Can you tell us why you decided to implement a Bug Bounty program?
Edouard Camoin – CISO – 3DS Outscale:
We’ve been ISO 27001 certified since 2014 and are thus required to look for vulnerabilities using penetration testing. At first, the penetration tests were useful; but as time went by, they produced fewer exciting things. We quickly realised that in the limited duration of an audit (2 to 3 weeks), the pentester didn’t have the time to find more severe vulnerabilities. At best, he had hunches, but then we needed to work on them.
We also saw that, for several years, Bug Bounty had been working well in the US, where household names were using the approach.
At first, we hesitated between the Red Team and Bug Bounty, with researchers coming from diverse backgrounds to test our perimeters and discover new vulnerabilities.
If we’d gone with Red Team, we’d have encountered the same problem we had with the classic penetration testing I mentioned before. So, we chose to launch a Bug Bounty in the belief that, although the pentesters were no longer finding anything, that didn’t mean there weren’t other problems.
We started with a private program collaborating with around fifteen hunters because we weren’t “sure” about our applications. The hunters identified some significant vulnerabilities. We gradually invited more hunters before finally going public with two perimeters: our infrastructure service and our customer portal.
Can you describe the evolution and development of your program since the beginning?
It was reasonably quick (one year). When we went public, we didn’t experience a sharp spike in vulnerabilities: we started with a grid of very reasonable bonuses, which we gradually increased to reactivate hunter activity on our program to reach our current “cruising speed”.
Did the notion of sovereignty factor into your choice to work with YesWeHack?
Definitely so. When we considered Bug Bounty, we were aiming for both the ANSSI SecNumCloud qualification and the HDS certification, so it seemed more opportune for us to work with a French player, giving us solid guarantees on the handling of our data.
Is working with a sovereign platform also an asset for you in the way you approach your market?
Yes, the concept of sovereignty is essential to our French and European customers. Those include public and para-public organisations, as well as organisations of strategic importance (OIV or Operators of Vital Importance; abbreviated as per its French naming), that are sensitive to the issues of sovereignty and control of their data. In the context of Cloud services provisioning, partnering with a sovereign platform like YesWeHack assures our customers that the entire vulnerabilities processing chain is adequately controlled.
In a broader sense, Bug Bounty is a competitive advantage for Outscale for the simple reason that it guarantees active security: where we once performed biannual penetration testing and periodic scans, we’re now looking for vulnerabilities continuously. And as soon as the hunter signals a vulnerability, we’re able to include it in our correction cycle automatically. Our customers are reassured, knowing that we don’t wait for updates from vendors to fix our vulnerabilities. Also, we’re able to detect and fix vulnerabilities in the products we develop in-house.
In your opinion, what is Bug Bounty’s added value?
First, hunters don’t face any time constraints. They can take the time they need to detect sophisticated vulnerabilities, further develop an exploit, suggest remediation and write up a detailed report. Pentests, on the other hand, often result in a few scans and two or three CVEs, without any concrete proof of exploitation.
Then, there’s also the diversity of the community: I can exchange with hunters specialising in UI, others in Application Services, etc. – and each of them brings me different, complicated things that a “non-specialised” auditor could never find. Sometimes, I think you have to be crazy to see stuff like that. (Laughing) They find things that no one else could and take the time to enhance, highlight and exploit them; I have access to a wealth of expertise.
There are also many spurious reports; many people attempt Bug Bounty and aren’t relevant in their approach. But that also allows my teams to become familiar with different approaches, to talk to people of various knowledge levels and to be able to put themselves on all levels. We sometimes have to explain that a finding isn’t a vulnerability, but rather a misuse on their end and so on.
Last but not least, a kind of bond builds up with individual hunters over time. If a researcher has found significant vulnerabilities, and he wants to test more complex things, then we’re going to give him the resources or specific access that enable him to do more exciting stuff. This kind of collaborative approach and in-depth work is impossible to achieve with pentesters who are always overwhelmed and caught up with their tight deadlines.
For you, does Bug Bounty mean the demise of penetration testing, or are they complementary? And if so, how?
In my opinion, they are two completely different approaches: I use penetration testing for its certifying value and its compliance with specific standards, which allows me to satisfy customers requiring these certifications. Bug Bounty meets the need for more operational security and to focus on all the things that penetration testing and classic scans aren’t able to detect.
Since you’ve launched Bug Bounty, have you seen changes within your teams? How does it work at Outscale?
At the SOC (Security Operations Center), we manage the existing programs, bonuses, and relationships with the hunters, the creation of new programs, and any changes in the perimeters. The Bug Bounty reports come to my SOC team, which then qualifies each vulnerability.
In 90 per cent of the cases, they are non-critical vulnerabilities that are quickly qualified. If there is any doubt, we discuss it in-house. If the vulnerability is particularly interesting, the person in charge of handling it presents it to the team; we talk about its potential impact, the solutions to provide, the hunter’s recommendations, how we can ensure it doesn’t come up again. These exchanges increase the skills of the entire team.
So, does that also mean that your teams get closer?
Yes, because it stimulates curiosity; people are interested and want to understand, which is a good thing. It’s always more concrete to show a real vulnerability that has taken place on the platform.
And in terms of agility?
We work in continuous integration, and Bug Bounty lent itself to our agile methods.
When we receive a vulnerability report, we qualify the CVSS score and, based on that score, we determine the remediation deadline. Then, the report is sent directly to the relevant teams for correction. The same goes for the dependencies used in the code; they’re sent to R&D for analysis and version upgrade. In all cases, Bug Bounty is an entry point like any other, and as such, vulnerabilities are managed via tickets.
We adapt the processing according to the urgency: if a quick correction is required, we deliver a patch immediately, to be reinstated in the next version. In this case, we create (or modify) a user story using these new elements, which will serve as a basis for developments.
What’s the next step?
We’re going to try and expand our perimeters in the programs. And to encourage hunters to “go deep” inside our product (beyond the web-based front-end), we’re going to increase the bonus grid.
I’d also like to give them access to our private platforms for them to perform more stringent tests. We’ve already tried this once, and it produced insightful results, with hard-coded data extraction scenarios, on our test platforms. But this involves providing hunters with specific testing perimeters, which is time-consuming.
About YesWeHack: YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting more than 15 000 cyber-security experts (ethical hackers) across 140 countries with organizations, to secure their exposed scopes and report vulnerabilities in their websites, mobile apps, infrastructure and connected devices. Founded in 2013, YesWeHack is today the #1 European Bug Bounty platform. www.yeswehack.com