Author: YesWeHack Team | NicoladiaZ (Page 1 of 3)

Le Réseau Thématique French Tech #Security #Privacy

Guillaume Vassault Houlière, CEO de YesWeHack, est un des ambassadeurs du Réseau Thématique French Tech #Security #Privacy .

Ce réseau a pour objectifs d’organiser un Tour de France sur la thématique “security & privacy” afin de fédérer l’écosystème, de développer et valoriser à l’international le savoir-faire des acteurs français en matière de cybersécurité.

Ce tour permettra notamment de continuer la sensibilisation des utilisateurs en entreprise (PME, ETI et Grands Groupes) à la sécurité et à la protection des données personnelles. C’est là une des clefs de la réussite de la transformation numérique.

Une des missions principale du réseau est l’identification des startups axées sur la cyber-Securité et la protection des données personnelles. L’idée c’est de procéder à un inventaire des besoins et de motiver des entrepreneurs « emblématiques » pour qu’ils deviennent des business angels et/ou des mentors.

Enfin, le réseau et tous ses acteurs ont pour activité la promotion du fonds French Tech Accélération aux entrepreneurs pouvant réinvestir dans l’écosystème.

En savoir plus sur la feuille de route

Open Source, NGOs & Hackers : Unity is strength

YesWeHack is definitely a group of passionate people who all have become professionals. As passionate people, we do have principles and it is precisely these principles that keep us on the right path of our social, economic and financial development.

For some of you, you’ve been noticing that we are operating in a competitive world without forgetting our fundamentals.
We are willing to defend the common goods mainly the Internet neutrality, Press Freedom, Open Source (software & hardware).

To us, those 3 pillars – amongst others – are strong allies for Civil Society and especially for NGOs to defend and promote Human Rights.

This is the reason why we do care about helping NGOs and non-profit organizations who share the same principles.

Cooperation is good for all of us !

In 2017, our community of security researchers participated in 3 bug bounty programs powered by our Bounty Factory :

In june 2017, the first program was launched by OCCRP and it exposed one tool of the organization :

As a matter of fact, OCCRP is involved in the original Panama Papers, Paradise Papers amongst many other projects.

As one of the world’s largest investigative reporting organizations, OCCRP is very concerned with security of their journalists and sources.

With this in mind, OCCRP started a bug bounty program with YesWeHack !

In October 2017, OCCRP did it again by submitting another scope made of Open Source components namely : Django, Ember.js, Bootstrap 3, PostgreSQL , Oauthlib.

    • The Investigative Dashboard (ID) is a platform of tools and services that help journalists to follow the money and uncover corruption. At its core are IDresearch requests, a request tracking mechanism that allows journalists to get help from one of OCCRP’s experienced researchers.

We have chosen YesWeHack based on a recommendation, and we are happy to say that YesWeHack went beyond what we had expected or hoped for.
Michał “rysiek” Woźniak, Chief Information Security Officer from

Collaboration between OCCRP and YesWeHack results in this page 🙂


As for the third bug bounty program, it was launched in October 2017 thanks to Reporters Without Borders and aimed at hardening a brand new project for investigative journalism called

    • Forbiddenstories is a collaborative journalism network devoted to keep stories alive and to publish the work of journalists if they are no longer able to do it themselves. At times, journalists have been killed, jailed or threatened.

Investigative journalism is about providing information on crucial issues such as the fight against corruption, environmental protection and human rights. To accomplish this mission and in particular through ForbiddenStories, cooperation with YesWeHack has proven to be obvious because ethical hackers help us to better secure our means of communication and therefore our data.
Laurent Richard | Spokesperson of

So truly, YesWeHack is honored and proud to help ForbiddenStories for this project is willing to use above all Open Source Software like WordPress, SecureDrop, GNUPG, Signal.


Unity is Strength and beyond those examples, YesWeHack has been working with several organizations that improve Open Source. For security reasons, as you may guess, we cannot give details concerning those private bug bounty programs 🙂

No worries, if your project is non-profit and made of Open Source bricks we would be glad to drop all the fees we charge for usual bug bounty program.

Give it a try & please drop a line to 🙂


Incentive Policy for Coordinated Vulnerability Disclosure


For the past ten years or so, organizations have been trying to implement operational policies to avoid “Full Disclosure” reports or “Open Bug Bounty” whose methods are not that good in terms of honesty and responsibility.

Speaking of responsibility, you may be familiar with the notion of “Responsible Disclosure” and you wonder how it differs from the concept of Coordinated Vulnerability Disclosure?

The concept of responsible disclosure has too often been at the root of endless discussions:

On the one hand the vendors denounce “Disclosing a vulnerability without providing patches is not responsible”.
and the other, “Don’t fix this vulnerability as quickly as possible is not responsible”, say security researchers.

During this precious time when both sides argue, the system concerned is at the opponent’s mercy.

In order to move towards greater efficiency and to get out of sterile debates, it is therefore important to avoid speaking of “responsible disclosure”. This is why many organizations advocate the concept of “Coordinated Vulnerability Disclosure” (CVD) in order to promote and strengthen cooperation between the various actors in cybersecurity, all of whom have a common goal: Make the Internet safer.

Coordinated Vulnerability Disclosure

Coordinated Vulnerability Disclosure

Theory & Definitions

Coordinated Vulnerability Disclosure (CVD) is a process aimed at reducing risk and ultimately mitigating potential damage caused by a vulnerability affecting an information system. CVD is a process that cannot be reduced to the deployment of a patch or publication of a report, even though these events are indicators of the efficiency of cooperation.

