How Deezer protects its artists and users with Bug Bounty

Interview with Romain Lods, Head of Engineering, Deezer


What made you decide to get into Bug Bounty?

About two years before we launched our Bug Bounty Program, we started internal security audits on our code, which had never been done before at Deezer. These tests allowed us to make a first pass and fix some obvious vulnerabilities.

Then we got interested in Bug Bounty and YesWeHack. The ease of use of the platform convinced us to launch a program. Following the launch, we very quickly received interesting vulnerabilities, everything went smoothly, so we decided to continue and expand our perimeters.

What value can Bug Bounty add compared to traditional cyber security solutions (e.g. penetration testing)?

We usually perform one yearly audit on several of our services, which lasts from one to three weeks. But this approach is expensive, focuses each time on a few services only, and over time, doesn’t really deliver interesting results anymore. Bug Bounty allows us to have permanent feedback throughout the year, on various scopes, and to detect bugs very quickly.

In terms of ROI, Bug Bounty is also very interesting: we decide ourselves the reward we assign to each vulnerability.

Moreover, Bug Bounty also guarantees us a diversity of testing skills. With penetration testing, each consultant is ultra-specialized, so we kind of guide him on what we want him to test.

With Bug Bounty, we were clearly surprised by some researchers’ reports, which presented quite original scenarios we had never seen before.

Finally, I appreciate the quality of the reports on the flaws reported via YesWeHack: we can feel that the researchers are really trying to offer a functional and reproducible POC that we will easily be able to retest.

The reports of our usual audits are generally quite accurate, but we also find equivalent quality with Bug Bounty, when the researchers are good and “play the game”: it’s very pleasant to receive reports illustrated with screenshots and videos, which greatly facilitates their understanding, validation and also their communication to the teams concerned.


Do you get help from researchers to analyze and fix the bugs received? 

Indeed, the researchers can help us in the bug reproduction phase. In some cases, we ask them to check whether the vulnerability has been fixed. But this remains occasional, as we have a large team of developers in-house who can take care of this patch management.

Is Bug Bounty the death of penetration testing, or is it complementary?

For me it remains absolutely complementary. Bug Bounty is a tool that goes further and deeper than the audit. As I was saying earlier, we use penetration testing on new services, or on scopes where we already know there are problems.

Have you been able to observe any internal changes in your teams since you started Bug Bounty?

We clearly see an increased security awareness. Bug bounty reports helped us trigger some major security projects. Our vision and posture regarding cyber security has evolved, and Bug Bounty is one of the drivers of this change. 

In terms of organization, we adapted our process in order to collect, sort and validate reports. Then, based on the elements of each validated report, an internal ticket is created and assigned to the relevant team for processing with a certain degree of priority.

Do you consider Bug Bounty as a sign of confidence towards the market? 

From my point of view, yes: through a Public Bug Bounty program, we demonstrate and highlight our concerns about security and transparency. We also accept exposing ourselves to “controlled” attacks, and taking into account the valuable feedback from the researchers’ community.

At Deezer, we also have a team dedicated to fraud: indeed, artists and labels are paid according to the audience of the tracks, and in order to guarantee their income, we have to protect them from any fraud on the platform. So, this is a crucial part of our cybersecurity strategy – and within the scope of our Bug Bounty program.

The next step?

For the time being, we are pursuing our current strategy, regularly reviving the program when activity is declining. Generally speaking, the number of reports often depends on how visible Deezer is in the news. When we communicate more, launch campaigns, etc., researchers get attracted to our program.

As a next step, we will consider an increase in bounties to encourage researchers to find more complex vulnerabilities. 

Do you have any advice for CISOs or startups that would like to get into Bug Bounty?

As a general rule, it’s better to know your security flaws when you start a project, rather than wait until there are too many to deal with, after you’ve made (bad) architectural choices.

When I see what our Bug Bounty program brought us, I think it could have been even better if we had taken these insights into account as early as possible. 

So, I would recommend not waiting too long to implement tools such as Bug Bounty, in order to minimize the dependency on legacy systems, which are more complex to secure afterwards.



Success stories: Two years of the Blablacar Bug Bounty program

What made you decide to get into Bug Bounty?

