Category: opensource

OVH Bug Bounty RetEx by Vincent Malguy

As OVH bug bounty manager from March 2016 to March 2018, Vincent Malguy, through this interview, delivers his return of experience to share some tips with people who wonder how to set up and manage a program.

***

The genesis

In the early 2010’s, many companies in the IT sector like Facebook or Google started to launch bug bounty programs and within OVH this appeared as an obvious need. However, it took time to frame the project and to meet all the operational conditions to take the leap.

In 2015, when I was recruited by OVH, it was time to put in place all the bricks to calmly launch a bug bounty.

Back in the day, we identified two issues: the issue of vulnerability export and the legal complexity when paying rewards.

Of course, we evaluated the possibility of launching it without external help but we quickly gave up the idea because it is not our core business.

In any case since the beginning, it has been clear in our minds that a real bug bounty program is, in the long run, a program open to a wide audience.

In January 2016, we met with Korben and Freeman. They presented YesWeWack’s roadmap to launch the first European bug bounty platform.

The timing was perfect and we decided together to launch OVH’s public program on the occasion of “la Nuit du Hack” in June 2016.

Private phase

In this exercise we have the support of the management and technical teams.

Based on that internal mobilization, we started to carry out an additional audit on the initial scope in order to ensure its maturity. We then worked with the communications, legal and accounting teams. Once these prerequisites were gathered and validated, with YesWeHack, we started with a 1 month private window.

Read More

https://douwedeboer.pixieset.com/

Interview of EdOverFlow : Bug Hunter & mastermind of security.txt

Photo Courtesy of Douwe De Boer

What is your background ?

I am a web developer, security researcher, and a computer science student at the ETH Zürich. In my spare time, I like to contribute to open-source projects, hunt for security vulnerabilities, and triage reports. For a long time, one of my biggest goals has been to learn something new as often as possible and get to know people who share a similar passion for what they do.

How long have you been bug hunting and what are you driven by ?

I have been bug bounty hunting for roughly one and a half years, but I have been interested in security for quite a while. Curiosity and learning something new are what drive me the most. I find myself constantly wanting to try something new and learn as much about the topic as possible.

Can you explain the genesis of security.txt ?

Read More

Open Source, NGOs & Hackers : Unity is strength

YesWeHack is definitely a group of passionate people who all have become professionals. As passionate people, we do have principles and it is precisely these principles that keep us on the right path of our social, economic and financial development.

For some of you, you’ve been noticing that we are operating in a competitive world without forgetting our fundamentals.
We are willing to defend the common goods mainly the Internet neutrality, Press Freedom, Open Source (software & hardware).

To us, those 3 pillars – amongst others – are strong allies for Civil Society and especially for NGOs to defend and promote Human Rights.

This is the reason why we do care about helping NGOs and non-profit organizations who share the same principles.

Cooperation is good for all of us !

In 2017, our community of security researchers participated in 3 bug bounty programs powered by our Bounty Factory :

In june 2017, the first program was launched by OCCRP and it exposed one tool of the organization : VIS.OCCRP.org

As a matter of fact, OCCRP is involved in the original Panama Papers, Paradise Papers amongst many other projects.

Read More

Powered by WordPress & Theme by Anders Norén