New YesWeHack Api Extension for Burp

YesWeBurp

Today we are proud to release the version 1.0.0 of our BurpSuite extension.

This will allow you to access all the programs details from YesWeHack directly inside of BurpSuite.
But also instantly configure the scopes and the required headers according to the program rules. No more copy pasting between the website and your favorite tool!

+ Read More

New features for quicker and improved Bug Reporting !

Our Dev Team issued two new features for you to save time and gain quality while reporting vulnerabilities.

As shown below, now you can access a new menu entry called “My Yes We Hack“. This section provides a template manager up to five templates. According to our experience, 5 templates should be sufficient and useful for a majority of bug hunters.

In this section, based on Markdown, you can add or edit your templates.

Now, let’s see a second useful feature to better illustrate and/or document your reports.

+ Read More

[ITW] Daniel Kalinowski: “Participating in bug bounties improves your skills and increase the overall knowledge.”

Let’s meet with Kalin, Bug Hunter from Poland.

What’s your background ?

I’m 25 yo ,I didn’t study, it’s kind of a waste of time in Poland. Well, depends if hacking the school PCs in junior high school counts? xD
I have started my carrier in IT industry as a Data Center Operator, then I got promoted to Junior Dev. They had to do it because I have pwned their application once, and after promotion with the access to source code I was able to find few more critical bugs. Also with the help of Shellshock I was able to download/view the files of the CTO that were stored on one NAS.

3 years ago I have joined a awesome security company, and in my current position I’m responsible for : Mobile apps testing / Web apps testing / Code reviews / General technical advisory on the customer side.

My nickname Kalin comes from my surname KALINowski. I can be also found on the Internet by @llamaonsecurity/@llamasbytes handle.

Why are you interested in bug bounty ?

It started bug bounties as a time-killer in my first job, then I forgot about it and came back to it when I started the carrier in IT security. Participating in bug bounties improves your skills and increase the overall knowledge. Once I had to dig into the PNG file format structure to execute the XSS payload on web servers. It was quite an unique experience. Financially speaking, 1 euro is equal to 4.15 PLN (my local currency) so participating in bug bounties can be profitable.

+ Read More

New YesWeHack platform : scale up your bug bounty programs

Thanks to the impressive work of our team,  our Bug Bounty platform has been revealed with new features for program Managers.

So we would like to share with you the new features below 🙂

New program structure
We have reviewed the structure of the programs by adding several fields.

A « Scope » field to define its types and perimeters (links, webapp, iOS Apple Store, Android)
An « Out of scope » field if applicable
« Qualifying Vulnerabilities » for a reward
« Non-Qualifying Vulnerabilities » for a reward
And a mandatory compensation grid based on criticality (Low / Medium / High / Critical)

Please update your Bug Bounty program by filling the new fields to better manage your perimeter.

New report workflow
We have reviewed the workflow for qualifying bug reports.
It is said that a picture speaks a thousand words so please take a look below:

[Optional] Free VPN
We offer all our customers a free VPN, which will allow you to provide hunters a dedicated connection to meet your program’s legal framework, but also to be able to open dedicated environments (IP filtered).

Profile page
Each hunter now has a profile page through which all his activity within the platform is highlighted including his ranking.
This allows YesWeHack’s client companies to select the hunters and to invite them into their programs based on their impact score or activities.

Two-factor authentication (TOTP)
We have integrated a two-factor authentication to increase the security level of your YesWeHack account.

New report structure
The details of the bug reports have also been reviewed, providing more clarity to the program manager. The ergonomics of the tools used for qualifying reports have also been redesigned to offer you a greater efficiency. These new programs/report structures linked to the provision of a public API allows an optimal capitalization of vulnerability reports (DevSecOps).

New dashboard
The new dashboard offers you all the statistics related to the reported bugs (severity, status, classification… etc.) but also concerning the amount of paid rewards.

API
We do provide an API so that you can develop or connect your own tools.

Members at all levels
We have improved granularity in member management. You can invite members to your business unit, but also to your programs and reports. The number of members is unlimited.

We hope that you will enjoy this new version as much as we do. Please be aware that we are still ready to listen to your feedbacks, questions and/or comments.

***

Click here to discover the new YesWeHack Bug Bounty Platform

***

YesWeHack Version 2 : And improvements for all Hunters !

Dear hunters,

Over the last months, we’ve been hard at work developing our new bug bounty platform. While engaging with you, we’ve made big changes to some parts of our services that needed improvements even a redesign.

Today, we would like to share some of these changes with you, and cover the benefits of the update.

We have a brand new logo!
Our branding is evolving with a new logo and design and we do think it provides a better look and we hope you will like it.