A bounty bug platform such as facilitates this process by encouraging the cooperation of thousands of security experts and organizations.
Cooperation: it is a key element of Cyber Governance.

Guillaume Vassault Houlière | YesWeHack CEO

Coordinated Vulnerability Disclosure is therefore the process of collecting information from Security Researchers, coordinating the sharing of this information among actors, and disclosing the existence of vulnerabilities (software or even hardware) and their mitigation measures to various stakeholders, including the public.

Coordinated Vulnerability Disclosure significantly increases the likelihood of success of any vulnerability response process. Contributions are often vulnerability reports written by security researchers.

CVD reports for a product (software or hardware) typically include patches as well as vulnerability report documentation or recordings in a vulnerability database.

NB: many operational vulnerabilities can be corrected by the operator and do not necessarily result in public disclosure.

Vulnerability disclosure is a process by which vendors and people who discover vulnerabilities can work collaboratively to find solutions that reduce the risks associated with a vulnerability.

ISO/IEC 29147 standard defining Vulnerability Disclosure

This process includes actions such as the reporting, coordination and publication of information on one vulnerability, its mitigation or, ideally, its remediation.

Let’s zoom in the concept :


  • Reduce the risk of damage
  • Believe in good deeds, believe in good Samaritans
  • Avoid randomness
  • Boost cooperation
  • Follow the code of ethics
  • Learn from the OODA loop
  • Consider CVD as a process navigating between the “best” and the “worst”.


  • Ensure that identified vulnerabilities are – well – addressed;
  • Reduce the risk of vulnerability;
  • Provide users with sufficient information to assess the risks associated with the vulnerabilities of their systems;


Coordinated Vulnerability Disclosure commonly begins with the detection of a vulnerability and ends with the deployment of patches or mitigation.

Therefore, several actors are involved in the CVD process:

  • Security researcher – the person or organization that identifies vulnerability.
  • Reporter – the person or organization who notifies the vendor
  • Vendor – the individual or organization that created or maintains the product that is vulnerable
  • System Administrator – an individual or organization that must implement a corrective action or take other corrective actions.
  • Coordinator – an individual or organization that facilitates the coordinated response process


  • Discovery – Someone discovers a vulnerability in a product.
  • Report – The product vendor or a third party coordinator receives a vulnerability report.
  • Qualification – The recipient of a report validates it to ensure its accuracy before prioritizing it for further action.
  • Remediation – A remediation plan (ideally a software patch) is developed and tested.
  • Public Awareness – Vulnerability and corrective measures are disclosed to the public.
  • Deployment – Corrective measures are applied to the systems concerned.

The reporting step is important because it requires the creation of secure channels to ensure that transmitted information is not intercepted by a third party.

However, there are some obstacles within the process:

  • No vendor contact available – This may occur because a contact could not be found or because the contact is not reactive.
  • Termination of cooperation – participants in the CVD process may have other priorities that attract their attention.
  • Information leakage – Whether intentional or unintentional, information for a small group of actors can be passed on to others who are not involved in the CVD process.
  • Independent Discovery – Any vulnerability that can be found by one individual can be found by another, and not everyone will tell you about it.
  • Active Exploitation – Evidence that a vulnerability is being actively exploited by adversaries requires accelerating the CVD process to reduce users’ exposure to risk.
  • Communication is deteriorating – CVD is a process of coordinating human activities. As such, its success depends on the quality of the relationships between the participants.
  • Marketing – In some cases, vulnerabilities can be used as a marketing tool. This is not always conducive to the smooth running of the CVD process.

To sum up:

Vulnerability disclosure practices are no longer restricted to web applications. The Internet of Things and the constellation of SCADA systems, connected health devices, CCTV, Connected cars, etc. have become so dependent on software and the Internet that they increase the exposure perimeter and will inevitably be exposed to new attacks.

The Coordinated Vulnerability Disclosure is a major ally to federate the largest number of cyberspace actors and stimulate the exchange of knowledge to ensure both security and privacy protection by design.

By encouraging cooperation, CVD will enable all stakeholders not only to defend their common information assets but also to fight more effectively against the black market and the resale of Zerodays.


The set is now planted, so let’s switch from theory to practice.

Security.txt: the promising RFC!

In order to respond to the lack of contacts available to disclose a vulnerability on a website, security researcher EdOverflow, well inspired by the role of the famous robots. txt, suggested since the beginning of August 2017 to include in each website the file security.txt as a reference file containing the procedure to be followed to disclose more effectively to the editor of a site a bug, a vulnerability.

This approach has the merit of establishing clear guidelines for security researchers on how to report security issues and allows bug bounty programs to use them as a basis for defining the attack perimeter for future researchers.

security.txt is a draft that has been submitted to the RFC for review. This means that security.txt is still in the early stages of development. You can contribute on github!

Bug Bounty as part of your disclosure policy

As part of agile development on their own products, more and more vendors are choosing to be proactive by stimulating and cooperating with IT researchers:

  • by relying on in-house resources and expertise;
  • by contracting directly with external researchers;
  • via a platform that will connect researchers and one vendor. The latter will therefore pay for the result and will be able to choose between various options such as program management or even patch management if its internal resources are not sufficient.

NB: The creation and long-term implementation of a Bug Bounty program is considered as an indicator of the maturity of publishers’ E-governance in terms of vulnerability.

