As OVH's bug bounty manager from March 2016 to March 2018, Vincent Malguy shares in this interview his experience and some tips for people wondering how to set up and manage a program.
In the early 2010s, many companies in the IT sector, like Facebook or Google, started to launch bug bounty programs, and within OVH this appeared as an obvious need. However, it took time to frame the project and to meet all the operational conditions to take the leap.
In 2015, when I was recruited by OVH, it was time to put in place all the building blocks to launch a bug bounty calmly.
Back then, we identified two issues: vulnerability export and the legal complexity of paying rewards.
Of course, we evaluated the possibility of launching it without external help, but we quickly gave up the idea because it is not our core business.
In any case, since the beginning it has been clear in our minds that a real bug bounty program is, in the long run, a program open to a wide audience.
In January 2016, we met with Korben and Freeman. They presented YesWeHack's roadmap to launch the first European bug bounty platform.
The timing was perfect, and we decided together to launch OVH's public program on the occasion of "la Nuit du Hack" in June 2016.
In this exercise we had the support of the management and technical teams.
Based on that internal mobilization, we started to carry out an additional audit on the initial scope in order to ensure its maturity. We then worked with the communications, legal and accounting teams. Once these prerequisites were gathered and validated, we started with YesWeHack on a one-month private phase.
At the beginning of this private phase, we received many reports, up to 10 a day, and a large majority were of very good quality.
The good surprise was that the first reports, and in particular those of SaXX, were relevant and valuable, well put together and written in a good spirit thanks to his sense of humor!
Generally, the reports received did not exceed a CVSS 3 score of 5, with about 10% of reports scoring between 5 and 8.
Public phase & Stats
Since the opening of the public phase, we have received, on average, one report per day. Let's be clear, here we are talking about calendar days, because vulnerability reporting does not stop on weekends and holidays.
Over two years of operation, we count about 700 reports. A quarter of them resulted in a change in our systems and (therefore) a cash reward.
The range of researchers is wide, and this is what makes the bug bounty so attractive: we have worked with more than 120 people from all over the world, with many different research methods.
Fortunately for us, we never had an RCE or SQLi, even when we opened the scope.
However, we did have reports of code injection (OWASP category 1).
A vulnerability that is often raised is the lack of a limit on the number of requests to our API.
This risk is accepted by OVH as necessary for certain customers. We have compensating mechanisms in place.
To sum up, I can give the following statistics:
- 50% won't fix
- 20% duplicate
- 15% spam / out of scope
- 25% fixed & resolved
Moreover, at OVH, as far as the allocation of the big rewards is concerned, there is a consultation with the teams in order to avoid approximations and to give a well-calibrated reward, evaluated in light of the harm we could have suffered. It's important to be fair when you know that some rewards have reached €10,000.
In total, over two years, OVH paid several tens of thousands of euros to reward bug hunters on a case-by-case basis.
In organizational terms
I think you have to be ready and well organized. We had opened a special internship on the subject at the launch in 2015. After finishing his studies, this intern is now employed in the security team and takes care of the OVH bug bounty.
I consider that, to be properly managed, a bug bounty program requires one hour of attention daily.
Decision-making is guided by collegiality between the devs and the CISO, because the most sensitive part is the evaluation of reported bugs.
The hunter on our program is engaged in a legal and professional process that deserves our best effort to communicate well with him/her, in order to explain our decisions regarding the qualification of a submitted vulnerability. At any time, our program managers were able to consult the YesWeHack team to avoid misunderstandings or to discuss some tricky points. Researchers are evaluated on the quality of their findings but also on the relevance of their reporting.
In terms of management, I recommend at least two staff members for better management of the program. Keep in mind that bug monitoring, communication and evaluation are demanding and tiring. Leaving only one person on this post is not desirable.
Today I am very proud to have entrusted the management of the program to Nassim, Alessandro and Hugo!
Recruitment and Outlooks
Recruitment approaches via the bug bounty were conducted because I discovered with great interest that it is a setting where you can instantly feel the good vibes, the ability to communicate and the ability to summarise of the people who move in bug bounty circles.
Often, in a job interview, the winning pair combines feeling and competence. It's often direct and professional: you talk to technical teams without the Human Resources filter.
As a manager I have met interesting profiles, and as a hunter/researcher it is also a godsend, because a researcher can perceive the atmosphere and the team spirit that reigns within a team.
In terms of perspective, an ongoing discussion could drive us to open the scope to everything that affects OVH directly or indirectly, including the software developed in-house or even the hardware.
Regarding OVH's ability to open source, OVH had wanted to open source its manager for a long time, and, strengthened by our bug bounty program, we did it, logically and without haste, and we will continue on a case-by-case basis with this philosophy.
On a more personal level, I therefore handed over the reins of the program because I agreed to go and take care of the security of the launch of OVH's American subsidiary. But with this bug bounty experience, I hope to quickly launch a program dedicated to our activities in the United States.