Category: Vulnerability Coordination (Page 1 of 2)

Partenariat : SODIFRANCE & YESWEHACK.

By

On November 19, 2018

In Bug Bounty, Bug Hunters, crowdsecurity, Disclosure, Europe, Partnership, Security by design, Vulnerability Coordination

Sodifrance et YesWeHack renforcent leur collaboration autour du Bug Bounty pour lutter efficacement contre les risques Cyber.

Sodifrance, au travers de sa marque d’experts Antéo Trust & Security et Bounty Factory by YesWeHack, principale plateforme ouverte de Bug Bounty en Europe, annoncent la signature d’un partenariat pour faciliter la détection de failles informatiques et offrir aux entreprises une réponse globale à leurs enjeux de cybersécurité.

Dans le cadre de leur transformation numérique, les entreprises de tous secteurs et de toutes tailles exploitent pleinement les capacités des nouvelles solutions numériques pour accélérer leur croissance et améliorer l’expérience client. En parallèle, le nombre de cyber-attaques augmente et leurs conséquences vont en s’aggravant : perte de chiffre d’affaires, de clients, vol de données, atteinte à l’image, et désormais risques juridiques avec les nouvelles réglementations telles que RGPD.

Face à ces nouveaux enjeux de sécurité, Sodifrance s’appuie sur la plateforme de YesWeHack pour proposer une solution innovante de services en cybersécurité. Elle permet aux entreprises de toutes tailles de mieux maîtriser le niveau de sécurité de leurs applications et environnements IT.

« Nous souhaitions proposer à nos clients une offre complémentaire aux audits de type Pentest ou Red Team » indique Hervé Troalic, Directeur de l’offre Sécurité de Sodifrance.

Hervé Troalic poursuit : “La solution clé en main de Bug Bounty que nous proposons, rendue possible par ce partenariat avec YesWeHack, apporte aux entreprises qui investissent dans des stratégies web et mobile, de réels atouts pour maîtriser la sécurité de leurs applications. De surcroît, elle s’avère parfaitement adaptée auprès des organisations qui adoptent les pratiques DevOps et qui souhaitent ne pas sacrifier la sécurité de leurs applications aux impératifs du time to market.”

Pour Guillaume Vassault-Houlière, fondateur de YesWeHack,

« Cette collaboration avec Sodifrance offre à nos clients un service sur mesure, complémentaire et à forte valeur ajoutée. Elle répond au souhait des RSSI et Directions générales de pouvoir s’appuyer sur des acteurs de confiance européens, à l’écoute de leurs clients et respectueux de leurs contraintes budgétaires. »

A propos de Sodifrance
Entreprise de Services du Numérique créée en 1986, Sodifrance compte plus de 1350 consultants répartis sur 14 implantations en France. L’offre de services se décompose en 6 grands métiers : le conseil technologique, la transformation numérique, le Data Management, la modernisation de SI, les services pour les applications et les services d’infrastructure. Sodifrance assure la transition entre les SI historiques et les nouveaux modèles IT, permettant aux organisations de toutes tailles de renforcer leur compétitivité et collaborer plus efficacement grâce aux solutions innovantes centrées sur la mobilité, la sécurité, le Big Data et le Cloud.

A propos de YesWeHack
Avec des bureaux en France et en Suisse, YesWeHack est la première plateforme européenne de Bug Bounty en termes de nombre de clients et de nombre de hunters, conforme aux standards de sécurité et normes juridiques européennes.

YesWeHack supports Paris’ call to strengthen cooperation between digital players.

By

On November 12, 2018

In Bug Bounty, Bug Hunters, crowdsecurity, Disclosure, Europe, Privacy by Design, Security by design, Vulnerability Coordination

YesWeHack supports the Paris’ Call for Trust and Security in Cyberspace.

With its founding members from the French and European Hacker community, YesWeHack promotes actions to share and transmit knowledge, as well as to strengthen digital sovereignty for the creation and maintenance of trusted environments.

Guided by its founding principles, YesWeHack is dedicated in uniting, cooperating with all digital actors and commit to better securing cyberspace.

Today, YesWeHack makes its CrowdSecurity platform available to all stakeholders who are committed to following the Paris’ Call. This platform brings together a community, the largest in Europe, made of 5000+ ethical hackers.