Since 2013, YesWeHack has been developing tools that greatly facilitate the implementation of an incentive policy for CVD.

YesWeHack, its community and ecosystem of services enable organizations and IT security researchers to better cooperate.

Thanks to the tools developed by YesWeHack, beneficiary organizations can more easily overcome the obstacles encountered by their CVD policy. In addition, organizations gain reputation by demonstrating their appetite and willingness for continuously improving their systems. as the first European platform of Bug bounty.

Differentiating criteria

  • Cooperation with European partners and providers as a matter of sovereignty.
  • Legal and technical infrastructure that meets the highest security requirements.
  • Security and confidentiality of communications based on encryption and compliance with ISO standards.
  • Securing financial transactions between organizations and security researchers.
  • Payment platform compliant with European anti-money laundering and anti-terrorist financing arrangements.
  • Support throughout the entire process: from the drafting of the program to assistance with corrective measures.
  • Operational ranking of the best researchers: Management of a security research community.
  • Reactivity that enables the best researchers to be mobilized in record time.
  • Ability to organize different types of Bounty bug programs (Private / Public / In situ / Hardware and/or Software).

Give it a try ! Register on

What should I do if a product does not offer Bug Bounty or Security.txt?

A simple and effective tool to avoid full disclosure of vulnerabilities in the wild.

It is important to note that some products (software or hardware) do not have their own Bug Bounty program. Thus, it is difficult for a security researcher to report a vulnerability to a vendor. Not all countries have a law allowing this kind of practice, as is the purpose of Article 47 of the Law for a Digital Republic initiated by ANSSI.

YesWeHack has created to facilitate the escalation of vulnerabilities in a secure and even anonymous way and put in touch the different actors working for a safer Internet.

Thanks to Zerodisclo several obstacles are removed: no login, anonymization of the report via the Tor (.onion) network and mandatory and automatic encryption of the report content with the public PGP key of the CERT chosen.

The list of CERTs included in

Please find below the infographic of

Politique Incitative à la Divulgation Coordonnée de Vulnérabilités.

 ☄ Constat

Depuis une dizaine d’années, les organisations tentent de mettre en place des politiques opérationnelles pour éviter les rapports sauvages de failles ou autre “Full Disclosure” ou “Open Bug Bounty” dont les méthodes laissent à désirer en terme d’honnêteté et de responsabilité.

A propos de responsabilité, vous connaissez peut-être la notion “Divulgation Responsable” ( Responsible Disclosure – chez nos amis anglophones) et vous vous demandez en quoi elle est différente de la Divulgation Coordonnée de Vulnérabilités?

Le concept de divulgation responsable a trop souvent été au cœur de discussions sans fin :

  • d’un côté les vendeurs/éditeurs s’insurgent “Divulguer une vulnérabilité sans fournir de patchs n’est pas responsable”
  • et de l’autre “Ne pas corriger cette vulnérabilité au plus vite n’est pas responsable”, rétorquent les chercheurs en sécurité.

Pendant ce temps précieux où les parties se chamaillent, le système concerné est à la merci de l’adversaire et ce dernier en profite pour commettre ses méfaits.

Afin de tendre vers plus d’efficacité et sortir des débats stériles, il convient donc d’éviter de parler de “divulgation responsable”. C’est la raison pour laquelle de nombreuses organisations plaident en faveur du concept de “Divulgation Coordonnée de Vulnérabilités” (DCV) afin de promouvoir et renforcer la coopération entre les différents acteurs de la cybersécurité qui tous ont un objectif commun : rendre l’Internet plus sûr.

Coordinated Vulnerability Disclosure

☄ Théorie & Définitions

La Divulgation Coordonnée de Vulnérabilités ( DCV ) est un processus visant à réduire les risques et in fine à atténuer les dommages potentiellement causés par une vulnérabilité ciblant un système d’information. La DCV ( CVD en anglais ) est un processus que l’on ne peut pas réduire au déploiement d’un correctif ou à la publication d’un rapport quand bien même ces événements sont des indicateurs de l’efficience de la coopération.

Une plateforme de bug bounty telle que facilite ce processus en incitant à la coopération des milliers d’experts en sécurité et des organisations.
La coopération : c’est une pièce maîtresse de la Cyber-Gourvernance.

Guillaume Vassault Houlière | YesWeHack CEO

La divulgation coordonnée des vulnérabilités est donc le processus qui consiste à collecter des informations auprès des chercheurs de vulnérabilités, à coordonner le partage de ces informations entre les acteurs et à divulguer l’existence de vulnérabilités (logicielles voire matérielles) et leurs mesures d’atténuation à diverses parties prenantes, y compris le grand public.

La divulgation coordonnée des vulnérabilités accroît de manière significative les chances de réussite de tout processus de réponse à vulnérabilité. Les contributions sont souvent des rapports de vulnérabilité rédigés par des chercheurs en sécurité.

Les rapports DCV concernant un produit (logiciel ou matériel) comprennent généralement des correctifs ainsi que des documents de rapport de vulnérabilité ou des enregistrements dans une base de données de vulnérabilités.

NB: de nombreuses vulnérabilités opérationnelles peuvent être corrigées par l’opérateur et elles ne se traduisent pas forcément par une divulgation publique.

La divulgation des vulnérabilités est un processus par lequel les fournisseurs et les personnes qui découvrent des vulnérabilités peuvent travailler en collaboration pour trouver des solutions qui réduisent les risques associés à une vulnérabilité.

