Bounty Program

***

Xavier Leune, CCM Benchmark Group, on the benefits of bug bounty

Xavier Leune – CCM Benchmark Group

What is your role in CCM Benchmark?
I am deputy CTO and I am in charge of technology watch with Damien Mangin, CTO of CCM Benchmark Group.

What reflection and needs assessment brought about a bug bounty program?
Like any other actor on the Internet, we are experiencing increasing threats, such as hacking attempts or malware targeting our platforms. As a leading French media company (according to Comscore), we are particularly exposed to cyber threats. Therefore we must take a proactive approach to security in order to protect our users' data.
The bug bounty program we opened was a very important step, complementary to the other methods we set up (pentests, training). In terms of security by design, this exercise is really useful for our devs because, thanks to the bug reports, they can improve the security of their own code.

Why did you choose Bounty Factory? What made the difference compared to other bug bounty platforms?
We paid attention to several criteria offered by Bountyfactory.io. The first advantage was that it is based in France, which strongly facilitated the set-up because we had a good feeling throughout our discussions with the YesWeHack teams. They proved their capacity to mobilize high-level hunters for a program such as ours. Finally, the European approach and the way rewards are handled were both arguments that reassure us with regard to the fight against the financing of terrorism.

Did you ask for help setting up your program (scope, timing, invitations)?
Since the launch of our bug bounty program on September 28, we have been helped by the dedicated Bounty Factory team from the very beginning and on a regular basis. We benefited from their experience to better write up our program and better define our scope, so that hunters were precisely informed of our expectations. Moreover, we were assisted in defining our reward policy, to treat properly the feedback from hunters who spend a long time securing our platforms.
Last but not least, the dedicated Bounty Factory team helped us select and invite high-ranked hunters.

How many hunters did you invite for the private step?
For the private step we invited the whole YesWeHack private team, made up of 10 people.

During the private phase, what did you notice in terms of reported vulnerabilities?
Obviously, at the very beginning of the program simple and common vulnerabilities were reported, especially XSS. As time went by, more sophisticated vulnerabilities appeared, and we were really surprised by some findings. We felt very good involvement from each hunter, driven by their appetite to be the first to report a critical vulnerability.
The figures: 58 bugs reported, 34 of which led to corrective measures; of the remaining 24, 18 were duplicates.
There were up to 5 critical vulnerabilities.
The best reward for a single bug was up to €1,000.

Did you appreciate the level of communication between you and the hunters?
The level of communication with the hunters was really appreciated by our team. At times we had difficulties reproducing some vulnerabilities or understanding the harm they implied, and the hunters were really good at answering our questions and double-checking the patches we delivered.

Why did you choose to go public?
To us, going public is a natural evolution of our bug bounty program. We wanted to properly understand the art of running a bug bounty through Bountyfactory.io, first by dealing with a restricted number of reported bugs and with hunters we wanted to communicate with. Now we are far more confident in our procedures and our patching policy, so it makes sense to go public and be exposed to a maximum of skills to keep securing our platform.

In terms of benefits, would you say that beyond the financial aspect there are communication and reputation stakes? How will CCM handle them?
It is important for us to show a proactive approach on such crucial issues. However, we do not currently plan to promote the opening of our bug bounty program to our audience. Above all, we decided to go public for ourselves and our visitors.

***

So, hunters,

Hack and take the cash

via BountyFactory

***

Portrait of a hunter : Ylujion

YesWeHack is glad to introduce you to its best hunters performing on BountyFactory.io.

This week, it's @Ylujion's turn. Check his portrait below!

