digital.security and YesWeHack are glad to be among the three winners of the tender for the Free and Open Source Software Audit (FOSSA OSS-BB). FOSSA OSS-BB's main goal is to help improve the overall security of the Internet by focusing on free and open source tools used by citizens and public entities of the European Union.
For this edition of FIC 2019, YesWeHack is organizing, for the first time in the history of FIC, a special event dedicated to Bug Bounty.
The International Cybersecurity Forum, the European reference event bringing together all stakeholders in digital trust, will take place on 22 and 23 January.
This unprecedented bug bounty campaign will take place in a dedicated space reserved for dozens of security researchers, so that they can work on several scopes and, where applicable, earn rewards according to the criticality of the reported vulnerabilities.
For this first edition, the scopes are submitted by NGOs and CivicTech projects wishing to harden their systems and thus better protect their information assets and their reputation.
YesWeHack has chosen this year to help NGOs and CivicTech projects as a priority, because many European citizens use tools developed by this sector to contribute to the common good, democracy, and associative and charitable projects.
“For all actors, customers, developers and researchers, this Bug Bounty campaign within the 2019 FIC is a great and useful opportunity to exchange and confront the reality of threats in order to significantly increase the level of security and privacy by design.” Guillaume Vassault-Houlière, CEO @YESWEHACK
The bug bounty area will welcome bug hunters, who will cooperate with “program managers” from the selected projects with the support of Romain Lecoeuvre, CTO of YesWeHack.
The rewards will be of two types: a total prize pool of several thousand euros to reward the best researchers, and goodies for the collectors among the participants.
OVH bug bounty manager from March 2016 to March 2018, Vincent Malguy shares his experience in this interview, with tips for anyone wondering how to set up and manage a program.
In the early 2010’s, many companies in the IT sector like Facebook or Google started to launch bug bounty programs and within OVH this appeared as an obvious need. However, it took time to frame the project and to meet all the operational conditions to take the leap.
In 2015, when I was recruited by OVH, it was time to put in place all the building blocks to launch a bug bounty calmly.
At the time, we identified two issues: vulnerability export and the legal complexity of paying rewards.
Of course, we evaluated the possibility of launching it without external help but we quickly gave up the idea because it is not our core business.
In any case, since the beginning, it has been clear in our minds that a real bug bounty program is, in the long run, a program open to a wide audience.
In January 2016, we met with Korben and Freeman. They presented YesWeHack’s roadmap to launch the first European bug bounty platform.
The timing was perfect and we decided together to launch OVH’s public program on the occasion of “la Nuit du Hack” in June 2016.
In this exercise we had the support of the management and technical teams.
Based on that internal mobilization, we started to carry out an additional audit on the initial scope in order to ensure its maturity. We then worked with the communications, legal and accounting teams. Once these prerequisites were gathered and validated, with YesWeHack, we started with a one-month private window.
Photo Courtesy of Douwe De Boer
What is your background?
I am a web developer, security researcher, and a computer science student at the ETH Zürich. In my spare time, I like to contribute to open-source projects, hunt for security vulnerabilities, and triage reports. For a long time, one of my biggest goals has been to learn something new as often as possible and get to know people who share a similar passion for what they do.
How long have you been bug hunting and what are you driven by?
I have been bug bounty hunting for roughly one and a half years, but I have been interested in security for quite a while. Curiosity and learning something new are what drive me the most. I find myself constantly wanting to try something new and learn as much about the topic as possible.
Can you explain the genesis of security.txt?
YesWeHack is a group of passionate people who have all become professionals. As passionate people, we have principles, and it is precisely these principles that keep us on the right path in our social, economic and financial development.
Some of you have noticed that we operate in a competitive world without forgetting our fundamentals.
We are committed to defending the commons, chiefly net neutrality, press freedom and open source (software and hardware).
To us, those three pillars, amongst others, are strong allies for civil society and especially for NGOs defending and promoting human rights.
This is the reason why we do care about helping NGOs and non-profit organizations who share the same principles.
Cooperation is good for all of us!
In 2017, our community of security researchers participated in three bug bounty programs powered by our Bounty Factory:
In June 2017, the first program was launched by OCCRP and exposed one of the organization’s tools: VIS.OCCRP.org
OCCRP was involved in the Panama Papers and the Paradise Papers, among many other projects.