Norme ISO/CEI 29147 définissant la Divulgation de Vulnérabilités

Ce processus comprend des actions telles que le signalement, la coordination et la publication d’informations sur une vulnérabilité, son atténuation voire, dans l’idéal, sa résolution.

A ce stade, décortiquons la DCV :

Les principes:

  • Réduire les risques donc les dommages
  • Croire aux bonnes actions donc aux bons samaritains
  • Éviter le hasard
  • Stimuler la coopération
  • Suivre la déontologie
  • Apprendre de la boucle OODA
  • Considérer la DCV comme un processus naviguant entre le “meilleur” et le “pire”.

Les objectifs :

  • veiller à ce que les vulnérabilités identifiées soient prises en compte;
  • réduire au minimum le risque de vulnérabilité;
  • fournir aux utilisateurs suffisamment d’informations pour évaluer les risques liés aux vulnérabilités de leurs systèmes;

Les acteurs :

La Divulgation Coordonnée de Vulnérabilités commence communément par la détection d’une vulnérabilité et se termine par le déploiement de correctifs ou d’atténuation.

Par conséquent, plusieurs acteurs sont impliqués dans le processus de CVD :

  • Chercheur en sécurité – la personne ou l’organisation qui identifie la vulnérabilité.
  • Rapporteur – la personne ou l’organisation qui avise le fournisseur de la vulnérabilité.
  • Fournisseur – la personne ou l’organisation qui a créé ou entretient le produit vulnérable.
  • Administrateur système – personne ou organisation qui doit déployer un correctif ou prendre d’autres mesures correctives.
  • Coordinateur – personne ou organisation qui facilite le processus d’intervention coordonnée.

Les étapes :

  • Découverte – Quelqu’un découvre une vulnérabilité dans un produit.
  • Rapport – Le fournisseur du produit ou un tiers coordinateur reçoit un rapport de vulnérabilité.
  • Qualification – Le destinataire d’un rapport le valide pour s’assurer de son exactitude avant de le prioriser en vue d’une action ultérieure.
  • Remédiation – Un plan d’assainissement (idéalement un correctif logiciel) est élaboré et mis à l’essai.
  • Sensibilisation du public – La vulnérabilité et les mesures correctrices sont divulguées au public.
  • Déploiement – Les mesures correctrices sont appliquées aux systèmes concernés.

La phase de rapport est importante car elle requiert de créer des canaux sécurisés pour éviter que les informations transmises soient interceptées par une tierce partie.

Ce processus connaît cependant des obstacles :

  • Aucun contact du fournisseur disponible – Ceci peut se produire parce qu’un contact n’a pas pu être trouvé ou parce que le contact n’est pas réactif.
  • Cessation de coopération – les participants au processus de DCV pourraient avoir d’autres priorités qui attirent leur attention.
  • Fuites d’information – Qu’elles soient intentionnelles ou non, les informations destinées à un groupe restreint d’acteurs, peuvent être transmises à d’autres personnes qui ne participent pas au processus de DCV.
  • Découverte indépendante – Toute vulnérabilité qui peut être trouvée par un individu peut être trouvée par un autre, et tous ne vous en parleront pas.
  • Exploitation active – Les preuves qu’une vulnérabilité est activement exploitée par des adversaires nécessitent d’accélérer le processus de DCV pour réduire l’exposition des utilisateurs au risque.
  • La communication se détériore – La DCV est un processus de coordination d’activités humaines. En tant que tel, son succès dépend de la quatité des relations entre les participants.
  • Marketing – Dans certains cas, les vulnérabilités peuvent être utilisées comme un outil de marketing. Cela n’est pas toujours propice au bon déroulement du processus de DCV.

En synthèse :

Les pratiques de divulgation des vulnérabilités ne se limitent plus aux applications web. L’Internet des objets et la constellation de systèmes SCADA, d’appareils de santé connectés, de caméras de surveillance, de voitures connectées, de drones, etc. sont devenus tellement dépendants des logiciels et de l’Internet qu’ils augmentent le périmètre d’exposition et, de ce fait, seront inéluctablement exposés à de nouvelles attaques.

La Divulgation Coordonnée de Vulnérabilités est une alliée majeure pour fédérer le plus grand nombre d’acteurs du cyberespace et stimuler l’échange de savoirs pour mieux assurer dès la conception : la sécurité et la protection de la vie privée.

En incitant à la coopération, la DCV permettra à tous les acteurs de la cybersécurité non seulement de défendre leurs bastions et leurs patrimoines informationnels mais aussi de lutter plus efficacement contre le marché noir et/ou la revente de Zerodays.


 ☄Le décor est maintenant planté,

alors passons de la théorie à la pratique.

Security.txt : la prometteuse RFC !

Afin de répondre au manque de contacts mis à disposition pour divulguer une vulnérabilité sur un site web , le chercheur en sécurité EdOverflow, bien inspiré par le rôle du fameux robots.txt, a suggéré depuis début août 2017 d’inclure dans chaque site web le fichier security.txt comme fichier de référence contenant la marche à suivre pour divulguer plus efficacement à l’éditeur d’un site un bug, une vulnérabilité.

Cette méthode a le mérite d’établir des lignes directrices claires pour les chercheurs en sécurité sur la façon de signaler les problèmes de sécurité et permet aux programmes de bug bounty de s’en inspirer pour mieux définir le périmètre d’attaque proposé aux futurs chercheurs.

