Showcasing your vulnerability disclosure policy to the world

Every business needs a vulnerability disclosure policy. Thankfully, a growing number of organisations have one. Yet those policies are not always a click away. Here’s to a unique plugin for both Chrome and Firefox, because making it easy to report issues need not be much work.

We are all too familiar with the daily data breach debacles that organisations go through. Besides, the initial notice frequently comes from an “anonymous report” or from a disgruntled ethical hacker tweeting about your organisation’s mishandling of their repeated vulnerability notifications.

Those are situations we observe regularly, yet many organisations still struggle to prepare for them and for the PR mess that inevitably follows. Shooting the messenger, coming up with statements that look pretty much like they have been randomly generated, or not responding for months, are all symptoms that you are ill-prepared to handle reports from the broader security community.

The good news: I can haz a VDP

One robust approach to preventing stinky headlines and loss of trust from customers and partners is a vulnerability disclosure policy (VDP). That policy is a commitment that your organisation will receive, evaluate and, if need be, fix vulnerabilities reported by security people external to the business.
A VDP also clarifies that you will not go after ethical hackers willing to help you improve the security of your service or product.

For a VDP to be effective, it needs a few essential elements:

  1. Scope: clearly state what is covered, identifying the assets that your VDP applies to.
  2. Safe harbour: specifically directed at ethical hackers, this part confirms your commitment not to prosecute well-intentioned researchers who report a vulnerability. It is particularly important, as legal clarity across organisations and countries is extremely challenging to achieve.
  3. How To: the precise reporting mechanism your organisation has set up and, ideally, the details you would want to see in a vulnerability report. The aim here is to make that report as useful as possible to the organisation’s technical team.
  4. DO’s and DON’Ts: anything you find relevant to smooth communication.

You guessed it: setting up such a policy implies you have thought out roles and responsibilities internally. Rather than a burden, setting up a VDP and organising it is a way of developing talent, breaking silos and improving security altogether.

The better news: Showcasing your VDP has never been easier

You have a VDP; you now need to feature it prominently on the organisation’s website so it is accessible to anyone who needs it. One way of doing so is creating a dedicated webpage, as F-Secure does.

Another way relies on a simple tool that comes in handy, namely security.txt. You fill in the form, download the file and upload it to the business’s website. Your security.txt can contain contact details, or else the link to your ongoing Bug Bounty programme. Indeed, a Bug Bounty programme is a vulnerability disclosure policy with a monetary reward system.

Whichever way you choose, you will want it to be known. Well, now there is a plugin for that! Enter YesWeHack VDP Finder, the go-to Chrome and Firefox plugin. Whenever you browse the web, the plugin indicates whether a VDP exists. Because making it easy to report issues does not need to be much work!

Download the Firefox plugin from Mozilla.org
We have marked cases where a VDP exists without a security.txt as “room for improvement” to highlight that security.txt is a (draft, for now) standard. As such, it makes locating a VDP even easier, since no extra browsing is needed to find the contact details: the security.txt file is always present at www.mywebsite.tld/.well-known/security.txt
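To make the “room for improvement” logic concrete, here is an added example (not YesWeHack’s plugin code and not part of the original post) that parses a security.txt file, checks that it carries a usable Contact, and classifies a site into the three states the post describes. The field names come from the security.txt specification (RFC 9116, which later standardised the draft mentioned above); the sample file is constructed for the example and the `classify_site` helper and its state labels are this example’s own.

```python
"""Parse and sanity-check a security.txt file, then classify a site the way
the VDP Finder plugin described above does. Added example, not the plugin's code."""
from datetime import datetime, timezone
from urllib.parse import urlparse

# The well-known location the post refers to.
WELL_KNOWN_PATH = "/.well-known/security.txt"

# Field names defined by RFC 9116 (the security.txt specification).
KNOWN_FIELDS = {"Contact", "Expires", "Encryption", "Acknowledgments",
                "Preferred-Languages", "Canonical", "Policy", "Hiring"}

# Constructed sample file; not any real organisation's security.txt.
SAMPLE_SECURITY_TXT = """\
# Constructed sample for the example
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2030-01-01T00:00:00Z
Policy: https://example.com/vdp
Preferred-Languages: en, fr
"""


def parse_security_txt(text):
    """Return a dict mapping field name -> list of values.

    Lines have the form 'Field: value'; blank lines and '#' comments are
    skipped. Lines without a 'Field:' prefix are collected under '_invalid'.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            fields.setdefault("_invalid", []).append(line)
            continue
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file looks usable."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    # A security.txt without a Contact gives a researcher nowhere to report.
    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("missing Contact field")
    for contact in contacts:
        if urlparse(contact).scheme not in ("mailto", "https", "tel"):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")

    # An expired file signals a policy nobody maintains any more.
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("more than one Expires field")
    for stamp in expires:
        try:
            when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {stamp}")
            continue
        if when <= now:
            problems.append(f"security.txt expired on {stamp}")

    for name in fields:
        if name != "_invalid" and name not in KNOWN_FIELDS:
            problems.append(f"unknown field: {name}")
    for bad in fields.get("_invalid", []):
        problems.append(f"malformed line: {bad}")
    return problems


def classify_site(security_txt, vdp_page_found):
    """Mirror the three states the post describes (labels are this example's own).

    security_txt: file body fetched from WELL_KNOWN_PATH, or None if absent.
    vdp_page_found: whether a dedicated VDP web page was located some other way.
    """
    if security_txt is not None and not check_security_txt(security_txt):
        return "security.txt"
    if vdp_page_found:
        return "room for improvement"
    return "no VDP found"


if __name__ == "__main__":
    print(classify_site(SAMPLE_SECURITY_TXT, vdp_page_found=False))
    print(check_security_txt("Contact: security@example.com\nExpires: 2020-01-01T00:00:00Z"))
```

Run against a fetched `/.well-known/security.txt` body, the checker flags the mistakes that most often make a file useless in practice: a bare e-mail address instead of a `mailto:` URI, or an `Expires` date that has already passed.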

DevSecOps : how to increase your agility with Bug Bounty

Digital transformation requires security at the core of DevOps culture and processes.

Under pressure from business lines, DevOps teams need concision, speed and security to ensure continuous integration and delivery. Security, unfortunately, is too often considered a constraint on agility, and it has to be demystified so that DevOps teams adopt it better and faster.

Given the recent stories about data breaches that tarnished famous corporations like Facebook and Equifax, the time has come to empower your DevOps team with security.

We will try to cover the organizational and cultural challenges of setting up effective DevSecOps, and how, as a manager, you can develop security awareness and skills in your agile teams.

Last but not least, we will try to point out how Crowd Sourced Security is a key enabler of a successful DevSecOps strategy.

Source: https://tech.gsa.gov

What is at stake?


YesWeHack and its Partners, or how to get the best out of Bug Bounty?

What does a YesWeHack partner do?

Every organization is concerned by cybersecurity, and most of them can see that traditional solutions (penetration testing and scanners) are not sufficient anymore. As a result, whatever their size or industry, more and more of them opt for Bug Bounty.

By 2022, crowdsourced security testing platform products and services will be employed by over 50% of enterprises, up from less than 5% in 2018.

Gartner 2018 Market Guide on Crowdtesting

Indeed, Bug Bounty is the only solution that can claim exhaustiveness, responsiveness and continuity in testing. More importantly, Bug Bounty meets organizations’ growing need for agility: https://www.yeswehack.com

For all that, not every organization that wishes to set up a Bug Bounty program is ready to manage it by itself yet; indeed, the Bug Bounty process involves:
• The program’s creation: determination of the scope, rules, researchers’ reward grid, etc.
• The program’s day-to-day management and interaction with the researchers
• Validation and management of vulnerabilities and of the researchers’ test reports

Lacking time, resources, skills and process, some organizations can be intimidated by the implementation of a Bug Bounty program, in spite of the unrivaled benefits they could get out of it.

This is where our partners step in.

Why become a YesWeHack Partner?

The Dark Side of XSS revealed

Cross-site scripting (XSS) is one of the most common web application vulnerabilities and is still present in the OWASP Top 10-2017.

The goal of this paper is not to explain how to bypass anti-XSS filters in browsers or WAF protections, but to figure out what possibilities XSS vulnerabilities offer.

CISOs, like Bug Bounty managers, need to pay attention to this kind of vulnerability, which can at times become critical as the first step of a chain.

Cybersecurity & Bug Bounty: Attack is the best form of defence

By Guillaume Vassault-Houlière | CEO of YesWeHack

Through our European platform YesWeHack.com, Bug Bounty is gaining respectability in France and Europe.

Bug Bounty is an innovative and operational practice from the United States that rewards security experts who find security flaws in IT systems.

Within a complex geopolitical context, Europe and France can compete in defending a European model of digital sovereignty.

In the light of new threats, and given reports of organizations that fall victim to hacking and suffer irreversible damage, innovative cybersecurity policies and approaches need to be adopted.

Cybersecurity is a powerful ally for leading digital transformation.


YesWeHack: What about the legal features?

YesWeHack.com – the first European Bug Bounty platform – was launched in early 2016.

Unlike some other platforms, YesWeHack.com offers specific legal features designed to strengthen its relevance, security and legitimacy.

Above all, Bountyfactory.io focuses on security and the legal framework:

Our servers are based in Europe. Therefore, there is no data exposure to US services via FISA, the Patriot Act or the Freedom Act.

The Internet of Elevators, of Cars, of Weapons!

Have you ever watched The Lift? A Dutch horror movie by director Dick Maas about an intelligent (or smart?) and murderous elevator starting a killing spree. (Source: Wikipedia)

Scary, isn’t it?

Beyond fiction, the film “The Lift” aimed at questioning technology: systems you cannot regain control over.

Nowadays, we are told about the benefits of design thinking, internet of things and their tremendous power in terms of digital and economic development… Oh wait.

Unfortunately, the Internet of Things is driven by marketing-ravenous hyenas, and very few IoT companies are inspired by what we could call Security Design Thinking.

Today, within the Internet of Things, the auto industry has to struggle to keep itself from being hacked, both by criminals and by its own blind appetite for market share at the expense of its duty in the field of security.

Imagine the antithesis of the legendary film “Rebel Without a Cause”, where the hero no longer rides a car as a symbol of freedom but is the prisoner of a runaway wagon.

The revelations concerning the recent fraud by Volkswagen (and VW is not an isolated case) highlighted what is at stake in terms of security in the fabulous world of the Internet of Cars.

Before reaching the point of no return, car companies and end users should deeply consider the following thoughts:

Our Crowd Security Way

The video below presents the genuine and trustworthy commitment of our YesWeHack Bug Bounty Platform.