Categories
Customers Stories

Case Study: How Outscale secures its sovereign cloud with YesWeHack

Can you tell us why you decided to implement a Bug Bounty program?

Edouard Camoin – CISO – 3DS Outscale:

We’ve been ISO 27001 certified since 2014 and are thus required to look for vulnerabilities using penetration testing. At first, the penetration tests were useful; but as time went by, they produced fewer exciting things. We quickly realised that in the limited duration of an audit (2 to 3 weeks), the pentester didn’t have the time to find more severe vulnerabilities. At best, he had hunches, but then we needed to work on them.

We also saw that, for several years, Bug Bounty had been working well in the US, where household names were using the approach.

At first, we hesitated between the Red Team and Bug Bounty, with researchers coming from diverse backgrounds to test our perimeters and discover new vulnerabilities.


How Deezer protects their artists & users with Bug Bounty?


Success stories: Two years of the Blablacar Bug Bounty program

What made you decide to get into Bug Bounty?

Alain Tiemblo, Web Security Lead Engineer, Blablacar:

We used to rely on “traditional” audits: vulnerability scans, penetration testing, code analysis, etc., which already allowed us to find a lot of things.


Case Study – Global Insurance Group


INSIDE THE YOUSIGN PRIVATE BUG BOUNTY PROGRAM

Interview with Kevin Dubourg, Bug Bounty Program Manager, Yousign


Case study of a Trust Service Provider (TSP) on private Bug Bounty program

What made you decide to launch a Bug Bounty program?

We mainly launched a bug bounty because of our short delivery cycles. We were used to doing “traditional” pentests once a year, but as we have a lot of changes every month on our scopes, we simply could not wait 12 months for the next audit. Bug Bounty enables us to carry out continuous checks, for each release, update, new delivery, etc.


Case Study: Paris Airports’ Public Bug Bounty Program

What made you decide to launch the Bug Bounty program?

Daniel Diez – Head of the Digital Factory Division, Groupe ADP:
“The Group Security team took the lead on this project. I had no prior experience of Bug Bounty, but we very quickly saw the model’s advantages and power. And although I never had any particular doubts or worries, now all I see is the benefits. The bugs reported by hunters are vulnerabilities that we and our auditors may not have seen otherwise, and which could therefore be exploited by bad guys.”

Eric Vautier – Group CISO, Groupe ADP: “In cyber security, anticipation is everything. You need to stay a step ahead of the hackers. This means keeping a close eye on market innovations.

In the digital world, doing “old-style” protection means you are clearly behind the game. And a good way to catch up is to work directly with security researchers who use hackers’ methods and think like them.”

Daniel Diez: “We started Bug Bounty wondering if we could successfully adapt the model to our way. Today, it is one of the pillars of our web security strategy. Of course, it’s vital to set the program’s rules carefully: you have to structure the tests in the right way so that the hunters don’t “disperse” their efforts. You need to identify the right “boundaries”, and this is where the program setup is essential. We started with a tightly drawn scope and expanded it as we went along.”

What value can Bug Bounty add compared to traditional cyber security solutions (e.g. pen test)?

Daniel Diez: “Continuous testing – this is Bug Bounty’s big strength. Pen tests are run at a given point in time – not following every minor delivery. While with Bug Bounty, we have hunters working continuously, remaining alert to anything new, which means they can detect whether any change creates potential vulnerabilities.”

Eric Vautier: “In a perfect world we should systematically test each update on our website. This would mean running a pentest every week, or even more often… And everyone knows that’s not feasible. Bug Bounty makes such continuous verification possible.”

Daniel Diez: “I’ve been getting reports we never got from our pen tests – way more in-depth reports, particularly on the website navigation experience. Auditors don’t necessarily have this approach. What’s more, a pentest has a limited timeframe, whereas hunters take the time they need to go as far as possible. As time goes by, they also get increasingly familiar with our scope, which means they can go even more in depth.”

Eric Vautier: “A Bug Bounty program can also be used to report more functional, not just technical, application vulnerabilities. For me, this is what genuinely differentiates it from the pentest. It is a completely different angle. A pen test often relies on automated tools, while Bug Bounty builds on these tools with a more human approach.”

Daniel Diez: “What is also interesting is the interactions with hunters. They help us understand the vulnerabilities they’ve found and how to fix them effectively. In this way we can leverage their expertise.
For sure, Bug Bounty demands some investment. You have to be available to understand what the hunters have tried to do, to talk to them…

But they force us to ask ourselves fresh questions: how would a bad guy get round our protection measures?”

Is Bug Bounty the end of pen testing? Or will it always remain complementary?