Alain Tiemblo, Web Security Lead Engineer, Blablacar:

We used to rely on “traditional” audits: vulnerability scans, penetration testing, code analysis, etc. which already allowed us to find a lot of things. 

Then, we started receiving messages from trolls on social networks, reporting potential vulnerabilities, without notice and without any details. We also received some emails via customer support regarding vulnerabilities, but again, without precise or exploitable information. These people wanted to be paid before telling more, but in the absence of any “proven” flaw, it was impossible for us to pay them.

These messages became more and more numerous, up to the point where we decided to take the Bug Bounty step, in order to channel this flow of noisy reports.

We compared different Bug Bounty platforms in Europe and chose YesWeHack mainly for regulatory and data sovereignty reasons. Another decision criterion was the number of active hunters on the platform: it doesn’t make much sense to put money and energy into a Bug Bounty program if there isn’t a sufficient number of hunters to effectively search for vulnerabilities.

Conversely, we integrated security.txt on our website to guide hunters to the YesWeHack platform, a Bug Bounty program being a good way to encourage Coordinated Vulnerability Disclosure.

Can you describe the evolution and progress of your program from the beginning?

Alain Tiemblo, Web Security Lead Engineer, Blablacar:

We launched our private program at the end of 2017, with an important running-in phase: when we opened, we first received many reports, then we gradually refined our program; we defined our scopes better, the type of vulnerabilities we wanted to see reported, etc.

From the beginning we received “real” and potentially critical vulnerabilities, which convinced us of the relevance of the model and the effectiveness of the platform.

After a week, the number of reports started to decrease overall, but the ones that came up were more and more interesting, because the hunters “got into” our product and produced reports that were really specific to our business.

After a first month, it became more quiet, so we invited new hunters on the program to get new eyes and other skills on specific aspects of our program. 

The private program also allowed our teams to learn how to manage reports, classify and qualify them, and adjust the program rules.

Seven months after the opening of the private program, we decided to switch to a public program. We were really satisfied with the quality of the interactions with the hunters during the private phase, and were therefore not worried about this transition… We just wanted more hunters on our program!

We also wished to send a strong message to the community: anyone who finds a flaw can report it to us! Of course, we received more reports after the switch to a public program, but it was totally manageable.

Antonin Le Faucheux, CISO, Blablacar:

Today, we are striving for quality reports on increasingly complex vulnerabilities that require more operating time for hunters and more experienced hunter profiles. In this context, we have notably increased the amount of our rewards for critical and high vulnerabilities. The challenge is, with the support of YesWeHack, to attract researchers who find great stuff without “exploding” our rewards budget.

What do you think are the added values of Bug Bounty compared to traditional solutions like pentest? 

Antonin Le Faucheux, CISO, Blablacar:

For me, every tool has its uses. The advantage of Bug Bounty is, first of all, crowdsourcing: with an audit you have a couple of consultants at your disposal, whereas with Bug Bounty, we potentially have hundreds or thousands of researchers working on our program.

Then there is continuity, 365/24/7, while a penetration test usually takes place over a limited period of time and brings a “snapshot” at a specific moment. This continuity is critical to detect bugs as early as possible, as we update our applications very frequently.

Another key differentiator is that Bug Bounty implies an obligation of result (you pay only for what you get), while penetration testing only implies an obligation of means.

This also helps to get security budgets internally: we can explain that we only pay people who find exploitable vulnerabilities, rather than pay auditors “to see” whether they will find something, without any obligation of results. 

Bug Bounty is also a strong message to hackers. Many companies have long threatened to prosecute hackers who reported vulnerabilities. As a result, there is a kind of trauma among some bug hunters who find vulnerabilities and hesitate to contact the organizations concerned, for fear of being badly treated.

With our public program, we’re sending this very strong message to the community: we want you to report flaws to us and for that, we give you a legal and secure framework, with a trusted third party between us to make sure everything goes well. 

We want hunters to think: “I found a vulnerability on BlaBlaCar, I can be rewarded for this work legally and without taking any risks”. Rather than some people ending up selling the vulnerabilities on the black market…

How do you handle bug reports internally? 

