Category: Disclosure Page 1 of 4

FIC 2019: YesWeHack’s community, NGOs & CivicTech unite through a unique Bug Bounty Campaign.

For this edition of FIC 2019, YesWeHack is organizing, for the first time in the history of FIC, a special event dedicated to Bug Bounty.

The International Cybersecurity Forum (FIC), the European reference event bringing together all stakeholders in digital trust, will take place on 22 and 23 January.

This unprecedented bug bounty campaign will take place in a dedicated space reserved for dozens of security researchers, who will work across several scopes and, where applicable, earn rewards according to the criticality of the vulnerabilities they report.

For this premiere, the scopes are submitted by NGOs and CivicTech projects wishing to harden their systems and thus better protect their information assets and their reputation.

YesWeHack has chosen to prioritise NGOs and CivicTech this year, because many European citizens use tools developed by this sector to contribute to the common good, democracy, and associative and charitable projects.

“For all actors, customers, developers and researchers, this Bug Bounty campaign within the 2019 FIC is a great and useful opportunity to exchange and confront the reality of threats in order to significantly increase the level of security and privacy by design”

Guillaume Vassault-Houlière – CEO @YESWEHACK

The Bug Bounty area will welcome bug hunters, who will cooperate with “program managers” from the selected projects with the support of Romain Lecoeuvre, CTO of YesWeHack.

There will be two kinds of rewards: a total prize pool of several thousand euros is planned to reward the best researchers, and goodies will delight the collectors among the participants.


New YesWeHack Bug Bounty platform: For a better program management

Thanks to the impressive work of our team, our Bug Bounty platform has been released with new features for program managers.

So we would like to share with you the new features below 🙂

New program structure
We have reviewed the structure of the programs by adding several fields:

A « Scope » field to define the types and perimeters of the targets (links, web app, iOS App Store, Android)
An « Out of scope » field, if applicable
« Qualifying Vulnerabilities », i.e. those eligible for a reward
« Non-Qualifying Vulnerabilities », i.e. those not eligible for a reward
And a mandatory compensation grid based on criticality (Low / Medium / High / Critical)

Please update your Bug Bounty program by filling in the new fields to better manage your perimeter.

New report workflow
We have reviewed the workflow for qualifying bug reports.
It is said that a picture speaks a thousand words, so please take a look at the workflow diagram below:

[Optional] Free VPN
We offer all our customers a free VPN. It lets you give hunters a dedicated connection that meets your program’s legal framework, and it also lets you open dedicated, IP-filtered environments to them.

Profile page
Each hunter now has a profile page that highlights all their activity on the platform, including their ranking.
This allows YesWeHack’s client companies to select hunters and invite them into their programs based on their impact score or activity.

Two-factor authentication (TOTP)
We have integrated a two-factor authentication to increase the security level of your YesWeHack account.

New report structure
The details of the bug reports have also been reviewed to give the program manager more clarity. The ergonomics of the tools used for qualifying reports have also been redesigned to make you more efficient. Combined with the public API, the new program and report structures let you make the most of vulnerability reports in your DevSecOps pipeline.

New dashboard
The new dashboard gives you all the statistics related to the reported bugs (severity, status, classification, etc.) as well as the amount of rewards paid.

API
We do provide an API so that you can develop or connect your own tools.

Members at all levels
We have improved granularity in member management. You can invite members to your business unit, but also to your programs and reports. The number of members is unlimited.

We hope that you will enjoy this new version as much as we do. Please be aware that we are always ready to listen to your feedback, questions and/or comments.

***

YesWeHack Version 2: improvements for all hunters!

Dear hunters,

Over the last few months, we’ve been hard at work developing our new bug bounty platform. While engaging with you, we’ve made big changes to the parts of our services that needed improvement, or even a redesign.

Today, we would like to share some of these changes with you, and cover the benefits of the update.

We have a brand new logo!
Our branding is evolving with a new logo and design. We think it gives us a better look, and we hope you will like it.

YesWeHack New Logo

We’ve been listening to your feedback about the previous platform experience, and thanks to you we were able to develop a brand new user experience.

Profile page
Each hunter now has a profile page that highlights all their activity on the platform, including their ranking.
This allows YesWeHack’s client companies to select hunters and invite them into their programs based on their impact score or activity.

Bug Hunter Public Profile

Two-factor authentication (TOTP)
We have integrated a two-factor authentication to increase the security level of your YesWeHack account.

TOTP new security 2FA for bug hunters

New programs display
The display of a program’s details has been completely redesigned to provide a better user experience.
In addition to the traditional information about a Bug Bounty program, we now show, in a very visual way, the current activity on the program (number of reports, thanks, etc.) as well as the reward bracket the security expert can expect.

New billing process
We have completely reviewed the billing process. This will allow you to comply with the requirements of the tax authorities.

Billing process for Bug hunters

Program versioning
It is not always easy for a hunter to follow the evolution of a bug bounty program over time. That’s why we implemented a versioning feature on the program display.

Versioning of bug bounty program

***

We hope that you will enjoy this new version as much as we do.

We wish you happy hunting!

Please be aware that we are still ready to listen to your feedback, questions and/or comments.

***

Stay tuned!
Soon, we will post about the new features improving our clients’ experience.

Partnership: SODIFRANCE & YESWEHACK.

Sodifrance and YesWeHack strengthen their collaboration around Bug Bounty to fight cyber risks effectively.

Sodifrance, through its expert brand Antéo Trust & Security, and Bounty Factory by YesWeHack, the leading open Bug Bounty platform in Europe, announce the signing of a partnership to facilitate the detection of IT vulnerabilities and to offer companies a comprehensive answer to their cybersecurity challenges.

As part of their digital transformation, companies of all sectors and sizes are making full use of new digital solutions to accelerate their growth and improve the customer experience. At the same time, the number of cyber-attacks is rising and their consequences are getting worse: loss of revenue and customers, data theft, damage to reputation, and now legal risks under new regulations such as the GDPR.

Faced with these new security challenges, Sodifrance relies on the YesWeHack platform to offer an innovative cybersecurity service. It allows companies of all sizes to better control the security level of their applications and IT environments.

“We wanted to offer our customers a service complementary to Pentest or Red Team audits,” says Hervé Troalic, Director of the Security offering at Sodifrance.

Hervé Troalic continues: “The turnkey Bug Bounty solution we offer, made possible by this partnership with YesWeHack, gives companies investing in web and mobile strategies real assets for controlling the security of their applications. Moreover, it proves perfectly suited to organisations adopting DevOps practices that do not want to sacrifice the security of their applications to time-to-market demands.”

For Guillaume Vassault-Houlière, founder of YesWeHack,

“This collaboration with Sodifrance offers our customers a tailored, complementary, high-value-added service. It answers the wish of CISOs and executive management to be able to rely on trusted European players who listen to their customers and respect their budget constraints.”

About Sodifrance
A digital services company founded in 1986, Sodifrance has more than 1,350 consultants across 14 locations in France. Its service offering is divided into 6 main lines of business: technology consulting, digital transformation, Data Management, IS modernisation, application services and infrastructure services. Sodifrance manages the transition between legacy information systems and new IT models, enabling organisations of all sizes to strengthen their competitiveness and collaborate more effectively thanks to innovative solutions centred on mobility, security, Big Data and the Cloud.

About YesWeHack
With offices in France and Switzerland, YesWeHack is the leading European Bug Bounty platform in terms of number of customers and number of hunters, compliant with European security standards and legal requirements.

YesWeHack supports the Paris Call to strengthen cooperation between digital players.

YesWeHack supports the Paris Call for Trust and Security in Cyberspace.

With its founding members drawn from the French and European hacker community, YesWeHack promotes actions to share and transmit knowledge, as well as to strengthen digital sovereignty for the creation and maintenance of trusted environments.

Guided by its founding principles, YesWeHack is dedicated to uniting and cooperating with all digital actors and to committing to better securing cyberspace.

Today, YesWeHack makes its CrowdSecurity platform available to all stakeholders who are committed to following the Paris Call. This platform brings together a community of 5000+ ethical hackers, the largest in Europe.

In a complex geopolitical context, facing increasing cyber-threats and economic and political risks, YesWeHack is committed on a daily basis to defending a vision of trust and security in cyberspace.

Our commitment is to a development of digital technology that defends our democracies and our informational assets, and therefore the protection of the data of all citizens in the European Union and elsewhere.

Protecting our democracies is a major cybersecurity challenge, and it is important to propose appropriate solutions to better secure the digital tools used by citizens, both day to day and during election periods.

Guillaume Vassault-Houlière, CEO of YesWeHack

***

The Paris Call

***


[ITW] High value bugs: like the hunters, these are the bugs we find most exciting!

Quentin Berdugo, CISO @dailymotion

Can you describe dailymotion and the role you have within the organization?

Since 2005, dailymotion has been pioneering video streaming and delivery and is now making its comeback as a major video destination platform. I’m dailymotion’s CISO.

What is dailymotion’s history in terms of coordinated vulnerability disclosure and what milestones have you been through?

When we saw our first user notification *on Facebook*, we realized that we were lacking a proper channel for our users and the security community to notify us of potential issues.

For our users, we created a security category on our support portal, with instructions for the support team as to how to route these specific inquiries. For the security researchers, we had a security@dailymotion.com address created.

This went a long way and we had some surprisingly interesting notifications from the users, the InfoSec community and academia.

Since we later introduced a private bug bounty program, we were able to use it to reward these spontaneous notifications.

This didn’t really prevent the occasional researcher from tweeting about an issue before they even gave us a heads-up, but it really helped us build strong experience in vulnerability disclosure that turned out to be very useful when writing our disclosure policy, which we published at the same time as we opened the bug bounty to the public.

We have made this disclosure policy available in our “security.txt” file, a draft Internet standard aiming at facilitating the disclosure of security issues.
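The security.txt file mentioned above is a plain-text file served at a well-known path so that researchers can find a site's disclosure contact and policy. The draft referred to in the interview later became RFC 9116, which makes both a Contact and an Expires field mandatory. The following parser and sanity-checker is an added example written for this page; it is not dailymotion's or YesWeHack's code, and the two sample files, contact addresses and URLs it contains are constructed placeholders (example.com), not real values.

```python
"""Parse a security.txt file and flag common mistakes.

Added example, not from the interview. Rules follow RFC 9116 (the published
form of the draft the interview mentions): Contact is required and must be a
mailto:/tel:/https: URI, Expires is required, must appear once, must carry a
timezone and should be less than a year away. Sample inputs are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed well-formed sample (placeholder domain, not a real file).
GOOD_SAMPLE = """\
# Constructed example of a security.txt file
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-06-30T23:59:00.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Policy: https://example.com/disclosure-policy
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample with typical defects: plain-http contact, a bare e-mail
# address instead of a mailto: URI, a line missing its colon, and no Expires.
WEAK_SAMPLE = """\
Contact: http://example.com/security
Contact: security@example.com
Acknowledgments https://example.com/hall-of-fame
"""

# "Field-name: value" with optional surrounding whitespace.
FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.*?)\s*$")
CONTACT_URI_RE = re.compile(r"^(mailto:|tel:|https://)")


def parse_security_txt(text):
    """Map each field name (normalised to Title-Case, as names are
    case-insensitive) to the list of values seen, in file order.
    Comments and blank lines are skipped; lines that do not parse are
    collected under the '_invalid' key so the caller can report them."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = FIELD_RE.match(line)
        if not match:
            fields.setdefault("_invalid", []).append(raw)
            continue
        name = match.group(1).title()
        fields.setdefault(name, []).append(match.group(2))
    return fields


def check_security_txt(text, now=None):
    """Return (fields, findings); findings is a list of plain-text problems.
    `now` is injectable so the expiry check is reproducible in tests."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = [f"unparseable line: {bad!r}" for bad in fields.get("_invalid", [])]

    contacts = fields.get("Contact", [])
    if not contacts:
        findings.append("missing required Contact field")
    for contact in contacts:
        if contact.startswith("http://"):
            findings.append(f"Contact uses plain http, must be https: {contact}")
        elif not CONTACT_URI_RE.match(contact):
            findings.append(f"Contact is not a mailto:/tel:/https: URI: {contact}")

    expires = fields.get("Expires", [])
    if not expires:
        findings.append("missing required Expires field")
    elif len(expires) > 1:
        findings.append("Expires must appear exactly once")
    else:
        try:
            # RFC 3339 allows a trailing 'Z'; fromisoformat wants '+00:00'.
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not an RFC 3339 date-time: {expires[0]}")
        else:
            if exp.tzinfo is None:
                findings.append("Expires must carry a timezone offset")
            elif exp <= now:
                findings.append(f"file expired on {exp.isoformat()}")
            elif exp - now > timedelta(days=366):
                findings.append("Expires is more than a year away (RFC 9116 recommends less)")
    return fields, findings


if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("weak", WEAK_SAMPLE)):
        _, problems = check_security_txt(sample)
        print(f"{label}: {len(problems)} finding(s)")
        for problem in problems:
            print("  -", problem)
```

Run stand-alone, the script reports no findings for the well-formed sample (until its constructed Expires date has passed) and four for the weak one. The `now` parameter exists so that a check run from CI can be pinned to a fixed clock in tests while production use defaults to the current time.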

You have recently opened up your bug bounty program to the public, what’s your feedback?


“A bug bounty program is a practical way to put your work to the test” states Yves Berquin – CoFounder of MatrixReq

Yves Berquin - Cofounder of MatrixReq

Yves Berquin, Cofounder of MatrixReq – GmbH

Presentation of Matrix Requirements and your position

Before we co-founded our German company, Matrix Requirements (matrixreq.com) in 2014, we were project managers in a medical devices company and it was clear to us that we needed a better tool to manage the traceability of the design. We built MatrixALM for ourselves and later on we created Matrix Requirements to launch our application independently.

Matrix Requirements team is 4 people which is quite honorable compared to our results so far: we have about 100 customers totaling about 700 users.

30% of our customers come from the US, about 30% from Germany, and the remainder from the rest of Europe, Israel, Australia, India and Canada.

My role in the team is more on the back-office, network, databases, Linux servers. Needless to say I’m very concerned about security.

What are the reasons that led you to embark on the bug bounty exercise?

Even though we are quite small, we are certified ISO13485:2016 and on the way to ISO27001, and this type of standard mandates that we study the risks of our processes. Of course one obvious risk in our type of business is an intrusion into our information systems.

We’ve had intrusion attempts in the past and we protected ourselves with quite elaborate active rules on our firewalls. We’ve had an audit from a group at KULeuven, and one of their recommendations was to go through a bug bounty exercise.

Why did you choose YesWeHack?

We first asked a well known US bug bounty company but the pricing was out of reach for us. Then we discovered YesWeHack, through the OVH DLP accelerator (we are also members). We contacted them and found out quickly that their offer matched what we were looking for: a group of researchers that could investigate our security in BlackBox mode. In particular we wanted to be able to talk to the researchers in English and that is a given on that platform.

What are the results of your private phase?

The private phase was achieved with a group of 10 researchers, and they came back with 5 vulnerabilities. Frankly, we were relieved that none of the reported vulnerabilities were severe, which confirmed that we already had quite a good security maturity.

Of course we can never rest in this field, but what was returned to us were subtle weaknesses that would not, by themselves, allow anyone to actually enter our site.

We rewarded the researchers anyway, understanding that sometimes a combination of small weaknesses could lead to an actual attack vector. The exchanges with the researchers were very fruitful, and they gladly checked that our fixes were effective as well.

That dialogue is really the positive aspect of the exercise: we forced ourselves to reply quickly to the remarks, and they were very quick to answer back and offer suggestions to solve the issues if needed.

What are you expecting from the public phase?

Opening the bounty to all the ethical hackers on the YesWeHack platform should lead to much more feedback for us, and should help us further solidify our application and its API. I hope nothing too bad will come out of it, but of course I prefer hearing about it this way: we have to detect potential security issues as soon as possible.

A bug bounty program is a practical way to put your work to the test. We hope to learn a lot from this public phase – through ways that we wouldn’t have thought about ourselves.

Today more than ever (think Facebook, British Airways, …) we must stay humble and remember that ‘security through obscurity’ doesn’t exist, and that it’s only by putting your cards on the table and being proactive that you can ensure a decent level of security.

***

Go to MatrixALM’s Bug Bounty Public Program!

***

YesWeHack officially opens an office in Lausanne, Switzerland

Building on recognition already earned in many countries, YesWeHack aims to win over Swiss organisations concerned with continuously strengthening their security and looking for innovative services.

In this context, YesWeHack is proud to announce the opening of an office in Lausanne.

Through this local presence, YesWeHack will best serve Swiss public and private organisations by making its Bug Bounty platform, Bounty Factory (the first in Europe), available to them.

In light of the recent incidents affecting Singapore’s health services and the British Airways website, in which millions of personal records were disclosed, Swiss companies and organisations must be more mobilised than ever to secure their systems. Through its Bug Bounty platform, YesWeHack brings an innovative, simple and effective solution, destined to become indispensable in the defensive arsenal of Swiss companies and administrations.

Guillaume Vassault-Houlière, CEO of YesWeHack

Bug Bounty, the YesWeHack way

Bounty Factory, YesWeHack’s Bug Bounty platform and the first in Europe, puts a community of more than 5,400 cybersecurity researchers at the service of organisations wishing to improve their security.

A Bug Bounty program maximises your return on investment by paying researchers for results. It ideally complements traditional security audits, which are by nature limited in time and come with no guarantee or obligation of results.


YesWeHack joins the Pôle d’Excellence Cyber!

It is with undisguised pride that YesWeHack announces its admission to the Pôle d’Excellence Cyber.

We were co-opted, and we will honour this trust within the PEC by contributing to the reach of French and European know-how in cybersecurity.

YesWeHack will in particular bring its expertise to two disciplines: the recruitment of specialised cybersecurity talent, and coordinated vulnerability disclosure.

Already present at the heart of the Breton ecosystem with a base in Rennes, YesWeHack continues to build links and cooperate with all players in the region.
