Case Study: Groupe ADP’s Public Bug Bounty Program

What made you decide to launch the Bug Bounty program? 

Daniel Diez Head of the Digital Factory Division, Groupe ADP

Daniel Diez – Head of the Digital Factory Division, Groupe ADP :
“The Group Security team took the lead on this project. I had no prior experience of Bug Bounty, but we very quickly saw the model’s advantages and power. And although I never had any particular doubts or worries, now all I see is the benefits. The bugs reported by hunters are vulnerabilities that we and our auditors may not have seen otherwise, and which could therefore be exploited by bad guys.” 

Eric Vautier – Groupe CISO, Group ADP :  In cyber security, anticipation is everything. You need to stay a step ahead of the hackers. This means keeping a close eye on market innovations.

In the digital world, doing “old-style” protection means you are clearly behind the game. And a good way to catch up is to work directly with security researchers who use hackers’ methods and think like them.”

Daniel Diez: “We started Bug Bounty wondering if we could successfully adapt the model to our way. Today, it is one of the pillars of our web security strategy. Of course, it’s vital to set the program’s rules carefully: you have to structure the tests in the right way so that the hunters don’t “disperse” their efforts. You need to identify the right “boundaries”, and this is where the program setup is essential. We started with a tightly drawn scope and expanded it as we went along.”

What value can Bug Bounty add compared to traditional cyber security solutions (e.g. pen test)?

Daniel Diez : “Continuous testing – this is Bug Bounty’s big strength. Pen tests are run at a given point in time – not following every minor delivery. While with Bug Bounty, we have hunters working continuously, remaining alert to anything new, which means they can detect whether any change creates potential vulnerabilities.”

Eric Vautier: “In a perfect world we should systematically test each update on our website. This would mean running a pentest every week, or even more often… And everyone knows that’s not feasible. Bug Bounty makes such continuous verification possible.”

Daniel Diez: “I’ve been getting reports we never got from our pen tests – way more in-depth reports, particularly on the website navigation experience. Auditors don’t necesserily have this approach. What’s more, a pentest has a limited timeframe, whereas hunters take the time they need to go as far as possible. As time goes by, they also get increasingly familiar with our scope, which means they can go even more in depth.”

Eric Vautier:  “A Bug Bounty program can also be used to report more functional, not just technical, application vulnerabilities. For me, this is what genuinely differentiates it from the pentest. It is a completely different angle. A pen test often relies on automated tools, while Bug Bounty builds on these tools with a more human approach.”

Daniel Diez : “What is also interesting is the interactions with hunters. They help us understand the vulnerabilities they’ve found and how to fix them effectively. In this way we can leverage their expertise. 
For sure, Bug Bounty demands some investment. You have to be available to understand what the hunters have tried to do, to talk to them…

But they force us to ask ourselves fresh questions: How a bad guy would get round our protection measures?”

Is Bug Bounty the end of pen testing? Or will it always remain complementary?

Daniel Diez: “For me, neither works without the other. For one thing, we are not necessarily testing the same things with both. And we cannot set off into the unknown without having some minimum level of certainty in advance. Bug Bounty comes in at a more mature stage in the logical flow of events. You need to leverage a minimum base level of security before launching Bug Bounty. That said, today, within the current scope, we no longer need to run pentests. Bug Bounty is enough on its own. You need to set the bar at the right level at the outset, and it then becomes a recurring process.”

Eric Vautier, Group CISO, Groupe ADP

How does Bug Bounty fit with your agile approach?

Daniel Diez: “Like everyone, we have tools to manage sources, builds, projects and performance analytics. We also use tools to log and track each new vulnerability report from the Bug Bounty program. For each sprint we verify which relevant data we can include, so we can deal with issues as they come.”

Why have you gone public? How has that changed your approach with Bug Bounty?

Eric Vautier: “The main advantage is to maximise our risk coverage by multiplying the number of potential tests. Also, it gives us a single channel for reporting vulnerabilities in our website.”

What comes next?

Eric Vautier: “We are going to open up new scopes, on other applications and with other business entities using the same model: private program first, then going public.”