Category: Security by design

The Réseau Thématique French Tech #Security #Privacy

Guillaume Vassault-Houlière, CEO of YesWeHack, is one of the ambassadors of the Réseau Thématique French Tech #Security #Privacy.

The network’s objective is to organize a Tour de France on the “security & privacy” theme in order to federate the ecosystem and to develop and promote internationally the cybersecurity know-how of French players.

This tour will in particular continue raising awareness of security and personal data protection among business users (SMEs, mid-sized companies and large groups). This is one of the keys to a successful digital transformation.

One of the network’s main missions is to identify startups focused on cybersecurity and personal data protection. The idea is to take an inventory of needs and to motivate “emblematic” entrepreneurs to become business angels and/or mentors.

Finally, the network and all its members promote the French Tech Accélération fund to entrepreneurs who are able to reinvest in the ecosystem.

Read more about the roadmap

Incentive Policy for Coordinated Vulnerability Disclosure

Assessment

For the past ten years or so, organizations have been trying to put operational policies in place to avoid “full disclosure” reports or “open bug bounty” submissions, approaches that leave much to be desired in terms of honesty and responsibility.

Speaking of responsibility, you may be familiar with the notion of “responsible disclosure” and wonder how it differs from the concept of Coordinated Vulnerability Disclosure.

The concept of responsible disclosure has too often been at the root of endless discussions:

On the one hand, vendors protest that “disclosing a vulnerability without providing a patch is not responsible”;
on the other, security researchers reply that “not fixing this vulnerability as quickly as possible is not responsible”.

During the precious time both sides spend arguing, the affected system is at the attacker’s mercy.

To move towards greater efficiency and get out of sterile debates, it is therefore important to stop speaking of “responsible disclosure”. This is why many organizations advocate the concept of Coordinated Vulnerability Disclosure (CVD), in order to promote and strengthen cooperation between the various actors in cybersecurity, all of whom share a common goal: making the Internet safer.

Coordinated Vulnerability Disclosure


Theory & Definitions

Coordinated Vulnerability Disclosure (CVD) is a process aimed at reducing risk and ultimately mitigating potential damage caused by a vulnerability affecting an information system. CVD is a process that cannot be reduced to the deployment of a patch or publication of a report, even though these events are indicators of the efficiency of cooperation.

A bug bounty platform such as Bountyfactory.io facilitates this process by bringing thousands of security experts and organizations together.
Cooperation is a key element of cyber governance.

Guillaume Vassault Houlière | YesWeHack CEO

Coordinated Vulnerability Disclosure is therefore the process of collecting vulnerability information from security researchers, coordinating the sharing of this information among the actors involved, and disclosing the existence of vulnerabilities (in software or even hardware) and their mitigation measures to the various stakeholders, including the public.

Coordinated Vulnerability Disclosure significantly increases the likelihood that a vulnerability response process succeeds. Its input is usually a vulnerability report written by a security researcher.

The output of CVD for a product (software or hardware) typically includes patches as well as report documentation or an entry in a vulnerability database.

NB: many operational vulnerabilities (a misconfiguration on a single site, for instance) can be corrected by the operator and do not necessarily result in public disclosure.

Vulnerability disclosure is a process by which vendors and people who discover vulnerabilities can work collaboratively to find solutions that reduce the risks associated with a vulnerability.

ISO/IEC 29147, the standard defining vulnerability disclosure

This process includes actions such as reporting, coordination and publication of information on a vulnerability, its mitigation or, ideally, its remediation.

Let’s zoom in on the concept:

Principles:

  • Reduce the risk of damage
  • Believe in good deeds and in good Samaritans
  • Avoid randomness
  • Boost cooperation
  • Follow the code of ethics
  • Learn from the OODA loop
  • Consider CVD as a process navigating between the “best” and the “worst”.

Goals:

  • Ensure that identified vulnerabilities are – well – addressed;
  • Reduce the risk of vulnerability;
  • Provide users with sufficient information to assess the risks associated with the vulnerabilities of their systems;

Stakeholders:

Coordinated Vulnerability Disclosure commonly begins with the detection of a vulnerability and ends with the deployment of patches or mitigation.

Therefore, several actors are involved in the CVD process:

  • Security researcher – the person or organization that identifies the vulnerability.
  • Reporter – the person or organization that notifies the vendor (often, but not always, the researcher).
  • Vendor – the individual or organization that created or maintains the vulnerable product.
  • System administrator – the individual or organization that must deploy the patch or take other corrective action.
  • Coordinator – an individual or organization (a CERT, or a bug bounty platform) that facilitates the coordinated response process.

Steps:

  • Discovery – Someone discovers a vulnerability in a product.
  • Report – The product vendor or a third-party coordinator receives a vulnerability report.
  • Qualification – The recipient of a report validates it to ensure its accuracy before prioritizing it for further action.
  • Remediation – A remediation plan (ideally a software patch) is developed and tested.
  • Public Awareness – Vulnerability and corrective measures are disclosed to the public.
  • Deployment – Corrective measures are applied to the systems concerned.

The reporting step deserves particular attention because it requires a secure channel (typically the vendor’s published PGP key, or an authenticated platform) so that the transmitted information cannot be intercepted by a third party.

However, there are some obstacles within the process:

  • No vendor contact available – either a contact could not be found, or the contact does not respond.
  • Termination of cooperation – participants in the CVD process may have other priorities competing for their attention.
  • Information leakage – whether intentional or unintentional, information meant for a small group of actors may be passed on to others who are not involved in the CVD process.
  • Independent discovery – any vulnerability that can be found by one individual can be found by another, and not everyone will tell you about it.
  • Active exploitation – evidence that a vulnerability is being actively exploited by adversaries requires accelerating the CVD process to reduce users’ exposure.
  • Deteriorating communication – CVD is a process of coordinating human activities; as such, its success depends on the quality of the relationships between the participants.
  • Marketing – in some cases, vulnerabilities are used as a marketing tool, which is not always conducive to the smooth running of the CVD process.

To sum up:

Vulnerability disclosure practices are no longer restricted to web applications. The Internet of Things and the constellation of SCADA systems, connected health devices, CCTV, connected cars and so on have become so dependent on software and the Internet that they widen the exposed perimeter and will inevitably face new attacks.

Coordinated Vulnerability Disclosure is a major ally for federating the largest possible number of cyberspace actors and stimulating the exchange of knowledge, so that both security and privacy are protected by design.

By encouraging cooperation, CVD enables all stakeholders not only to defend their common information assets but also to fight more effectively against the black market and the resale of zero-days.

*

The stage is now set, so let’s switch from theory to practice.

Security.txt: a promising Internet-Draft!

To address the lack of a reachable contact when disclosing a vulnerability on a website, security researcher EdOverflow, taking inspiration from the well-known robots.txt, proposed in early August 2017 that every website publish a security.txt file: a reference file describing the procedure for reporting a bug or vulnerability to the site’s operator more effectively.

This approach has the merit of giving security researchers clear guidelines on how to report security issues, and allows bug bounty programs to use the file as a basis for defining the scope that future researchers may test.

security.txt is an Internet-Draft submitted to the IETF for review, which means it is still at an early stage of development. You can contribute on GitHub!
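As an added example (not code from the page, from EdOverflow or from the draft itself), the following Python checks a security.txt file the way a researcher or a bounty platform would before trusting its contacts. It follows the field names as later standardized in RFC 9116 (Contact and Expires required, file served at /.well-known/security.txt), which postdates this page; the sample file, the example.org contacts and the URLs are constructed placeholders.

```python
from datetime import datetime, timezone

# Constructed sample security.txt; example.org and its URLs are placeholders, not a real site.
SAMPLE_SECURITY_TXT = """\
# Security contact for example.org (constructed sample)
Contact: mailto:security@example.org
Contact: https://example.org/security-report
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.org/pgp-key.txt
Preferred-Languages: en, fr
Policy: https://example.org/disclosure-policy
Canonical: https://example.org/.well-known/security.txt
"""

REQUIRED = ("Contact", "Expires")
SINGLE_VALUED = ("Expires", "Preferred-Languages")
HTTPS_ONLY = ("Policy", "Canonical", "Acknowledgments", "Hiring")


def parse_security_txt(text):
    """Parse 'Field: value' lines into {field: [values]}; comments and blank lines are skipped."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value'")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text, now_iso=None):
    """Return a list of problems a reporter should know about; an empty list means the file is usable.
    now_iso lets the caller pin 'today' (RFC 3339, e.g. 2024-06-01T00:00:00Z) for reproducible checks."""
    fields = parse_security_txt(text)
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
           if now_iso else datetime.now(timezone.utc))
    problems = []
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear only once")
    for contact in fields.get("Contact", []):
        # A bare e-mail address is a common mistake: the value must be a URI.
        if not contact.startswith(("https://", "mailto:", "tel:")):
            problems.append(f"Contact {contact!r} is not an https/mailto/tel URI")
    for expires in fields.get("Expires", [])[:1]:
        try:
            when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires {expires!r} is not an RFC 3339 timestamp")
            continue
        if when.tzinfo is None:
            problems.append(f"Expires {expires!r} has no timezone")
        elif when <= now:
            problems.append(f"file expired on {expires}; its contacts may be stale")
    for enc in fields.get("Encryption", []):
        if not enc.startswith(("https://", "dns:", "openpgp4fpr:")):
            problems.append(f"Encryption {enc!r} should be an https URL, dns: or openpgp4fpr: URI")
    for name in HTTPS_ONLY:
        for url in fields.get(name, []):
            if not url.startswith("https://"):
                problems.append(f"{name} {url!r} must be an https URL")
    return problems


if __name__ == "__main__":
    print(check_security_txt(SAMPLE_SECURITY_TXT) or "security.txt looks usable")
```

The Expires check matters in practice: a file that was never refreshed may point at a mailbox nobody reads any more, which puts the reporter back in the “no vendor contact available” situation described above. The checker refuses bare e-mail addresses and plain-http URLs because the whole point of the file is to give the reporter a channel an attacker cannot trivially spoof or intercept.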

Bug Bounty as part of your disclosure policy

As part of agile development on their own products, more and more vendors are choosing to be proactive by encouraging and cooperating with security researchers:

  • by relying on in-house resources and expertise;
  • by contracting directly with external researchers;
  • via a platform that connects researchers with a vendor. The vendor then pays only for results and can choose between options such as program management or even patch management if its internal resources are insufficient.

NB: creating and running a bug bounty program over the long term is considered an indicator of the maturity of a vendor’s vulnerability governance.

Since 2013, YesWeHack has been developing tools that greatly facilitate the implementation of an incentive policy for CVD.

YesWeHack, its community and ecosystem of services enable organizations and IT security researchers to better cooperate.

Thanks to the tools developed by YesWeHack, beneficiary organizations can more easily overcome the obstacles encountered by their CVD policy. In addition, organizations gain reputation by demonstrating their appetite and willingness for continuously improving their systems.

Bountyfactory.io, the first European bug bounty platform.

Differentiating criteria

  • Cooperation with European partners and providers as a matter of sovereignty.
  • Legal and technical infrastructure that meets the highest security requirements.
  • Security and confidentiality of communications based on encryption and compliance with ISO standards.
  • Securing financial transactions between organizations and security researchers.
  • Payment platform compliant with European anti-money laundering and anti-terrorist financing arrangements.
  • Support throughout the entire process: from the drafting of the program to assistance with corrective measures.
  • Operational ranking of the best researchers: Management of a security research community.
  • Reactivity that enables the best researchers to be mobilized in record time.
  • Ability to run different types of bug bounty programs (private / public / on-site / hardware and/or software).

Give it a try! Register on BountyFactory.io

What should I do if a product does not offer Bug Bounty or Security.txt?

Zerodisclo.com

A simple and effective tool to avoid full disclosure of vulnerabilities in the wild.

It is important to note that some products (software or hardware) have no bug bounty program of their own, which makes it difficult for a security researcher to report a vulnerability to the vendor. Nor does every country have a law that protects this kind of reporting, which is the purpose of Article 47 of the French Law for a Digital Republic, a provision initiated by ANSSI.

YesWeHack created Zerodisclo.com to make escalating a vulnerability secure and even anonymous, and to connect the different actors working for a safer Internet.

Thanks to Zerodisclo several obstacles are removed: no login is required, the submission is anonymized by going through the Tor (.onion) network, and the report content is automatically and mandatorily encrypted with the public PGP key of the chosen CERT. Note that Tor hides the network origin of the submission, not what is written in the report: a researcher who wants to stay anonymous must also keep identifying details out of the report body and any attachments.

The list of CERTs included in ZeroDisclo.com

Please find below the infographic of ZeroDisclo.com

Cybersecurity & Bug Bounty: Attack is the best form of defense

By Guillaume Vassault-Houlière | CEO of YesWeHack

Through our European platform BountyFactory.io, Bug Bounty is gaining respectability in France and Europe.

Bug bounty is an innovative, operational practice originating in the United States that rewards security experts who find security flaws in IT systems.

Within a complex geopolitical context, Europe and France can compete in defending a European model of digital sovereignty.

In the light of new threats, and given the reports of organizations that have been hacked and suffered irreversible damage, innovative cybersecurity policies and approaches need to be adopted.

Cybersecurity is a powerful ally for leading digital transformation.

Like the United States, France and Europe must capitalize on the IT security talent of the European zone, for these are the talents who will consolidate the digital fortresses of tomorrow.

Today, thanks to BountyFactory.io, the first European bug bounty platform, developed by YesWeHack, organizations have an additional tool in their defensive arsenal. Drawing on a community of more than 3,000 IT security researchers, organizations can significantly raise the security level of their information systems.

Commonly, organizations plan audits or penetration tests carried out by a limited number of IT experts during a restricted time window. Although this kind of audit is recommended, it is far from sufficient to protect information assets.

Keep in mind that cyber criminals do not ask for permission before damaging a targeted infrastructure.

Through a bug bounty program, an organization can thus simulate the real conditions of an attack while giving the researchers a legal framework. BountyFactory.io is the appropriate tool to harden information systems and build a relationship of trust between organizations and IT security experts.

BountyFactory.io, with the striking force of our community, allows any type of organization to test a web site, a mobile application, web services, connected things or embedded systems in order to reduce risks and increase data protection.

As soon as a vulnerability is discovered, the expert reports it in detail to the initiator of the program. Once the reported vulnerability has been confirmed and validated, the organization can fix the issue and, ideally, reward the expert.

In the framework of a Bug Bounty program, the organization only pays for the result and the more critical the flaw, the higher the reward.

BountyFactory.io provides its clients with total control over the entire process: control over the scope, rules, budget, accreditation of experts and, of course, the program can be stopped at any time.

Bug Bounty programs constructively increase developers’ skills.

Furthermore, thanks to bug bounty practice, an organization can communicate positively on its capacity to maintain the best level of security, as demonstrated by the US Army and the Pentagon in 2016.

BountyFactory.io assists you in the creation of totally private or public bug bounty programs. Among the clients we are allowed to mention are companies such as Orange, OVH, Qwant and ERCOM.

 

Confronting reality is the duty of every IT security professional

Interview with Stéphane Bourou | Technical Project Manager at Ercom

For 30 years, Ercom has built a leadership position in the communications, data and terminal security markets.
This position is based on complementary technological expertise in telco/cloud infrastructure, cryptography and software, and on shared values: innovation, expertise, commitment and confidentiality.

Our products and expertise are recognized in France and internationally by major companies, customers, partners and certification entities.

All our solutions are certified or in the process of certification by ANSSI.

Two examples that illustrate Ercom’s expertise:

  • Ercom equipped the Presidential aircraft with a secure telephone in 2002, thus offering the first highly secure mobile communication solution.
  • Ercom’s Cryptosmart (secure communications and mobile terminals) is the first ANSSI-certified “Restricted” (Diffusion Restreinte) solution available on consumer terminals, which makes it easier for users to adopt.

Our offer is based on three products: CryptoPass, CryptoSmart and CryptoBox.

What did you learn from the private phase of your bug bounty program?
The Bug Bounty in general complements the ANSSI certifications to which we submit each of our security solutions.
Our primary goal was to confront our CryptoBox solution with a relevant range of attackers who we might encounter during its use, in order to have a continuous evaluation of the level of resistance of our solution.

Several bug reports were provided to us, and one in particular proved to be of a significant level. This enabled us to improve our product and to demonstrate the thoroughness of our development teams with regard to security.

Why is going public a good move?
Private mode limits the number of bug bounty hunters; therefore, it does not really confront us with what we would definitely encounter during an operational deployment. By going public, we expect bug bounty hunters with more focused, varied and specialized skills on specific surfaces, such as web and smartphone applications. Through this important and real exercise, we will be able to increase the level of assurance obtained during the private phase.

What would be your arguments for convincing reluctant organizations to cross the threshold?
It’s always good to face reality, and this is especially important for a security solution. We are making the effort to use the bug bounty with the dual objective of improving our solution and gaining greater visibility and credibility. A bug bounty program makes it possible to mobilize a large number of IT security researchers for a limited period of time in an economical and repeatable way.
Our experience having been very positive, we will soon open a second program for our new product: CryptoPass.


Join the hunt on BountyFactory.io!


 

Qwant.com & BountyFactory.io to harden companies’ systems

Qwant.com’s Security & Privacy Fund is now real, and it aims at hardening companies’ systems through our BountyFactory.io!

Qwant has always believed that online services should be developed with maximum protection of the confidentiality of users’ personal data. That is why Qwant took a “privacy by design” and “data minimization” approach from day one, which requires thinking preventively about the technical means and business models that generate as little risk as possible for users’ privacy.

Qwant has run a bug bounty program since 2014, created with the help of the YesWeHack founders.

Each year Qwant offers bounties to the vulnerability hunters gathered at La Nuit du Hack in Paris. Those programs, run by the HackerzVoice and YesWeHack teams, have significantly helped Qwant build up skills and protect its users’ personal data even better.

And for the 15th edition of La Nuit du Hack, Qwant wants to offer other startups and organizations, thanks to its fund, the opportunity to challenge and increase the security of their services with the best hackers in Europe and in the world, in order to improve privacy on the Internet.

Qwant grants 10,000 euros to this fund, which will pay bounties to hackers who discover vulnerabilities in the services of startups or associations that share Qwant’s ethical values.

Organizations selected to benefit from this fund will of course be supported in setting up their bug bounty program.

You can find all the necessary details to apply for this Privacy & Security Fund at the operation’s official website: https://hackmeimfamous.com/

European Regulation for the Protection of Personal Data and Data Security


By

Eric A. Caprioli, Attorney Admitted to Practice Before Court of Appeals, Juris Doctor, Member of French Delegation to United Nations
&
Isabelle Cantero, Associate (Caprioli & Associés), Lead for Privacy and Personal Data Practice


The European General Data Protection Regulation (GDPR) was adopted on April 27, 2016 after four years of intense negotiations. Being a regulation directly applicable in each Member State (that is, requiring no national implementing law), it should harmonize personal data protection law across the European Union and bring the principles of protection into line with the realities of the digital era. It applies from May 25, 2018. For many companies, these new provisions will involve costs related to the investment required to bring their current tools and procedures into compliance with the new rules.

Single Flexible Protective Statute for All EU Member States

The regulation applies to every entity in the private and public sectors. It addresses Big Data, profiling, cloud computing, the security of cross-border data flows, data portability when changing service providers, and more. These issues sit alongside the new principles of protection in advance (privacy by design and by default), analysis-based protection (impact assessment), documented protection (mandatory documentation serving as evidence of compliance), cascading protection (processor liability and possible joint liability), stronger protection (rights of individuals and consent) and, finally, accountability (the obligation to prove that personal data is handled in compliance with the regulation).

As far as stronger protection of individuals’ rights is concerned, consent is the focus: it must never be implicit or general, and it must be provable (documented and traceable) by the controller. Further, in addition to the conventional rights of access, rectification/erasure and objection, the GDPR creates new rights (restriction of processing, portability, etc.).

As for sanctions handed down by the enforcement authority (in France, the CNIL), they can already reach EUR 3 million under the Digital Republic law of October 2016. Under the GDPR, violations of the obligations relating to individuals’ rights can be fined up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher, and violations of the regulation’s other obligations up to 2% of worldwide annual turnover or EUR 10 million, whichever is higher.

And to round off this brief summary of the changes, the current Correspondant Informatique et Libertés (CIL, an optional appointment) will be replaced by a Data Protection Officer whose functions will clearly be broader. The appointment is mandatory under certain conditions: in a public body or authority, whenever processing involves regular and systematic large-scale monitoring of individuals, whenever sensitive or criminal-record data are processed on a large scale, or whenever required by Union or Member State law.

Personal Data Protection Core Security

GDPR Article 32 on the security of processing lists the criteria that a controller and a processor must take into account to determine the level of security required: the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the likelihood and severity of the risks to individuals’ rights and freedoms. The logic is to tailor security measures to the risks identified for the processing of personal data in question.
Major change: the regulation provides for an assessment of the privacy risks arising from processing. The controller must perform a PIA (privacy impact assessment, called a data protection impact assessment in Article 35 of the GDPR) for all processing likely to result in a high risk for the individuals concerned. The GDPR deems some types of processing to be risky, and therefore subject to a PIA, because of the nature of the data (large-scale processing of sensitive or criminal-record data) or the purpose of the processing (profiling, large-scale monitoring of publicly accessible areas, etc.).
Since this is about safeguards, Article 32 lists measures to be implemented by the controller and/or the processor, such as pseudonymization or encryption of data, means of ensuring the ongoing confidentiality, integrity, availability and resilience of systems, means of restoring the availability of and access to personal data in the event of a physical or technical incident, and regular testing of those measures. Codes of conduct (GDPR Article 40) and certification (GDPR Article 42) are also mechanisms that can be relied on with respect to security.
Under GDPR Article 36, whenever a PIA shows that a high risk remains despite the planned mitigation measures, the controller must consult the CNIL before starting the processing. In practice this means informing the CNIL of the security measures planned for the processing so that it can assess whether they are sufficient for the processing to proceed.
Data security under the GDPR also requires that a personal data breach be notified to the supervisory authority (the CNIL) within 72 hours of the controller becoming aware of it (Article 33), unless the breach is unlikely to result in a risk to individuals, and to the data subjects themselves (Article 34) when it is likely to result in a high risk to their rights and freedoms; the supervisory authority may itself require that data subjects be informed. The obligation extends to the processor, which must notify the controller of any breach without undue delay after becoming aware of it. Such breaches result from one or more security incidents (unauthorized access to an IT system, extraction, copying or distribution of data). Detecting and fixing weaknesses before they are exploited avoids the breach, and with it the obligation to notify.
We understand the new regulation to require that the places where data are processed within an organization be mapped, so as to determine the specific priorities for bringing processing into compliance and the relevant support. As regards security, we consider bug bounty practice highly recommended as a way to detect weaknesses early and thereby prevent security incidents.

GDPR leads us to the following motto:

When security works, everything works!

Interview with Gilles Cadignan – CEO & Co-Founder of Woleet

First of all, can you introduce us to Woleet?

Woleet.io was founded in Rennes in 2016. Woleet is a data anchoring platform using the Bitcoin blockchain. To sum up, we provide a SaaS platform that receives digital fingerprints of data and anchors them in Bitcoin by linking these fingerprints to a transaction that has a certain date. To achieve this, Woleet builds a cryptographic structure that allows multiple fingerprints to be put together in a single transaction.

Using Woleet has many benefits:

  • Once anchored in the blockchain, the dated proof of existence can be verified free of charge by anyone who has the data, the anchor receipt and Internet access to retrieve the relevant Bitcoin transaction.
  • Confidentiality is preserved: Woleet only handles digital fingerprints, which can be enriched with metadata for information purposes.
  • No need to own bitcoins to use our service, as Woleet takes care of interacting with the blockchain by building the transactions.

Ok but why does the partnership Woleet and YesWeHack make sense?

Well, Yes We Hack is actually a nice team : they like to chat and laugh around a beer 😉

More seriously, the Woleet and YesWeHack partnership came about quite logically following a meeting held in Rennes in December 2016 in the framework of the EuroCyberWeek.

The technology and the start-up spirit offered by Woleet fit perfectly with YesWeHack’s know-how. You know, the concept of blockchain is too often used as a buzzword; too often, so-called experts talk about it but very few know what it really is. Concretely, the synergy between Woleet, YesWeHack and its partner Digital Security came together in record time (less than 3 weeks), and that synergy made it possible to integrate all the skills very effectively for the benefit of the Zerodisclo.com project.

Thanks to the meeting of Woleet and YesWeHack, the blockchain finally finds a relevant and concrete use case to better secure the Internet.

Woleet is very proud to have contributed, in its own way, to this initiative in the public interest. Obviously, it is also a smart and good way for Woleet to promote our skills and vision.

So from your point of view: why is zerodisclo.com a good use case?

Yes We Hack wanted its Zerodisclo.com service to have irrefutable proof of integrity and time-stamping for the vulnerability reports transmitted via Zerodisclo.com: an open proof, verifiable by anyone without an intermediary. The choice of anchoring the integrity and time-stamp data for these vulnerability reports was self-evident. By anchoring them in the blockchain, the service offers full transparency without revealing any information about the source or content of the discovered vulnerability. The anchoring of data in the blockchain, coupled with the electronic signature, thus ensures an increased degree of irrefutable traceability for each party, both for the security researcher and for the company concerned by the vulnerability.

Zerodisclo.com was launched during the FIC2017 and it showed very genuinely that an idea can become operational and efficient when all the stakeholders involved contribute with a common interest. This notable exercise reveals the quality of startups in France and furthermore in Europe.

Zerodisclo is therefore an ambitious project aimed at strengthening information systems by facilitating the reporting of vulnerabilities by some good Samaritans. Innovation is at this stage rather unique, Zerodisclo.com is a non-profit tool to better protect bug reporters by putting in the loop the official CERTs that will have the responsibility to warn the organizations concerned.

By the way, next March 29 in Paris, at Hackpero.com at Ecole 42, I will take the floor with Guillaume from YesWeHack to present the synergy we created within the ZeroDisclo.com project!

Can you tell us more about the evolutions of Woleet?

After a year of various experiments with several customers, Woleet is entering a phase of putting the various projects into production. By focusing solely on mature low-level uses, we differentiate ourselves from the purely experimental approach of the majority of current blockchain projects. Beyond the implementation of projects based on the Woleet platform, we are also involved in many projects such as the standardization work on proofs, carried out jointly with several other international startups and with bodies such as the W3C. At the R&D level, we are working on the next primitives that we intend to provide as an alternative to digital signatures, based on the Bitcoin protocol; we also provide tools for the management of digital assets, always on Bitcoin. To lead all these projects, we will have to grow our team and welcome passionate people who want to take part in what we think is a revolution at least as big as the Internet revolution.
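The anchoring scheme described in this interview, and the integrity and time-stamp proof it says Zerodisclo.com reports receive, as an added example that is not Woleet’s or YesWeHack’s code. The page says Woleet combines several fingerprints into one cryptographic structure per Bitcoin transaction but does not give the format, so this Python block assumes a SHA-256 Merkle tree (an odd node is paired with a copy of itself), a receipt made of the sibling hashes on the path to the root, and an OP_RETURN output carrying the root. The sample reports and the “transaction” script are constructed; a real verification also has to fetch that transaction and confirm it sits in a mined block, which is where the date comes from.

```python
import hashlib

# Constructed sample reports; in a real flow only their fingerprints leave the reporter's machine.
SAMPLE_REPORTS = [
    b"Vulnerability report A (constructed sample)",
    b"Vulnerability report B (constructed sample)",
    b"Vulnerability report C (constructed sample)",
]

OP_RETURN = b"\x6a"  # Bitcoin script opcode marking a provably unspendable data output


def fingerprint(data):
    """SHA-256 of the document: the only thing that needs to be shared with the anchoring service."""
    return hashlib.sha256(data).digest()


def _parent(left, right):
    return hashlib.sha256(left + right).digest()


def build_tree(leaves):
    """Merkle tree as a list of levels, leaves first and root last.
    An odd node is paired with a copy of itself; that pairing rule is an assumption of this example."""
    if not leaves:
        raise ValueError("nothing to anchor")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        level = levels[-1]
        if len(level) % 2:
            level = level + [level[-1]]
        levels.append([_parent(level[i], level[i + 1]) for i in range(0, len(level), 2)])
    return levels


def receipt(levels, index):
    """Anchor receipt for one leaf: its hash, the sibling hashes up to the root, and the root."""
    leaf = levels[0][index]
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        side = "right" if index % 2 == 0 else "left"  # which side the sibling sits on
        proof.append((side, level[index ^ 1]))
        index //= 2
    return {"target_hash": leaf, "proof": proof, "merkle_root": levels[-1][0]}


def op_return_script(root):
    """Script of the transaction output that anchors the root: OP_RETURN followed by a 32-byte push."""
    return OP_RETURN + bytes([len(root)]) + root


def root_from_script(script):
    """Read the anchored root back from an OP_RETURN output found in the blockchain."""
    if script[:1] != OP_RETURN or len(script) != 2 + script[1]:
        raise ValueError("not a single-push OP_RETURN output")
    return script[2:]


def verify_receipt(data, rcpt, anchored_root):
    """Recompute the root from the data and the receipt; anyone holding these three inputs can do it."""
    h = fingerprint(data)
    if h != rcpt["target_hash"]:
        return False
    for side, sibling in rcpt["proof"]:
        h = _parent(h, sibling) if side == "right" else _parent(sibling, h)
    return h == anchored_root


def anchor(reports):
    """Anchor a batch: returns the OP_RETURN script for the transaction and one receipt per report."""
    levels = build_tree([fingerprint(r) for r in reports])
    return op_return_script(levels[-1][0]), [receipt(levels, i) for i in range(len(reports))]


if __name__ == "__main__":
    script, receipts = anchor(SAMPLE_REPORTS)
    root = root_from_script(script)  # in practice: read from the transaction the receipt points at
    for report, rc in zip(SAMPLE_REPORTS, receipts):
        print(report[:22], verify_receipt(report, rc, root))
```

The confidentiality property the interview claims follows from the construction: the transaction carries only the root, and a receipt carries only sibling hashes, so neither reveals who reported what or what the report says, while any later change to a single byte of the report makes its fingerprint, and therefore the recomputed root, differ from the anchored one.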

Xavier Leune, CCM Benchmark Group, on the benefits of bug bounty

Xavier Leune – CCM Benchmark Group –

What is your role in CCM Benchmark?
I am deputy CTO and I’m in charge of technical monitoring with Damien Mangin, CTO of CCM Benchmark Group.

What were the reflection and the needs assessment that brought about a bug bounty program?
Like any other actor on the Internet, we are experiencing increasing threats such as hacking attempts or malware targeting our platforms. As we are the leading French media company (according to Comscore), we are particularly exposed to cyber threats. Therefore, we are meant to have a proactive approach in terms of security in order to protect our users’ data.
The bug bounty program we opened was a very important step, complementary to other methods we set up (pentests, trainings). In terms of security by design, this exercise is really useful for our devs because, thanks to the bug reports, they can improve the degree of security of their own code.

Why did you choose Bounty Factory? What made the difference compared to other bug bounty platforms?
We paid attention to several criteria provided by Bountyfactory.io. The first advantage was the fact that it is based in France, which strongly facilitated the set-up because we had a good feeling throughout the discussions with the YesWeHack teams. They did prove their capacity to mobilize some high-level hunters for a program such as ours. Finally, the European approach and the way the rewards are run were both arguments that assure us we are fighting against the financing of terrorism.

Did you ask for help in setting up your program (in terms of scope, timing, invitations)?
Since the launch of our bug bounty program on the 28th of September, we’ve been helped by the Bounty Factory dedicated team from the very beginning and on a regular basis. We did profit from their experience in order to better write up our program and better define our scope, so that hunters were precisely informed of our expectations. Moreover, we have been accompanied in defining our rewarding policy, to treat properly the feedback given by hunters who spend a long time securing our platforms.
Last but not least, we benefited from the Bounty Factory dedicated team in order to select and send invitations to high-ranked hunters.

How many hunters did you invite for the private phase?
For the private phase, we invited the whole YesWeHack private team, made of 10 people.

During the private phase, what did you notice in terms of reported vulnerabilities?
Obviously, at the very beginning of the program, simple and common vulnerabilities were reported, especially XSS vulnerabilities. As time went by, more sophisticated vulnerabilities appeared, and we were really surprised by some findings. We felt a very good involvement on the part of each hunter, who was driven by their appetite for being the first to report a critical vulnerability.
The figures: 58 reported bugs, of which 34 were subject to corrective measures. The others were mainly duplicates (18 out of 24).
The number of critical vulnerabilities was up to 5.
The best reward for one and only bug was up to 1000 €.

Did you appreciate the level of communication between you and the hunters?
The level of communication with the hunters was really appreciated by our team. At times, we experienced some difficulties with some vulnerabilities, in reproducing them or in understanding the prejudice they implied. The hunters were really good at answering our questions and at double-checking the patches we delivered.

Why did you choose to go public?
To us, going public is a natural evolution of our bug bounty program. We wanted to be able to understand correctly the art of running a bug bounty through Bountyfactory.io, especially by dealing with a restricted number of reported bugs at first, and with hunters we wanted to communicate with. Now, we are far more confident in terms of procedures and in terms of patching policy, so it makes sense to go public and be exposed to a maximum of skills to keep on securing our platform.

In terms of benefits, can you say that beyond the financial aspect there are issues of communication and reputation? How would CCM deal with these aspects?
It is important for us to show a proactive approach on such crucial issues. However, it is not planned at the moment to promote the opening of our bug bounty program towards our audience. Above all, we decided to go public for ourselves and our visitors.

***

So, Hunters 

Hack and take the cash

via BountyFactory

***

Bountyfactory.io: what about the legal features?

Load European Cybersecurity

Bountyfactory.io – the first European Bug Bounty platform – was launched in early 2016.

Unlike some other platforms, Bountyfactory.io presents specific legal and security features that are designed to strengthen its relevance, security and legitimacy.

Above all, Bountyfactory.io focuses on security and the legal framework:

Our servers are based in Europe. Therefore, there is no data exposure to US services via FISA, the Patriot Act or the Freedom Act.

  • BountyFactory uses OVH dedicated cloud, which is subject to Service Organization Controls, namely SOC 1 type II (SSAE 16 and ISAE 3402) & SOC 2 type II
  • Our infrastructure is ISO 27001 certified
  • Each vulnerability, each report and each comment is encrypted before being stored in our database, and only identified actors are granted access.
  • In terms of financial transactions: BountyFactory complies with the Payment Card Industry Data Security Standard (PCI DSS)
  • In terms of privacy, BountyFactory is subject to the EU Data Protection Reform (January 2012). While the Regulation enters into force on 24 May 2016, it shall apply from 25 May 2018. The Directive enters into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018.
  • Our payment system, MangoPay, is strictly compliant with the EU legal framework on anti-money laundering and counter-terrorist financing


***

Beyond those essential standards, let’s go deeper into BountyFactory.io in order to discover some useful and relevant features:

As a customer, once logged in as Admin-manager, you will be able to digitally sign the General Terms & Conditions of Use thanks to YouSign, a company based in France and subject to both French and European law.

The GTU signing process

Send Bug Bounty Confirmation Code

Validation of the signing Process


Still as a customer, you are free to credit and refund your account any time you need.

Bug Bounty Credit and Refund

By default, your bug bounty program will be private, so you can select the hunters (max 50 people) you want to invite.

For instance, you can choose the BountyFactory core team, made of 10 people.

Yes We Hack Bug Bounty Private Team

And let the game begin!

The chosen hunters will start searching for vulnerabilities within the scope you defined with the BountyFactory Manager.

Bug Bounty Program Management is a differentiating criterion, and this feature will be the topic of a forthcoming dedicated post.

To save time and gain efficiency, only confirmed, true vulnerabilities are taken into account.

Therefore, you will see the number of bugs found in your dashboard. Each bug is categorized according to OWASP criteria.

The screenshot below shows more details about the gamification feature focusing on the quality of reports submitted by Bug Bounty Hunters.

The admin-manager is able to rate a report and allocate one or several points to a well-written report on a vulnerability.

Validation of the Vulnerability Report

Over Communicate

Comments are very useful to discuss details with the researcher, and they significantly strengthen the level of communication between the requester and the hunters.

Comments of the Vulnerability Report

One important step is the following: the way you will be able to reward a good hunter.

Thanks to MangoPay technology and security, a hunter can be paid by credit card or through your wallet. MangoPay is a service provided by the French bank Crédit Mutuel Arkéa.

Rewarding Bug Bounty Hunter

The dashboard gives you an overview of bug types and statuses.

Dashboard


As a Game Master: manage your budget, your timing, your hunters.

For instance, the screenshot shows that you can keep an eye on your budget by checking statistics of the ongoing bug hunting (average and max rewards out of your total budget).


At any time, you can choose to switch from a private program to a public program.

Switching from Private to Public Status

This step is particularly critical, so the BountyFactory Manager will be notified.

In order to avoid mistakes, the YesWeHack Program Manager will double-check with the requester that it is a legitimate move.

To sum up, BountyFactory.io provides original features that will help customers manage their bug bounty programs with all the specs, layers of security and trustworthy norms.

Register and open your own bug bounty program!

***

/!\ Keep in mind /!\

We Have More Features to Show You

We will keep you posted, folks!


Read More > Our FAQ

The Internet of Elevators, of Cars, of Weapons!


Have you ever watched The Lift? It is a Dutch horror movie by director Dick Maas about an intelligent (or smart?) and murderous elevator that starts a killing spree. (Source: Wikipedia)

Scary, isn’t it?

Beyond fiction, the film “The Lift” aimed at questioning technology, systems you cannot regain control over.

Nowadays, we are told about the benefits of design thinking, internet of things and their tremendous power in terms of digital and economic development… Oh wait.

Unfortunately, the Internet of Things is driven by ravenous marketing hyenas, and very few IoT companies are inspired by what we could call Security Design Thinking.


Today, within the Internet of Things, the auto industry has to struggle to prevent itself from being hacked, both by criminals and by its own blind appetite for market share at the expense of its duty in the field of security.

Imagine the antithesis of the legendary film “Rebel Without a Cause”, where the hero no longer rides a car as a symbol of freedom but is the prisoner of a runaway wagon.

The revelations concerning the recent fraud by Volkswagen (by the way, VW is not an isolated case) highlighted what is at stake in terms of security in the fabulous world of the Internet of Cars.

Before reaching the point of no return, car companies and end users should deeply consider the following thoughts:

  • Cars like drones and planes are not harmless devices

In terms of security and safety, the auto and aeronautics industries have to be exemplary, and they must constantly improve their technology and their protocols. Unlike many devices of the Internet of Things, cars and planes are massive vehicles. They can cause real and serious damage when they are out of control, and they can unfortunately be used as weapons. Therefore, smart and connected cars could be potential massive killing machines.

  • Millions of cars as one botnet

Like any device of the Internet of Things, a car can be hijacked and enrolled in a botnet. In this case, a huge number of cars can be orchestrated as one and only system driven by just one freak. Remember Skynet! Needless to say, a terrorist attack could be coordinated via this kind of botnet.

  • Top priority: Privacy and Security by Design

IoT companies seem far from tackling the highly critical issue: how to secure the entire chain of their business, including their precious customers (known as end users), their reputation and their data.

The Internet of Cars could be, somehow, a strong ally for safety (reducing car accidents) and environmental issues (reducing the CO2 emissions footprint), but automakers don’t seem to prioritize it acutely, despite some attempts like the Automotive Cybersecurity Best Practices.

The auto industry has to embrace privacy and security by design; they must think through and implement these concepts before moving on to the unbridled production of hackable products.

Examples of compromised connected cars are legion, such as Tesla, Range Rover, etc.

To address these concerns and data compliance issues, car manufacturers need to address privacy and security issues and legislative requirements at the design stage – and not as an afterthought – and, in the EU at least, will need to develop technological solutions to empower individuals to track and manage their own data.
(Privacy by design – essential for the growth of the Internet of Things?, by Taylor Wessing)

  • The vital need for an offline button

In case of emergency, every single connected car should be provided with a kill-switch feature, meaning that at any time one could switch a smart car from a fully connected mode to a fully manual and offline mode, including the old-school and reliable steering wheel.

  • Fighting the diktat of obsolescence

Tackling the issue of obsolescence is highly relevant, especially when the world is facing global climate change. Beyond security, car manufacturers have to improve the reputation of their products and thus adapt their marketing policy by promoting the sustainable quality of their vehicles.

  • The fallacious comfort of voice control, key-less and wireless features

The Internet of Things is a constellation of connected devices, and it requires user-friendly innovation to make it easier for people to adopt. It is clear that voice control, key-less and wireless features are becoming core parts of the IoT UX, namely the user experience.

That generalization of wireless and key-less features is a real curse, for it exposes more and more IoT devices, and therefore smart cars, to criminals. There are numerous testimonies asserting that thieves use cloning electronic tools to illegally open and drive cars. Such tools can easily capture and reproduce voice spectrum, wireless signals and so on. Therefore, encryption and physical tokens are still good layers of security for multi-factor authentication (MFA).

Indeed, it has been said that multi-factor authentication is the worst form of security except all those other forms that have been tried from time to time. – The Churchill way of IT security 🙂
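As an added illustration of the point above (example code, not part of the original post), a small Python simulation: a car that accepts a fixed unlock code can be opened again with a recorded copy of that code, while a challenge-response exchange keyed with a shared secret rejects the replayed answer because each challenge is random and single-use. The secret, the messages and the class names are all constructed for the example.

```python
"""Why a recorded key-less unlock message works against a static code
but not against a keyed challenge-response exchange (constructed demo)."""
import hmac
import hashlib
import secrets

SECRET = b"constructed-demo-secret-key"  # shared by fob and car (constructed value)


class StaticCodeCar:
    """Car that accepts one fixed unlock code: a recorded copy works forever."""
    def __init__(self, code: bytes) -> None:
        self.code = code

    def unlock(self, message: bytes) -> bool:
        return hmac.compare_digest(message, self.code)


class ChallengeResponseCar:
    """Car that issues a fresh random nonce and accepts only an HMAC over it."""
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.pending = set()  # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def unlock(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.pending:  # unknown or already-consumed challenge
            return False
        self.pending.discard(nonce)  # every challenge is single-use
        expected = hmac.new(self.key, b"unlock" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def fob_answer(key: bytes, nonce: bytes) -> bytes:
    """What a legitimate fob computes for a given challenge."""
    return hmac.new(key, b"unlock" + nonce, hashlib.sha256).digest()


def replay_against_static() -> tuple:
    """Legitimate unlock, then a replay of the recorded message: both succeed."""
    car = StaticCodeCar(b"\xde\xad\xbe\xef")
    recorded = b"\xde\xad\xbe\xef"  # constructed: what an eavesdropper captured
    return car.unlock(recorded), car.unlock(recorded)


def replay_against_challenge_response() -> tuple:
    """Legitimate unlock succeeds; replaying the recorded (nonce, answer) fails."""
    car = ChallengeResponseCar(SECRET)
    nonce = car.challenge()
    recorded = (nonce, fob_answer(SECRET, nonce))  # eavesdropper records the exchange
    first = car.unlock(*recorded)
    car.challenge()  # the next session issues a different nonce
    return first, car.unlock(*recorded)
```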

  • Security is a continuous process

First, security through obscurity is no cure, because it hides potential and critical bugs.

Definitely, the car industry should strengthen its proof of concept by continuously testing the robustness of its technology. Open source code enables companies to improve their protocols.

By open-sourcing and submitting their code to communities (IT security experts, hackers, FLOSS developers), automakers will significantly increase the degree of their products’ security, especially thanks to bug bounty programs.

There was a landmark: for the first time in the history of the automotive industry, Fiat Chrysler invited hackers to test its cars within the framework of a bug bounty program with clear boundaries made of legal and financial norms, such as BountyFactory.io.

To sum up, the car industry has to find its Way within the IT security experience by questioning itself and applying the OODA loop scheme.

the Way is not an end but a process, a journey… The connections, the insights that flow from examining the world in different ways, from different perspectives, from routinely examining the opposite proposition, were what were important. The key is mental agility.
– John Boyd

(Source: The Tao of Boyd: How to Master the OODA Loop)

YES WE HACK © 2017 | Our Job Board | Our Bounty Factory | Events | Press