Antonin Le Faucheux, CISO, Blablacar:

The security team is in charge of handling bug reports and provides a first qualification, in order to set the severity of the bug and whether it requires immediate attention or not. If the flaw is complex, we discuss it with our team. Once the vulnerability has been qualified internally, the dev team concerned is notified using a ticketing system provided by the YesWeHack platform. This ticketing system allows us to monitor the progress of the teams in their patching process and to get back to them if needed.

We then move on to the step of checking the fix with the hunter. It’s often a formality because we’ve usually checked ourselves, but it’s always interesting to have an outside eye, and sometimes we have surprises: the hunter tells us that it’s not correctly fixed! 

Have you been able to observe any internal changes in your teams since you started Bug Bounty?

Today, the security aspect is much more taken into account. In our internal training, we no longer talk about potential flaws, but we show concrete cases, flaws that have been brought to our attention as part of our program, which has a much greater impact. 

How does Bug Bounty fit into your agile approach?

Bug Bounty is integrated into each team’s workflow via a ticketing system, the idea being that security breaches are tasks just like any other, which we assign to each team concerned with the right level of priority.

As we deliver continuously, the ability to extend our program scope in one click, and to detect things quickly on these new scopes also makes us more agile: as soon as an application is updated, we can have it tested, take the results into account, and easily set up a feedback loop.

What is the next step in your Bug Bounty strategy?

The next step is to continue to fine-tune our program to continuously improve the quality of our reports and attract better hunters.

Case Study – Global Insurance Group

Can you introduce yourself quickly?

I am the Group CISO of a multinational insurance firm. My team’s mission is to set up a “cyber shield” for the Group and all its subsidiaries, by offering new security services to our subsidiaries – including Bug Bounty.

What made you decide to launch a Bug Bounty program?

I discovered Bug Bounty by discussing with several CISOs from major financial institutions. The recommendation of such demanding organizations in terms of security was obviously a key factor in my decision. We started small and the results were conclusive, so we gradually opened several Bug Bounty programs. It’s a new approach, which implies a learning curve.

What value can Bug Bounty add compared to traditional cyber security solutions (e.g. penetration testing)?

First of all, the guarantee of continuous checking – and not just one-off, as with “traditional” penetration testing. If I run a two-week penetration test every year, it implies that we remain “unprotected” for the other 50 weeks, which is no longer acceptable these days. As a complement, automated tests can also be useful, but are not sophisticated enough. With Bug Bounty, I have researchers working permanently on my scopes.


Inside the Yousign Private Bug Bounty Program

Interview with Kevin Dubourg, Bug Bounty Program Manager, Yousign

Why did you decide to go for such a new and disruptive solution as Bug Bounty?

There are a number of platforms out there, mostly US-based. We asked for certain guarantees on the hunters invited to our programs, and it seemed to us that YesWeHack offered those guarantees and the confidence to launch a Bug Bounty program.

What value do you think Bug Bounty can add compared to traditional cyber security solutions (e.g. pen test)?

Kevin Dubourg, Bug Bounty Program Manager, Yousign:

Diversity in terms of perspectives and skills. Every hunter has his own approach, his way of doing things, a unique approach that produces a particular attack. This is different from pentesting, and it provides a much stiffer challenge. With Bug Bounty, we kind of left behind the pentest world, in order to benefit from 10, 20 or 30 different views and really challenge our teams.

What is really interesting is that not all hunters are necessarily “cyber security professionals”. The entire ecosystem is represented here, and we can pick individuals based on their nationality, skill set, ranking on the platform, etc.


Case study of a Trust Service Provider (TSP) on private Bug Bounty program

What made you decide to launch a Bug Bounty program? 

We mainly launched a bug bounty because of our short delivery cycles. We were used to doing “traditional” pentests once a year, but as we have a lot of changes every month on our scopes, we simply could not wait 12 months for the next audit. Bug Bounty enables us to carry out continuous checks, for each release, update, new delivery, etc.

What value can Bug Bounty add compared to traditional cyber security solutions (e.g. pen testing)?

