What is your role in CCM Benchmark?
I am deputy CTO and I'm in charge of technical monitoring with Damien Mangin, CTO of CCM Benchmark Group.
What were the reflection and the needs assessment that brought about a bug bounty program?
Like any other actor on the Internet, we are experiencing increasing threats such as hacking attempts or malware targeting our platforms. As we are the leading French media company (according to Comscore), we are particularly exposed to cyber threats. Therefore, we are meant to have a proactive approach in terms of security in order to protect our users' data.
The bug bounty program we opened was a very important step, complementary to the other methods we set up (pentests, trainings). In terms of security by design, this exercise is really useful for our devs because, thanks to the bug reports, they can improve the degree of security of their own code.
Why did you choose Bounty Factory? What made the difference compared to other bug bounty platforms?
We paid attention to several criteria provided by Bountyfactory.io. The first advantage was the fact that it is based in France, which strongly facilitated the set-up because we had a good feeling throughout the discussions with the YesWeHack teams. They proved their capacity to mobilize some high-level hunters for a program such as ours. Finally, the European approach and the way the rewards are run were both arguments that reassure us in the fight against the financing of terrorism.
Did you ask for help in setting up your program (in terms of scope, timing, invitations)?
Since the launch of our bug bounty program on the 28th of September, we have been helped by the Bounty Factory dedicated team from the very beginning and on a regular basis. We benefited from their experience in order to better write up our program and better define our scope, so that hunters were precisely informed of our expectations. Moreover, we were accompanied in defining our reward policy so as to treat properly the feedback given by hunters who spend a long time securing our platforms.
Last but not least, we benefited from the Bounty Factory dedicated team in order to select and send invitations to high-ranked hunters.
How many hunters did you invite for the private step?
For the private step we invited the whole YesWeHack private team, made up of 10 people.
During the private period, what did you notice in terms of reported vulnerabilities?
Obviously, at the very beginning of the program simple and common vulnerabilities were reported, especially XSS vulnerabilities. As time went by, more sophisticated vulnerabilities appeared, and we were really surprised by some findings. We felt a very good involvement on the part of each hunter, who were driven by their appetite for being the first to report a critical vulnerability.
The figures: 58 reported bugs, of which 34 were subject to corrective measures. The others were mainly duplicates (18 out of 24).
The number of critical vulnerabilities was up to 5.
The best reward for a single bug was up to 1000 €.
Did you appreciate the level of communication between you and the hunters?
The level of communication with the hunters was really appreciated by our team. At times, we experienced some difficulties with certain vulnerabilities, either in reproducing them or in understanding the harm they implied. The hunters were really good at answering our questions and at double-checking the patches we delivered.
Why did you choose to go public?
To us, going public is a natural evolution of our bug bounty program. We wanted to be able to properly understand the art of running a bug bounty through Bountyfactory.io, especially by dealing with a restricted number of reported bugs at first, and with hunters we wanted to communicate with. Now, we are far more confident in terms of procedures and patching policy, so it makes sense to go public and be exposed to a maximum of skills to keep on securing our platform.
In terms of benefits, can you say that beyond the financial aspect there are issues of communication and reputation? How would CCM deal with these aspects?
It is important for us to show a proactive approach on such crucial issues. However, it is not planned at the moment to promote the opening of our bug bounty program to our audience. Above all, we decided to go public for ourselves and our visitors.