Security.txt est une ébauche qui a été soumise à l’examen de la RFC. Cela signifie que security.txt en est encore aux premiers stades de développement. Vous pouvez y contribuer sur github !


Le Bug Bounty comme composant de votre politique de divulgation

Dans le cadre d’un développement agile sur leurs propres produits, de plus en plus de fournisseurs choisissent d’être pro-actifs en stimulant et en coopérant avec les chercheurs de vulnérabilités :

  • soit en misant sur les ressources et expertises en interne.
  • soit en contractant directement avec des chercheurs externes
  • soit en passant par une plateforme qui va mettre en relation des chercheurs et l’éditeur de la solution. Ce dernier paiera donc au résultat et pourra choisir différentes formules et options payantes telles que le management de programme voire le patch management si ses ressources en interne ne sont pas suffisantes.

NB : La création et l’instauration dans la durée d’un programme de Bug Bounty sont considérées comme des indicateurs de maturité de la cybergouvernance des éditeurs en matière de vulnérabilité.

Depuis 2013, YesWeHack travaille au développement d’outils qui facilitent grandement la mise en place d’un politique incitative à la divulgation coordonnée de vulnérabilités.

YesWeHack, sa communauté et son écosystème de services permettent aux organisations et aux chercheurs en sécurité informatique de mieux coopérer.

Grâce aux outils développés par YesWeHack, les organisations bénéficiaires peuvent contourner plus aisément les obstacles rencontrés par leur politique de DCV. De plus, les organisations gagnent en notoriété en démontrant leur appétence et leur volonté d’améliorer en continu leurs systèmes.

Bountyfactory.iola première plateforme Européenne de Bug bounty.

Les critères différenciants

  • un recours à des partenaires et prestataires Européens pour des questions de souveraineté.
  • une infrastructure légale et technique qui répond aux exigences de sécurité les plus élevées.
  • la sécurité et la confidentialité des communications basées sur le chiffrement et le respect des normes ISO.
  • une sécurisation des transactions financières entre les organisations et les chercheurs en sécurité.
  • une plateforme de paiement conforme aux dispositifs européens de lutte contre le blanchiment d’argent et contre le financement du terrorisme.
  • un accompagnement tout au long du processus : de la rédaction du programme jusqu’à l’aide aux correctifs.
  • un classement opérationnel des meilleurs chercheurs : Gestion d’une communauté de chercheurs en sécurité.
  • une réactivité qui permet de mobiliser les meilleurs chercheurs en un temps record.
  • une capacité d’organisation de différents types de programmes de bug Bounty (Privé / public / In situ / Hardware et/ou Software).

Pour vous inscrire c’est par là >

Quelle démarche adopter si un produit ne propose ni Bug Bounty ni Security.txt ?

Un outil simple et efficace pour éviter les remontées sauvages de vulnérabilités.

Il est important de noter que certains produits (logiciel ou physique) ne disposent pas de leur propre programme de Bug Bounty. Il est ainsi délicat pour un chercheur en sécurité de pouvoir remonter une vulnérabilité à une société éditrice. Tous les pays ne disposent pas d’une loi permettant ce type de pratique comme c’est l’objet de l’article 47 de la Loi pour une République numérique initiée par l’ANSSI.

YesWeHack a crée pour faciliter les remontées de vulnérabilités de façon sécurisée voire anonyme et ainsi mettre en relation les différents acteurs œuvrant pour un Internet plus sûr.

Grâce à Zerodisclo plusieurs obstacles sont levés : pas de login, anonymisation du rapport via le réseau Tor (.onion) et chiffrement obligatoire et automatique du contenu du rapport avec la clef PGP publique du CERT choisi.

La liste des CERTs inclus dans

A titre d’exemple : vous pouvez rapporter directement au CERT FR en cliquant sur le lien suivant >

Ci-dessous une infographie qui résume le processus :


Cybersecurity & Bug Bounty: Attack is the best form of defense

uillaume Vassault-Houlière President of Yes We HackBy Guillaume Vassault-Houlière | CEO of YesWeHack

Through our European platform, Bug Bounty is gaining respectability in France and Europe.

Bug Bounty is an innovative and operational practice from the United States that rewards security experts who find security flaws in IT systems.

Within a complex geopolitical context, Europe and France can compete in defending a European model of digital sovereignty.

In the light of new threats and given reports of organizations that are victims of piracy and irreversible damage, some innovative cyber security policies and approaches need to be adopted.

Cybersecurity is a powerful ally for leading digital transformation.

Like the United States, France and Europe must capitalize on the IT security talents of the European zone for those are the talents who will consolidate the digital fortresses of tomorrow.

Today, thanks to, the first European Bug Bounty platform developed by YesWeHack, organizations have an additional tool in their defensive arsenal. Based on a community of more than 3,000 IT security researchers, organizations can significantly increase the security degree of their information systems.

Commonly, organizations are used to planning audits or penetration tests led by a limited number of IT experts during a restricted time window. Although this kind of audit is recommended, it is far from sufficient for protecting information assets.

Keep in mind that cyber criminals do not ask for clearance to damage one targeted infrastructure.

Through a Bug Bounty program, an organization can thus simulate the real conditions of an attack while imposing IT researchers a legal framework. is the appropriate tool to harden information systems and build a relationship of trust between organizations and the IT security experts., with the striking force of our community, allows any type of organization to test a web site, a mobile application, web services, connected things or embedded systems in order to reduce risks and increase data protection.