ROI: being able to pay for results only is very important for a small organisation like ours with limited budgets. With traditional pentests, we have to pay even if nothing has been found. Our last pentest cost around €8,000 and no major vulnerabilities were reported.

After two months running our program, dozens of security flaws had been reported, including some critical vulnerabilities never reported through previous audits, for a reward budget totalling around half of the cost of a single audit. 

I would also mention diversity – pen testing is too “academic” and just doesn’t meet our real needs. Most pentesters run tools and tick boxes: as a result there are too many things, too many vulnerabilities, that aren’t found. The diversity of hunters and their range of skill sets make a big difference.

Lastly, the model is super flexible. In terms of scope evolution for example: with a traditional pentest, scope is defined in advance – if you want to change anything, you have to pay again for another audit. Now, with Bug Bounty, I can fine-tune the program over time, I can add products or URLs to the scope – which is key to us.

Is Bug Bounty the end of pen testing? Or will it always remain complementary? 

As a trusted digital service provider, we have to run pentests to meet regulatory requirements. So, we have no choice but to continue doing traditional audits. However, if we were in an industry not subject to such regulations, there’s no question we would only use Bug Bounty. 

This year, we are going to mention bug bounty in our certification process, making the case that Bug Bounty is equivalent to intrusion testing – and actually more effective.

What’s next? 

Expanding the program to our APIs and mobile apps. 

Is there anything else you’d like to mention? 

Bug Bounty is also a key selling point for our sales team – especially with large accounts that require the most stringent security guarantees. Bug Bounty is now automatically included in our sales presentations to large accounts. 

Case Study: Groupe ADP’s Public Bug Bounty Program

What made you decide to launch the Bug Bounty program? 

Daniel Diez, Head of the Digital Factory Division, Groupe ADP: “The Group Security team took the lead on this project. I had no prior experience of Bug Bounty, but we very quickly saw the model’s advantages and power. And although I never had any particular doubts or worries, now all I see is the benefits. The bugs reported by hunters are vulnerabilities that we and our auditors may not have seen otherwise, and which could therefore be exploited by bad guys.”

Eric Vautier, Group CISO, Groupe ADP: “In cyber security, anticipation is everything. You need to stay a step ahead of the hackers. This means keeping a close eye on market innovations.

In the digital world, doing “old-style” protection means you are clearly behind the game. And a good way to catch up is to work directly with security researchers who use hackers’ methods and think like them.”

Daniel Diez: “We started Bug Bounty wondering if we could successfully adapt the model to our way. Today, it is one of the pillars of our web security strategy. Of course, it’s vital to set the program’s rules carefully: you have to structure the tests in the right way so that the hunters don’t “disperse” their efforts. You need to identify the right “boundaries”, and this is where the program setup is essential. We started with a tightly drawn scope and expanded it as we went along.”

What value can Bug Bounty add compared to traditional cyber security solutions (e.g. pen test)?

Daniel Diez: “Continuous testing – this is Bug Bounty’s big strength. Pen tests are run at a given point in time – not following every minor delivery. While with Bug Bounty, we have hunters working continuously, remaining alert to anything new, which means they can detect whether any change creates potential vulnerabilities.”

Eric Vautier: “In a perfect world we should systematically test each update on our website. This would mean running a pentest every week, or even more often… And everyone knows that’s not feasible. Bug Bounty makes such continuous verification possible.”

Daniel Diez: “I’ve been getting reports we never got from our pen tests – way more in-depth reports, particularly on the website navigation experience. Auditors don’t necessarily have this approach. What’s more, a pentest has a limited timeframe, whereas hunters take the time they need to go as far as possible. As time goes by, they also get increasingly familiar with our scope, which means they can go even more in depth.”

Eric Vautier: “A Bug Bounty program can also be used to report more functional, not just technical, application vulnerabilities. For me, this is what genuinely differentiates it from the pentest. It is a completely different angle. A pen test often relies on automated tools, while Bug Bounty builds on these tools with a more human approach.”

Daniel Diez: “What is also interesting is the interactions with hunters. They help us understand the vulnerabilities they’ve found and how to fix them effectively. In this way we can leverage their expertise.