***

  1. How old are you?
    I'm 32.
  2. Where does your nickname come from?
    The reason I chose Ylujion as a nickname is really simple: I wanted to invent a genuine nickname that did not exist on the Internet, to see how it would propagate through search engines as I started posting on Twitter and co. Generally speaking, I am told my nickname is shitty 🙂 and I do agree somehow! Apart from that, the correct way of pronouncing "Ylujion" is like the English word "illusion". This kind of phonetic trick amuses me 🙂
  3. How long have you been hunting?
    I have been hunting for more than one year.
  4. How did you discover bug bounty hunting?
    Thanks to a friend who told me to test different bug bounty platforms.
  5. When do you spend most of your time hunting bugs?
    Mainly at night and on weekends, sometimes at lunch break when I am at work.
  6. As a bug bounty hunter, what drives you?
    What I appreciate in bug bounty is the diversity of scopes and technologies. It lets you test up-to-date technologies through the prism of information security. Above all, there is a sort of freedom of action: you can go hunting whenever you want, from wherever you are, without being under pressure. Last but not least, you can earn money if you get good results.
    I often recommend that beginners interested in pentesting dive into bug bounty platforms as a training discipline. It lets you increase your information security skills on real targets, but within a fully legal framework!
  7. Can you tell us one funny story about bug bounty hunting? (epic win and/or fail)
    I had spent more than 20 hours exploiting one vulnerability in the scope of a rather famous startup's program. Thanks to this vulnerability, I gained access to almost the entire information system, so I decided to submit a report. Meanwhile, I was excited about the reward: usually this kind of vulnerability is rewarded between $1,000 and $10,000!
    Eventually, I won a t-shirt ^^
    Driven by excitement and performance, I had forgotten that the program clearly mentioned there was no reward, only gifts 🙂 too bad!
  8. What's the best reward you got for one vulnerability thanks to Bounty Factory?
    €5,000 (Ed.: Ylujion's total rewards for December reached €15,000!)
  9. To you, what are the benefits of bug bounty compared to pentesting?
    For a company, a bug bounty program enables testing without time restriction; moreover, your system is tested by many different hunters. The company can also define the different reward levels and thus know the budget required for a successful bug bounty program. Beyond that, it does not replace a traditional pentest.
  10. What's your favorite language?
    Python
  11. What's your favorite OS?
    Arch Linux, but I guess there is no relation between this OS and bug hunting.
  12. Beyond bug bounty, what are your hobbies?
    I am really good at drinking, eating and sleeping, of course 🙂

***

Follow @Ylujion on Twitter!

&

Come on and play on BountyFactory.io

YesWeHack winner of the Jury’s Favorite Prize #FIC2017

https://www.forum-fic.com/site/GB,C59984,I59984.htm

The YesWeHack team is honored to have received the #FIC2017 Jury's Favorite Prize.

This Jury's Favorite Prize proves that our products meet today's challenges: hiring talent and the need for agile security. This award will allow us to strengthen our leadership in France and, above all, boost us to conquer the Euro zone, which is our priority for 2017!

Guillaume Vassault-Houlière, YesWeHack CEO


Congratulations to the other winners:

  • Prove & Run
  • GateWatcher


We thank all the members of the jury:

  • François Lavaste, President CyberSecurity, Airbus Defence and Space
  • Alain Bouillé, CISO, Caisse des Dépôts, and President of CESIN (Club des experts de la sécurité de l'information et du numérique)
  • Gilles Daguet, General Partner, ACE Management
  • Thierry Delville, Inspector General of the National Police, Ministerial Delegation for Security Industries
  • Laurent Dumas Crouzillac, Partner, CapHorn Invest
  • Thomas Fillaud, Head of Office, Industrial Policy and Assistance (PSS), ANSSI
  • Philippe Gaillard, Partner, CyberD Capital
  • Joseph Graceffa, R&D-SSI, CLUSIR Nord de France
  • Jacques Hébrard, Commander, Hauts-de-France Gendarmerie Region
  • Geoffroy Hermann, Head of the Networks & Security Office, DGE
  • Jacques-Benoît Le Bris, CIO, Solvay
  • Olivier Ligneul, CISO, EDF Group
  • Thierry Olivier, CISO, Société Générale
  • Frédéric Valette, Head of the Information Systems Security Division, Direction générale de l'armement, Ministry of Defence
  • Yves Veret, Senior Advisor, Digital Security & Information Technology, CALAO Finance

***

For those who do not know the FIC, aka the International Cybersecurity Forum (hosted in Lille, France):

The International Cybersecurity Forum is a platform aiming to promote a pan-European vision of cybersecurity and to strengthen the fight against cybercrime.

To do so, the FIC relies on:

• The trade show, to share knowledge and ideas, recruit new employees and maintain contacts
• The forum, to discuss and debate with experts, to gather ideas and to share professional lessons
• The Observatory, to keep exchanging views and information after the FIC, to explore topics in greater depth and to consolidate our network of experts and like-minded people throughout the year

***

See you soon #FIC2017 !


 

YES WE HACK © 2017