As soon as a vulnerability is discovered, the expert reports in details to the initiator of the program. Once the reported vulnerability has been confirmed and validated, the organization can fix the issue and can ideally reward the expert.

In the framework of a Bug Bounty program, the organization only pays for the result and the more critical the flaw, the higher the reward. provides its clients with total control over the entire process: control over the scope, rules, budget, accreditation of experts and, of course, the program can be stopped at any time.

Bug Bounty programs constructively increase developers’ skills.

Furthermore, thanks to Bug Bounty Practice, one organization can communicate positively on its capacity to keep the best level of security, as demonstrated by the US Army and Pentagon in 2016. assists you in the creation of totally private or public Bug Bounty programs. We count among our clients, which we can mention, companies such as Orange, OVH, Qwant or ERCOM.


Confronting reality is the duty of every IT security professional

Interview of Stéphane Bourou | Technical Project Manager at Ercom

For 30 years, Ercom has developed a leadership position in the communications, data and terminal security markets.
This position is based on complementary technological expertise in Telco/cloud infrastructure, cryptography and software and on shared values: innovation, expertise, commitment and confidentiality.

Our products and expertise are recognized in France and internationally by major companies, customers, partners and certification entities.

All our solutions are certified or in the process of certification by ANSSI.

Two examples that illustrate Ercom’s expertise:

  • Ercom equipped the Presidential aircraft with a secure telephone in 2002, thus offering the first highly secure mobile communication solution.
  • Ercom’s Cryptosmart (secure communications and mobile terminals) is the first ANSSI-certified solution to be restricted for distribution to consumer terminals, facilitating users to adopt it.

Our offer is based on three products : CryptoPass, CryptoSmart and CryptoBox.

What did you learn from the private phase of your bug bounty program?
The Bug Bounty in general complements the ANSSI certifications to which we submit each of our security solutions.
Our primary goal was to confront our CryptoBox solution with a relevant range of attackers who we might encounter during its use, in order to have a continuous evaluation of the level of resistance of our solution.

Several bug reports were provided to us and one in particular proved out to be a significant level. This enabled us to improve our product and demonstrate the thoroughness of our development teams about security.

Why going public is a good move ?
Private mode limits the number of bug bounty hunters therefore, it does not really confront us with what we would definitely encounter during an operational deployment. By Going Public, we expect to have Bug Bounty Hunters with more focused, varied and specialized skills on specific surfaces, such as web and smart-phone applications. Through this important and true exercise, we will be able to increase the level of assurance obtained during the private phase.

What would be your arguments for convincing reluctant organizations to cross the threshold ?
It’s always good to face reality, and this is especially important for a security solution. We are making the effort to use the Bug Bounty with the dual objective of improving our solution and having greater visibility and credibility. A Bug Bounty program makes it possible to mobilize a large number of IT security researchers for a limited period of time in an economical and repetitive way.
Our experience being very positive, we will soon open a second program for our new product : CryptoPass.

Join the hunt on ! & to harden companies’ systems‘s Security & Privacy Fund is now real and it aims at hardening companies’ systems through our !

Qwant has always believed that the development of online services should be done with maximum protection of the confidentiality of users personal data. That is why Qwant took a “privacy by design” and a “data minimization” approach from day one, which requires to think preventively of the technical means and business models that generate as little risks as possible for the privacy of users.

Since 2014, thanks to YesWeHack founders, Qwant has created its bug bounty program.

Each year Qwant offers bounties to the vulnerabilities hunters gathered at La Nuit du Hack, in Paris. Those programs run by HackerzVoice & YesWeHack teams have significantly helped Qwant to build up skills, and to even better protect their users personal data.

And for the 15th edition of La Nuit du Hack, Qwant wants to offer other startups and organizations – thanks to its fund – the opportunity to challenge and increase the security of their services with the best hackers in Europe and in the world, to improve privacy on the Internet.

Qwant grants 10,000 euros to this fund, that will allow to pay bounties to hackers who will discover vulnerabilities on the services of startups or associations that share Qwant’s ethical values.

Organizations that are selected to benefit from this fund will of course be accompanied to put the bug bounty program together.

You can find all the necessary details to apply for this Privacy & Security Fund at the operation’s official website:

Shall We Play A Game ? Yes We Shall ⠵

Yes We Hack is proud to be platinium Sponsor for the 15th “la Nuit du Hack” next June 24 & 25 \o/

The forthcoming Nuit Du Hack is about to gather more than 2000 people from all over Europe !

Check the schedule !

☠ ☠ ☠

A bit of History :

Originally, la Nuit du Hack was created by Paulo Pinto aKa CrashFR.

“La Nuit Du Hack” is one of the oldest French underground hackers’ event which bring together, professionals and amateurs of any skill level, around lectures and challenges.

At the very beginning of la Nuit du Hack in 2003, the budget was lower than 1 k€.

Started with 20 persons, the event never stopped growing up by gathering more and more people from amateurs to professionals.

Now, it has reached 170 k€ thanks to the HackerzVoice Team, Géraldine and almost 100 volunteers 🙂

Since the very beginning in 2003, YesWeHack founders have been working tightly with Hackerzvoice for organizing La Nuit du Hack.

In 2011, it saw several international renowned speakers and gripped more than 950 guests including more than 50 challengers. During this edition we had the privilege to host world-famous speakers.

