As OVH's bug bounty manager from March 2016 to March 2018, Vincent Malguy shares in this interview the lessons he learned, along with tips for people wondering how to set up and manage a program.
In the early 2010s, many companies in the IT sector like Facebook or Google started to launch bug bounty programs, and within OVH this appeared as an obvious need. However, it took time to frame the project and to meet all the operational conditions to take the leap.
In 2015, when I was recruited by OVH, it was time to put in place all the bricks to calmly launch a bug bounty.
Back in the day, we identified two issues: the issue of vulnerability export and the legal complexity when paying rewards.
Of course, we evaluated the possibility of launching it without external help but we quickly gave up the idea because it is not our core business.
In any case since the beginning, it has been clear in our minds that a real bug bounty program is, in the long run, a program open to a wide audience.
In January 2016, we met with Korben and Freeman. They presented YesWeHack’s roadmap to launch the first European bug bounty platform.
The timing was perfect and we decided together to launch OVH’s public program on the occasion of “la Nuit du Hack” in June 2016.
In this exercise we had the support of the management and technical teams.
Based on that internal mobilization, we started to carry out an additional audit on the initial scope in order to ensure its maturity. We then worked with the communications, legal and accounting teams. Once these prerequisites were gathered and validated, we started with YesWeHack on a one-month private window.