Daniel Diez: “For me, neither works without the other. For one thing, we are not necessarily testing the same things with both. And we cannot set off into the unknown without having some minimum level of certainty in advance. Bug Bounty comes in at a more mature stage in the logical flow of events. You need to leverage a minimum base level of security before launching Bug Bounty. That said, today, within the current scope, we no longer need to run pentests. Bug Bounty is enough on its own. You need to set the bar at the right level at the outset, and it then becomes a recurring process.”

How does Bug Bounty fit with your agile approach?

Daniel Diez: “Like everyone, we have tools to manage sources, builds, projects and performance analytics. We also use tools to log and track each new vulnerability report from the Bug Bounty program. For each sprint we verify which relevant data we can include, so we can deal with issues as they come.”

Why have you gone public? How has that changed your approach with Bug Bounty?

Eric Vautier: “The main advantage is to maximise our risk coverage by multiplying the number of potential tests. Also, it gives us a single channel for reporting vulnerabilities in our website.”

What comes next?

Eric Vautier: “We are going to open up new scopes, on other applications and with other business entities using the same model: private program first, then going public.”


YesWeHack provides its bug bounty platform and expertise to the French Armed Forces Ministry.

YesWeHack is delighted to support the French Cyber Defence Command (COMCYBER), in order to leverage its force of 3,400+ cyber-combatants.

YesWeHack, a French start-up and bug bounty leader in Europe, equips COMCYBER with an innovative concept and tool to boost cooperation with all the Ministry’s cyber entities.

This bold initiative is part of the Ministry opening up towards the civil society and private actors.

Florence Parly, the French Armed Forces Minister, announced on the 22nd of January:

“A partnership has been established between COMCYBER and a start-up, YesWeHack. So, yes, I do announce: we will launch the first bug bounty of the French Armed Forces Ministry at the end of February 2019. Ethical hackers, recruited within the cyber operational reserve, will be able to search for vulnerabilities in our systems and, if successful, be, as they should be, rewarded.”

Florence Parly, the French Armed Forces Minister

With the signing of this partnership, the Armed Forces Ministry becomes the first French Ministry to launch a bug bounty program. COMCYBER will leverage YesWeHack’s bug bounty platform to meet the growing challenge posed by new cyber threats.

“With the YesWeHack bug bounty platform, COMCYBER will be able to best use its trusted community of reservists, in order to improve the global security of the Ministry’s entities.”

Guillaume Vassault-Houlière, YesWeHack CEO

This bug bounty program opens new perspectives for the management of the operational cyber reserve. Ultimately, such an initiative will make it possible to train reservists and increase their skills, significantly and durably improving the Ministry’s level of security.


[ITW] High-value bugs: like the hunters, these are the bugs we find most exciting!

Quentin Berdugo, CISO @dailymotion

Can you describe dailymotion and the role you have within the organization?

Since 2005, dailymotion has been pioneering video streaming and delivery and is now making its comeback as a major video destination platform. I’m dailymotion’s CISO.

What is dailymotion’s history in terms of coordinated vulnerability disclosure and what milestones have you been through?

When we saw our first user notification *on Facebook*, we realized that we were lacking a proper channel for our users and the security community to notify us of potential issues.

For our users, we created a security category on our support portal, with instructions for the support team as to how to route these specific inquiries. For the security researchers, we had a security@dailymotion.com address created.

This went a long way and we had some surprisingly interesting notifications from the users, the InfoSec community and academia.

Since we later introduced a private bug bounty program, we were able to use it to reward these spontaneous notifications.

This didn’t really prevent the occasional researcher from tweeting about an issue before they even gave us a heads-up, but it really helped us build strong experience in vulnerability disclosure, which turned out to be very useful when writing our disclosure policy, which we published at the same time as we opened the bug bounty to the public.

We have made this disclosure policy available in our “security.txt” file, a draft Internet standard aiming to facilitate the disclosure of security issues.

You have recently opened up your bug bounty program to the public, what’s your feedback?


“A bug bounty program is a good way to put your own work to the test,” affirms Yves Berquin, co-founder of MatrixReq.

Please briefly introduce Matrix Requirements and your role in the company

Before we founded Matrix Requirements (Matrixreq.com) in 2014, we were project managers at a medical technology company and had realised that we needed a better tool for design traceability. So we initially developed MatrixALM for our own use.

Founding Matrix Requirements to market this application independently only came later.

Matrix Requirements is a four-person team that has already acquired 100 customers with a total of 700 users, which is a remarkable achievement for such a small team.
30% of our customers come from the USA and a similar share from Germany; the rest are spread across the other European countries as well as Israel, Australia, India and Canada.
My role in the team mainly covers back office, networks, databases and Linux servers. It goes without saying that security is my top priority.

What prompted you to set up a bug bounty exercise?

Even though we are a small company, we have obtained ISO13485:2016 certification and are also aiming for ISO27001 certification. These standards require a thorough examination of the risks associated with our processes. One obvious risk for companies like ours is, of course, unauthorised intrusion by outsiders into our IT systems.