In 2014, organized its first bug bounty in the framework of la NDH. At that time, a prototype of was used to manage bug bounty programmes.

At that period of time the founders of YesWeHack were part of the Jury 🙂 please appreciate the picture below !

For that 2014 and 2015 editions, the rewards were, let’s say, exotic : Real Bounty Chocolate Bars and actually reward checks were signed on stage by Guillaume Vassault-Houlière aka Free_Man (President of HackerzVoice & YesWeHack CEO).

Each year, a common pot is set up to pay the bounties and if there is any money left then it is donated to the association HackerzVoice.

2015 was the year of Skyrock, Denyall, Qwant underwent all together bug bounty programmes .

2016 was a landmark for YesWeHack for it was the first time la NDH Bug Bounty programmes were handled by an official version of !

On that occasion, fees were disabled especially for the event and the dedicated bug bounty programmes namely the ones of / / Orange / Protektoid were physically restricted to NDH attendees located in Disney’s scope and as usual managed by HackerzVoice . Meanwhile, the Jury was strengthened by recruiting a new member : Mr. Skunk !

2017 is a special edition of la NDH and as platinium sponsor, YesWeHack Team is willing to make things bigger for the sake of game and fun !

On the occasion of the 15th edition of la Nuit Du Hack, There will be about 10 bug bounty programmes restricted to ‘la Nuit du Hack’ attendees.

Only attendees inside DisneyLand will be allowed to play. Don’t forget to register on

Stay Tuned !

For duplicates, we planned everything if you wanna cry :P

For duplicates, we planned everything if you wanna cry 😛

 ☠ ☠ ☠

YesWeHack also provides a dedicated HackDating Zone for recruiters to spot talents during la Nuit du Hack !

Recruiting entities are :

  • Ministère de la Défense (France)
  • Orange Cyberdefence
  • Synaktiv
  • Sysdream
  • Sogeti
  • Outscale
  • Digital Security
  • Vade Secure
  • OVH
  • Qwant
  • Airbus
  • DoctoLib

So, post your CV on !

 ☠ ☠ ☠

La Nuit du Hack is a unique event where curious people have fun, no matter their skills are !

HackerzVoice Will Never Die !

☠ ☠ ☠

European Regulation for the Protection of Personal Data and Data Security


Eric A. Caprioli, Attorney Admitted to Practice Before Court of Appeals, Juris Doctor, Member of French Delegation to United Nations
Isabelle Cantero, Associate (Caprioli & Associés), Lead for Privacy and Personal Data Practice

The European Regulation for the Protection of Personal Data (GDPR) was adopted on April 27, 2016 after 4 years of involved negotiations. Being a directly applicable regulation in each of the Member States (that is, not requiring a national law to implement), it should enable the harmonization of the statutes having to do with the protection of personal data within the European Union and bring the principles of protection into line with the realities of the digital era. It will go into effect on May 25, 2018. For many companies, these new provisions will involve costs related to the investment required to bring their current tools or procedures into compliance with the new rules.

Single Flexible Protective Statute for All EU Member States

The regulation is applicable to every entity in the private and the public sectors. It applies to the issues of Big Data, profiling, Cloud Computing, security of transborder data traffic, data portability when changing service providers… These issues are to be placed alongside the new advance protection principles (privacy by design or by default), analysis-based protection (impact assessment), documented protection (mandatory documentation serving as evidence of statutory compliance), cascading protection (processor liability and the possibility of joint liability), and stronger protection (rights of individuals and consent). And finally, the accountability principle (i. e. the obligation to prove statutory compliance of how personal information is being handled).

As far as stronger protection for the rights of individuals in concerned, consent should be the focus since it should never be implicit or general and it must be provable (documented and traceable) by the controller. Further, in addition to the conventional rights of individuals, such as access, correction/deletion and objection, the GDPR creates new rights (limitation on data processing, portability, etc.).

As for sanctions handed down by the enforcement authority  (CNIL), it should already be noted that they could be as high as EUR 3 million pursuant to the Digital Republic legislation of October 2016 but with GDPR, for violations of obligations set forth in matters of individual rights they could go all the way to 4% of global revenues, or EUR 20 million. For violations of other obligations prescribed by GDPR, the fines could be as high as 2% of global revenue, or EUR 10 million.

And to round off this brief summary of the changes, the current Ombudsperson for IT and Freedoms (optional designation) will be replaced by a Data Protection Officer whose functions will clearly be broader. This designation is mandatory under certain conditions: in a Government body or authority, whenever data processing enables regular and systematic large-scale monitoring of individuals, whenever sensitive or criminal record information is being processed on a large scale, or whenever required by Union or Member State law.