YesWeHack New Logo

We’ve been listening to your feedback about the previous platform experience and thanks to You we were able to develop a brand new user experience.

Profile page
Each hunter now has a profile page through which all his activity within the platform is highlighted including his ranking.
This allows YesWeHack’s client companies to select the hunters and to invite them into their programs based on their impact score or activities.

Bug Hunter Public Profile

Two-factor authentication (TOTP)
We have integrated a two-factor authentication to increase the security level of your YesWeHack account.

TOTP new security 2FA for bug hunters

New programs display
The display of a program’s details has been completely redesigned to provide a better user experience.
In addition to the traditional information related to a Bug Bounty program, we improved -in a very visual way- the current activity on the program (number of reports, thanks… etc.) but also the reward bracket that the security expert can expect.

New billing process
We have completely reviewed the billing process. This will allow you to comply with the requirements of the tax authorities.

Billing process for Bug hunters

Program versioning
It is not always easy for the hunter to follow the evolution of a bounty bug program over time. That’s why we implemented a versioning feature on the program display.

Versioning of bug bounty program

***

We hope that you will enjoy this new version as much as we do.

We Wish You a Happy Hunting !

Please be aware that we are still ready to listen to your feedback, questions and/or comments.

***

Stay Tuned !
Soon, we will post about the new features improving our clients’ experience.

SaXX, number one of YesWeHack’s all time ranking.

This month, we publish an interview with one of the best researchers of our  Bug Bounty Platform called SaXX who is only 27 years old.

In the all time ranking, SaXX culminates in the first place and he intends to defend his ranking well. Like Rafael Nadal, SaXX never gives up and works hard to exercise his passion with his true mischievous side!

1. Where did you get your nickname?

Well, that’s a question a lot of people ask.
I only tell the genesis of this nickname in certain circles.

2. What’s your background?

I have a career path that some would describe as classic. I had a BAC S (maths specialization) then a BTS IG at that period of time. After the BTS, I didn’t really know what to do so I let myself be tempted by an Information Systems Management school in Lorient – France. + Read More

Interview of EdOverFlow : Bug Hunter & mastermind of security.txt

Photo Courtesy of Douwe De Boer

What is your background ?

I am a web developer, security researcher, and a computer science student at the ETH Zürich. In my spare time, I like to contribute to open-source projects, hunt for security vulnerabilities, and triage reports. For a long time, one of my biggest goals has been to learn something new as often as possible and get to know people who share a similar passion for what they do.

How long have you been bug hunting and what are you driven by ?

I have been bug bounty hunting for roughly one and a half years, but I have been interested in security for quite a while. Curiosity and learning something new are what drive me the most. I find myself constantly wanting to try something new and learn as much about the topic as possible.

Can you explain the genesis of security.txt ? + Read More

Edouard Camoin, CISO of Outscale.com, on the bug bounty switching process from private to public status

https://twitter.com/skelkey

Edouard Camoin, CISO of Outscale.

– What’s your role as CISO within Outscale?

First of all, Outscale deals with IaaS : like AWS we provide API and we have Branch offices in France, USA and China. Each Branch office is subject to a specific digital sovereignty.

I’ve been wearing two hats : Guarantor of the internal security and guarantor of the security for the customers.
Globally speaking the human resources are at the core of my job.

– What was the need assessment that led to the opening of a bug bounty program?

+ Read More

Xavier Leune, CCM Benchmark Group, on the benefits of bug bounty

Xavier Leune - CCM Benchmarck group -

Xavier Leune – CCM Benchmarck group –

What is your role in CCM benchmark ?
I am deputy CTO and i’m in charge of technical monitoring with Damien Mangin, CTO of CCM Benchmark Group.

What were the reflexion and the needs assesment that brought about a bug bounty program ?
Like any other actor on the Internet, we are experiencing increasing threats like hacking tries or malware targeting our platforms. As we are the first French leaders media company (according to Comscore), we are particularly exposed to cyber threats. Therefore, we are meant to have a proactive approach in terms of security in order to protect our users’ data.
The bug bounty Program we opened was a very important step complementary of others methods we set up (pentests, trainings). In terms of security by design, this exercise is really useful for our devs because thanks to the bug reporting they can improve the degree of security of their own code. + Read More

YesWeHack : What about the legal features ?

YesWeHack.com – the first European Bug Bounty platform – was launched in early 2016.

Unlike some other platforms, YesWeHack.com presents some specific and legal features that are designed to strengthen its relevance, security and legitimacy.

Above all, Bountyfactory.io focuses on security and legal framework :

Our Servers are based in Europe. Therefore, No data exposure to the US services via FISA, Patriot Act, Freedom Act.

+ Read More