Showcasing your vulnerability disclosure policy to the world

Every business needs a vulnerability disclosure policy. Thankfully, a growing number of organisations have one. Yet those programmes are not always a click away. Here is a unique plugin for both Chrome and Firefox, because making it easy to report issues need not be much work.

We are all too familiar with the data breach debacles that organisations go through all too often. Besides, the initial notice frequently comes from an “anonymous report” or from a disgruntled ethical hacker tweeting about your mishandling of their repeated vulnerability notifications.

Those are situations we observe regularly, yet many organisations still struggle to prepare for them and for the PR mess that inevitably follows. Shooting the messenger, issuing statements that look as if they had been randomly generated, or not responding for months are all symptoms that you are ill-prepared to handle reports from the broader security community.

The good news: I can haz a VDP

One robust approach to preventing stinky headlines and loss of trust from customers and partners is a vulnerability disclosure policy (VDP). That policy is a commitment that your organisation will receive, evaluate and, if need be, fix vulnerabilities reported by security folks external to the business.
A VDP also makes clear that you will not go after ethical hackers who are willing to help you improve the security of your service or product.

For a VDP to be efficient, it needs a few essential elements:

  1. Scope: clearly state what is covered, identifying the assets your VDP applies to.
  2. Safe harbour: specifically directed at ethical hackers, this part confirms your commitment not to prosecute well-intentioned researchers who report a vulnerability. It is particularly important because legal clarity across organisations and countries is extremely challenging to achieve.
  3. How To: the precise reporting mechanism your organisation has set up and, ideally, the details you would want to see in a vulnerability report. The aim is to make that report as useful as possible to the organisation’s technical team.
  4. DO’s and DON’Ts: anything you find relevant to smooth communication.

You guessed it: setting up such a policy implies that you have thought through roles and responsibilities internally. Rather than a burden, setting up and running a VDP is a way of developing talent, breaking silos and improving security altogether.

The better news: Showcasing your VDP has never been easier

You have a VDP; now you need to feature it prominently on the organisation’s website so it is accessible to anyone who needs it. One way of doing so is to create a dedicated web page, as F-Secure does.

Another way is a simple tool that comes in handy: security.txt. You fill in the form, download the file and upload it to the business’s website. Your security.txt can contain contact details or a link to your ongoing Bug Bounty programme. Indeed, a Bug Bounty programme is a vulnerability disclosure policy with a monetary reward system.

Whichever way you choose, you will want it to be known. Well, now there is a plugin for that! Enter YesWeHack VDP Finder, the go-to Chrome and Firefox plugin. Whenever you browse the web, the plugin indicates whether the site you are visiting has a VDP. Because making it easy to report issues does not need to be much work!

Download the Firefox plugin from Mozilla.org.
We have marked cases where a VDP exists without a security.txt as “room for improvement”, to highlight that security.txt is a (draft, for now) standard. It makes locating a VDP even easier, since no extra browsing is needed to find the contact details: the security.txt file is always at www.mywebsite.tld/.well-known/security.txt
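The following is an added example (not YesWeHack’s plugin code) showing how a site owner can parse their own security.txt and classify it into the three states the plugin reports. The field names follow the security.txt draft; the sample file contents, hostnames and the vdp_page_known flag are constructed for this example.

```python
# Added example, not YesWeHack's code: parse a security.txt and classify a site
# the way the VDP Finder article describes. Sample data below is constructed.
import re

SECURITY_TXT_PATH = "/.well-known/security.txt"

# Constructed sample, as it might be served at
# https://www.mywebsite.tld/.well-known/security.txt
SAMPLE_SECURITY_TXT = """\
# Constructed example file for illustration only
Contact: mailto:security@example.invalid
Contact: https://example.invalid/report-a-vulnerability
Policy: https://example.invalid/vdp
Preferred-Languages: en, fr
"""


def security_txt_url(host):
    """Build the well-known location for a host (hypothetical helper)."""
    return "https://" + host + SECURITY_TXT_PATH


def parse_security_txt(text):
    """Return {field: [values]} from 'Field: value' lines.
    '#' lines are comments; field names are case-insensitive and are
    normalised to lower case. Malformed lines are skipped, not fatal."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z-]+)\s*:\s*(.+)$", line)
        if not m:
            continue
        fields.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return fields


def classify(security_txt_text, vdp_page_known=False):
    """Mirror the three states the article describes: 'vdp' (a security.txt
    with a Contact), 'room for improvement' (a VDP page is known but no
    usable security.txt) and 'none'. vdp_page_known stands in for the
    plugin's own list of dedicated VDP web pages (constructed assumption)."""
    if security_txt_text is not None:
        if parse_security_txt(security_txt_text).get("contact"):
            return "vdp"
    return "room for improvement" if vdp_page_known else "none"


def missing_fields(fields):
    """Fields a site owner reviewing their own security.txt would want."""
    return [f for f in ("contact", "policy") if not fields.get(f)]
```

To check a live site, fetch security_txt_url(host) with any HTTP client and pass the body to classify; a 404 maps to passing None.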

YES, we have a changelog.

Hunters and Program Managers can now track our interfaces and backend evolutions.

We’re working hard, under the hood, to offer you the best experience possible.

From the first platform iteration, we have already come a long way, paved with new feature milestones.

You can now track them all on a unified interface: the YesWeHack Changelog.

You can get back to the changelog from the top blog menu.

New YesWeHack API Extension for Burp

YesWeBurp

Today we are proud to release version 1.0.0 of our BurpSuite extension.

It lets you access all program details from YesWeHack directly inside BurpSuite,
and also instantly configure the scopes and required headers according to the program rules. No more copy-pasting between the website and your favourite tool!


New features for quicker and improved Bug Reporting!

Our dev team has released two new features to save you time and improve quality when reporting vulnerabilities.

As shown below, you can now access a new menu entry called “My Yes We Hack”. This section provides a template manager with up to five templates. In our experience, 5 templates should be sufficient for the majority of bug hunters.

In this section you can add or edit your templates, which are written in Markdown.

Now let’s look at a second useful feature to better illustrate and/or document your reports.


New YesWeHack platform: scale up your bug bounty programs

Thanks to the impressive work of our team, our Bug Bounty platform has been unveiled with new features for program managers.

So we would like to share with you the new features below 🙂

New program structure
We have reviewed the structure of programs and added several fields:

A « Scope » field to define its types and perimeters (links, webapp, iOS Apple Store, Android)
An « Out of scope » field if applicable
« Qualifying Vulnerabilities » for a reward
« Non-Qualifying Vulnerabilities » for a reward
And a mandatory compensation grid based on criticality (Low / Medium / High / Critical)

Please update your Bug Bounty program by filling in the new fields to better manage your perimeter.

New report workflow
We have reviewed the workflow for qualifying bug reports.
It is said that a picture is worth a thousand words, so please take a look below:

[Optional] Free VPN
We offer all our customers a free VPN, which lets you provide hunters with a dedicated connection that meets your program’s legal framework and also lets you open dedicated, IP-filtered environments.

Profile page
Each hunter now has a profile page on which all their activity within the platform is highlighted, including their ranking.
This allows YesWeHack’s client companies to select hunters and invite them into their programs based on their impact score or activity.

Two-factor authentication (TOTP)
We have integrated two-factor authentication (TOTP) to increase the security level of your YesWeHack account.

New report structure
The details of bug reports have also been reviewed to provide more clarity to the program manager. The ergonomics of the tools used to qualify reports have also been redesigned to offer greater efficiency. These new program and report structures, combined with the provision of a public API, allow optimal capitalisation on vulnerability reports (DevSecOps).

New dashboard
The new dashboard offers you all the statistics related to reported bugs (severity, status, classification, etc.) as well as the amount of rewards paid.

API
We provide an API so that you can develop or connect your own tools.

Members at all levels
We have improved the granularity of member management. You can invite members to your business unit, but also to your programs and reports. There is no limit on the number of members.

We hope that you will enjoy this new version as much as we do. Please be aware that we are still ready to listen to your feedback, questions and/or comments.

***

Click here to discover the new YesWeHack Bug Bounty Platform

***

YesWeHack Version 2: improvements for all hunters!

Dear hunters,

Over the last months, we’ve been hard at work developing our new bug bounty platform. While engaging with you, we’ve made big changes to parts of our services that needed improvement, or even a redesign.

Today, we would like to share some of these changes with you, and cover the benefits of the update.

We have a brand new logo!
Our branding is evolving with a new logo and design. We think it provides a better look, and we hope you will like it.

We’ve been listening to your feedback about the previous platform experience, and thanks to you we were able to develop a brand new user experience.

Profile page
Each hunter now has a profile page on which all their activity within the platform is highlighted, including their ranking.
This allows YesWeHack’s client companies to select hunters and invite them into their programs based on their impact score or activity.

Two-factor authentication (TOTP)
We have integrated two-factor authentication (TOTP) to increase the security level of your YesWeHack account.

New programs display
The display of a program’s details has been completely redesigned to provide a better user experience.
In addition to the traditional information related to a Bug Bounty program, we now show, in a very visual way, the current activity on the program (number of reports, thanks, etc.) as well as the reward bracket the security expert can expect.

New billing process
We have completely reviewed the billing process. This will allow you to comply with the requirements of the tax authorities.

Program versioning
It is not always easy for the hunter to follow the evolution of a bug bounty program over time. That’s why we implemented a versioning feature on the program display.

***

We hope that you will enjoy this new version as much as we do.

We wish you happy hunting!

Please be aware that we are still ready to listen to your feedback, questions and/or comments.

***

Stay tuned!
Soon, we will post about the new features improving our clients’ experience.

YesWeHack: what about the legal features?

YesWeHack.com – the first European Bug Bounty platform – was launched in early 2016.

Unlike some other platforms, YesWeHack.com offers specific legal features designed to strengthen its relevance, security and legitimacy.

Above all, Bountyfactory.io focuses on security and the legal framework:

Our servers are based in Europe. Therefore, there is no data exposure to US services via FISA, the Patriot Act or the Freedom Act.