For sure, Bug Bounty demands some investment. You have to be available to understand what the hunters have tried to do, to talk to them…

But they force us to ask ourselves fresh questions: how would a bad guy get round our protection measures?”

Is Bug Bounty the end of pen testing? Or will it always remain complementary?

Daniel Diez: “For me, neither works without the other. For one thing, we are not necessarily testing the same things with both. And we cannot set off into the unknown without having some minimum level of certainty in advance. Bug Bounty comes in at a more mature stage in the logical flow of events. You need to leverage a minimum base level of security before launching Bug Bounty. That said, today, within the current scope, we no longer need to run pentests. Bug Bounty is enough on its own. You need to set the bar at the right level at the outset, and it then becomes a recurring process.”

How does Bug Bounty fit with your agile approach?

Daniel Diez: “Like everyone, we have tools to manage sources, builds, projects and performance analytics. We also use tools to log and track each new vulnerability report from the Bug Bounty program. For each sprint we verify which relevant data we can include, so we can deal with issues as they come.”

Why have you gone public? How has that changed your approach with Bug Bounty?

Eric Vautier: “The main advantage is to maximise our risk coverage by multiplying the number of potential tests. Also, it gives us a single channel for reporting vulnerabilities in our website.”

What comes next?

Eric Vautier: “We are going to open up new scopes, on other applications and with other business entities using the same model: private program first, then going public.”

YesWeHack provides its bug bounty platform and expertise to the French Armed Forces Ministry.

YesWeHack is delighted to support the French Cyber Defence Command (COMCYBER), in order to leverage its force of more than 3,400 cyber-combatants.

YesWeHack, a French start-up and bug bounty leader in Europe, equips COMCYBER with an innovative concept and tool to boost cooperation with all the Ministry’s cyber entities.

This bold initiative is part of the Ministry’s opening up to civil society and private actors.

Florence Parly, the French Armed Forces Minister, announced on the 22nd of January:

A partnership has been established between COMCYBER and a start-up, YesWeHack. So, yes, I do announce: we will launch the first bug bounty of the French Armed Forces Ministry at the end of February 2019. Ethical hackers, recruited within the cyber operational reserve, will be able to search for vulnerabilities in our systems and, if successful, be, as they should be, rewarded.

Florence Parly, the French Armed Forces Minister

With the signing of this partnership, the Armed Forces Ministry becomes the first French Ministry to launch a bug bounty program. COMCYBER will leverage the YesWeHack bug bounty platform to meet the growing challenge posed by new cyber threats.

With the YesWeHack bug bounty platform, COMCYBER will be able to best use its trusted community of reservists, in order to improve the overall security of the ministry’s entities.

Guillaume Vassault-Houlière, YESWEHACK CEO

This bug bounty program opens new perspectives for the management of the operational cyber reserve. Ultimately, such an initiative will make it possible to train reservists and increase their skills to significantly and durably improve the Ministry’s level of security.

[ITW] High-value bugs: like the hunters, these are the bugs we find most exciting!

Quentin Berdugo, CISO @dailymotion

Can you describe dailymotion and the role you have within the organization?

Since 2005, dailymotion has been pioneering video streaming and delivery and is now making its comeback as a major video destination platform. I’m dailymotion’s CISO.

What is dailymotion’s history in terms of coordinated vulnerability disclosure and what milestones have you been through?

When we saw our first user notification *on Facebook*, we realized that we were lacking a proper channel for our users and the security community to notify us of potential issues.

For our users, we created a security category on our support portal, with instructions for the support team as to how to route these specific inquiries. For the security researchers, we had a security@dailymotion.com address created.

This went a long way and we had some surprisingly interesting notifications from the users, the InfoSec community and academia.

Since we later introduced a private bug bounty program, we were able to use it to reward these spontaneous notifications.

This didn’t really prevent the occasional researcher from tweeting about an issue before they even gave us a heads-up, but it really helped us build a strong experience on vulnerability disclosure that turned out to be very useful when writing our disclosure policy, which we published at the same time as we opened the bug bounty to the public.

We have made this disclosure policy available in our “security.txt” file, a draft internet standard aiming at facilitating the disclosure of security issues.

You have recently opened up your bug bounty program to the public, what’s your feedback?