Personal Data Protection Core Security

GDPR Article 32 on the security of data processing lists the various criteria that a controller and a processor must take into account to determine the level of security required, namely, the state of the art, the costs of implementing security, the processing in question, including its purpose and context, the probability and the severity of the risks for individual rights and freedoms The logic consists in customizing security measures to the risks identified with respect to the processing of personal data.
Major change: the Regulation provides for an assessment of risks to privacy from data processing. Subsequently, it is up to the controller to perform a PIA (privacy impact assessment) for all the processing actions likely to result in a high degree of privacy risk for the individuals in question. According to GDPR, some types of processing are deemed to constitute risks and are subject to a PIA because of the nature of the data being processed (large-scale processing of sensitive or criminal record data) or the purpose of such processing (profiling, large-scale monitoring of public areas, etc.).
Given that this is about safeguards to be put in place, Article 32 lists certain measures that are to be implemented by the controller and/or the processor, such as data pseudonymization or encryption, the implementation of methods capable of ensuring system confidentiality, integrity, availability, and resilience, the implementation of techniques capable of restoring availability and access to personal data in the event of a physical or technical incident, regular verification of such measures. The Code of Conduct (GDPR Article 40) and certification (GDPR Article 42) are also solutions that are likely to be considered with respect to security.
Pursuant to GDPR Article 36, whenever a PIA identifies a high level of risk, it becomes mandatory to consult the CNIL prior to proceeding with the data processing in question. This requires, for instance, that the CNIL be advised of any measures having to do with the security of processing for the CNIL to evaluate whether they are sufficient to allow the processing to proceed.
Pursuant to GDPR, data security also requires that a notification of a personal data breach be made initially to the supervisory authority (CNIL) within 72 hours of it becoming known (Article 33) and to the data subject (Article 34) if CNIL believes the security measures to have been inadequate. This obligation extends to the processor who must notify the controller of any data breaches as soon as it becomes aware of them. These data breaches result from one or more security incidents (unauthorized access to an IT system, data extraction, reproduction, or distribution). Advance incident detection and correction help obviate the need to notify since there is no breach.
We understand that the new regulation requires that locations where data are processed within an organization (mapping) be brought to a condition that will help determine specific priorities for bringing into compliance as well as the relevant support. As for security, implementation of Bug Bounty practices appears to us to be highly recommended to detect security incidents early, thereby preventing them.

GDPR leads us to the following motto:

When security works, everything works!

Interview of Gilles Cadignan – CEO & Co-Founder of Woleet

First of all, can you introduce us to Woleet? was founded in Rennes in 2016. Woleet is a data anchoring platform using the Bitcoin blockchain. To sum up, we provide a SaaS platform that receives digital fingerprints of data and proceeds to anchor them in Bitcoin by linking these fingerprints to a transaction having a certain date. To achieve this, Woleet builds a cryptographic structure that allows multiple fingerprints to be put together in a single transaction.

The use of Woleet has many benefits:

Once anchored in the blockchain, verification of proof of existence dated and free for anyone with data, anchor receipt and Internet access to retrieve the relevant Bitcoin transaction.
Confidentiality is preserved, Woleet only deals with digital fingerprints, which can be improved with meta-data for information purposes.
No need to have bitcoins to use our service, as Woleet takes care of interacting with the blockchain by building transactions.

Ok but why does the partnership Woleet and YesWeHack make sense?

Well, Yes We Hack is actually a nice team : they like to chat and laugh around a beer 😉

More seriously, the Woleet and YesWeHack partnership came quite logically following a meeting held in Rennes in December 2016 on the framework of the EuroCyberWeek.

The technology and the start-up spirit offered by Woleet fit perfectly with YesWeHack’s know-how. You know the concept of blockchain is too often used as a buzz word. Too often, so called experts talk about it but very few know what it is really. Concretely, the synergy between Woleet, YesWeHack and its partner Digital Security took place in record time (less than 3 weeks), that synergy made it possible very effectively to integrate all the skills to the benefit of the project

Thanks to the meeting of Woleet and YesWeHack, the blockchain finally finds a relevant and concrete use-case to better secure the Internet.

Woleet is very proud to have contributed to its measure to this useful initiative for the public interest. Obviously, it is a smart and good way for Woleet to promote our skills and vision.

So from your point of view : why is a good usecase?

Yes We Hack wanted for its service to have irrefutable proof of integrity and time-stamping for vulnerability reports transmitted via the An open and verifiable proof by all without intermediary. The choice of anchoring the integrity and time-stamp data for these vulnerability reports was self-evident. By anchoring them in the blockchain, the service offered full transparency without revealing any information about the source or content about the discovered vulnerability. The anchoring of data in the blockchain coupled with the electronic signature thus ensures an increased degree in terms of irrefutable traceability for each party, both for the security researcher and for the company concerned by the vulnerability. was launched during the FIC2017 and it showed very genuinely that an idea can become operational and efficient when all the stakeholders involved contribute with a common interest. This notable exercise reveals the quality of startups in France and furthermore in Europe.

Zerodisclo is therefore an ambitious project aimed at strengthening information systems by facilitating the reporting of vulnerabilities by some good Samaritans. Innovation is at this stage rather unique, is a non-profit tool to better protect bug reporters by putting in the loop the official CERTs that will have the responsibility to warn the organizations concerned.

By the way, next march 29 in Paris for at Ecole 42, i will take the floor with Guillaume from YesWeHack to present the synergy we made within the project : !

Can you tell us more about the evolutions of Woleet?

After a year of various experiments with several customers, Woleet is entering a phase of production of the various projects. By focusing solely on mature low-level uses, we differentiate ourselves from the only experimental approach of the majority of current blockchain projects. Beyond the implementation of the projects based on the Woleet platform, we owe many projects such as the standardization work on proofs, carried out jointly with several other international startups with authorities such as the W3C. At R&D level, we are working on the next primitives that we intend to provide as an alternative to the digital signature based on the Bitcoin protocol, we also provide tools for the management of digital assets, always on Bitcoin. To lead all these projects, we will have to make our team grow and welcome passionate people who want to participate in – what we think is – a revolution at least as big as the Internet revolution.

Page 1 of 3

YES WE HACK © 2017 | Our Job Board | Our Bounty Factory | Events | Press