“A Bug Bounty program is a good way to put your own work to the test,” affirms Yves Berquin, co-founder of MatrixReq.

Please briefly introduce Matrix Requirements and your role in the company

Before we founded Matrix Requirements (Matrixreq.com) in 2014, we were project managers at a medical technology company and had recognised that we needed a better tool for design traceability. So we initially developed MatrixALM for our own use.

Founding Matrix Requirements to market this application independently only came later.

Matrix Requirements is a four-person team that has already acquired 100 customers with a total of 700 users, which is a remarkable achievement for such a small team.

30% of our customers come from the USA and about as many from Germany; the rest are spread across the other European countries as well as Israel, Australia, India and Canada.

My role in the team relates mainly to back office, networks, databases and Linux servers. It goes without saying that security is my top priority.

What led you to set up a bug bounty exercise?

Even though we are a small company, we have obtained ISO13485:2016 certification and are also aiming for ISO27001 certification. These standards require a thorough examination of the risks associated with our processes. One obvious risk in companies like ours is of course unauthorised intrusion by outsiders into our IT systems.

“A bug bounty program is a practical way to put your work to the test,” states Yves Berquin, Co-founder of MatrixReq

Yves Berquin, Co-founder of MatrixReq GmbH

Presentation of Matrix Requirements and your position

Before we co-founded our German company, Matrix Requirements (matrixreq.com), in 2014, we were project managers in a medical device company and it was clear to us that we needed a better tool to manage the traceability of the design. We built MatrixALM for ourselves and later on we created Matrix Requirements to launch our application independently.

The Matrix Requirements team is 4 people, which is quite honorable compared to our results so far: we have about 100 customers totaling about 700 users.

30% of our customers come from the US, about 30% from Germany and the remainder from the rest of Europe, Israel, Australia, India and Canada.

My role in the team is more on the back-office side: network, databases, Linux servers. Needless to say, I’m very concerned about security.

What are the reasons that led you to embark on the bug bounty exercise?

Even though we are quite small, we are certified ISO13485:2016 and on the way to being ISO27001, and this type of standard mandates that we study the risks of our processes. Of course, one obvious risk in our type of business is intrusion into our information systems.

We’ve had intrusion attempts in the past and we protected ourselves with quite elaborate active rules on our firewalls. We’ve had an audit from a group in KULeuven, and one of their recommendations was to go through a bug bounty exercise.

Why did you choose YesWeHack?

We first asked a well-known US bug bounty company but the pricing was out of reach for us. Then we discovered YesWeHack, through the OVH DLP accelerator (we are also members). We contacted them and found out quickly that their offer matched what we were looking for: a group of researchers that could investigate our security in black-box mode. In particular, we wanted to be able to talk to the researchers in English, and that is a given on that platform.

What are the results of your private phase?

The private phase was achieved with a group of 10 researchers, and they came back with 5 vulnerabilities. Frankly, we were relieved that none of the reported vulnerabilities were severe, which confirmed that we already had quite a good security maturity.

Of course we can never rest in this field, but what was returned to us were subtle weaknesses that, by themselves, wouldn’t allow anyone to actually enter our site.

We rewarded the researchers anyway, understanding that sometimes a combination of small weaknesses could lead to an actual attack vector. The exchanges with the researchers were very fruitful and they gladly checked that our fixes were effective as well.

That dialogue is really the positive aspect of the exercise: we forced ourselves to reply quickly to the remarks, and they were very quick to answer back and offer suggestions to solve the issues if needed.

What are you expecting from the public phase?

Opening the bounty to all the ethical hackers on the YesWeHack platform should lead to much more feedback for us, and should help us solidify our application and its API even more. I hope nothing too bad will come out of it, but of course I prefer hearing about it this way: we have to detect potential security issues as soon as possible.

A bug bounty program is a practical way to put your work to the test. We hope to learn a lot from this public phase – through ways that we wouldn’t have thought about ourselves.

Today more than ever (think Facebook, British Airways, …) we must stay humble and remember that ‘Security through obscurity’ doesn’t exist and it’s only by putting your cards on the table and being proactive that you can ensure a decent level of security.