In a complex geopolitical context, facing the increasing cyber-threats and economic and political risks, YesWeHack is committed to defending an idea of the trust and security of cyberspace on a daily basis.

Our commitment is to the development of digital technology in order to defend our democracies, our informational assets and therefore the data protection for all citizens in the European Union and elsewhere.

Protecting our democracies is a major challenge in terms of cybersecurity and it is important to propose appropriate solutions to better secure digital tools used by citizens, both on a daily basis and during election periods.

Guillaume Vassault-Houlière, CEO of YesWeHack

***

The Paris Call

***

[ITW] High value bugs : like the hunters, these are the bugs we find most exciting !

By

On November 12, 2018

In Bug Bounty, Bug Hunters, crowdsecurity, Disclosure, Security by design, Vulnerability Coordination

Quentin Berdugo CISO @dailymotion

Can you describe dailymotion and the role you have within the organization?

Since 2005, dailymotion has been pioneering video streaming and delivery and is now making its comeback as a major video destination platform. I’m dailymotion’s CISO.

What is dailymotion’s history in terms of coordinated vulnerability disclosure and what milestones have you been through?

When we saw our first user notification *on Facebook*, we realized that we were lacking a proper channel for our users and the security community to notify us of potential issues.

For our users, we created a security category on our support portal, with instructions for the support team as to how to route these specific inquiries. For the security researchers, we had a security@dailymotion.com address created.

This went a long way and we had some surprisingly interesting notifications from the users, the InfoSec community and academia.

Since we later introduced a private bug bounty program, we were able to use it to reward these spontaneous notifications.

This didn’t really prevent the occasional researcher from tweeting about an issue before they even gave us a head’s up, but it really helped us build a strong experience on vulnerability disclosure that turned out to be very useful when writing our disclosure policy, that we published at the same time as we opened the bug bounty to the public.

We have made this disclosure policy available in our “security.txt” file, an draft internet standard aiming at facilitating the disclosure of security issues.

You have recently opened up your bug bounty program to the public, what’s your feedback?

Read More

“Ein Bug Bounty Programm ist eine gute Möglichkeit, um die eigene Arbeit auf den Prüfstand zu stellen”, bekräftigt Yves Berquin, Mitbegründer von MatrixReq.

By

On November 5, 2018

In Bug Bounty, crowdsecurity, Europe, IoT, Security by design, Vulnerability Coordination

Bitte stellen Sie Matrix Requirements und Ihre Rolle im Unternehmen kurz vor

Bevor wir 2014 Matrix Requirements (Matrixreq.com) gründeten, waren wir Projektmanager bei einem Medizintechnikunternehmen und hatten erkannt, dass wir für die Rückverfolgbarkeit des Designs ein besseres Tool benötigten. Daher entwickelten wir MatrixALM zunächst für den Eigenbedarf.

Die Gründung von Matrix Requirements zur unabhängigen Vermarktung dieser Anwendung erfolgte erst später.

Matrix Requirements ist ein vierköpfiges Team, das bereits 100 Kunden mit insgesamt 700 Nutzern akquiriert hat, was für ein so kleines Team eine beachtliche Leistung darstellt.
30% unserer Kunden kommen aus den USA und ähnlich viele aus Deutschland, der Rest entfällt auf die übrigen europäischen Länder sowie Israel, Australien, Indien und Kanada.
Meine Aufgabe im Team bezieht sich vorwiegend auf Back-Office, Netzwerke, Datenbanken und Linux-Server. Es versteht sich von selbst, dass Sicherheit bei mir höchste Priorität hat.

Was hat Sie dazu bewogen eine Bug-Bounty-Übung anzusetzen?

Auch wenn wir ein kleines Unternehmen sind, haben wir die ISO13485:2016 Zertifizierung erhalten und streben auch die Zertifizierung nach ISO27001 an. Diese Standards erfordern die eingehende Untersuchung der mit unseren Prozessen verbundenen Risiken. Ein offensichtliches Risiko in Unternehmen wie dem unseren ist natürlich das unbefugte Eindringen Fremder in unsere IT-Systeme.

Read More

“A bug bounty program is a practical way to put your work to the test” states Yves Berquin – CoFounder of MatrixReq

By

On October 2, 2018

In Bug Bounty, Bug Hunters, Disclosure, Security by design, Vulnerability Coordination

Yves Berquin - Cofounder of MatrixReq

Yves Berquin, Cofounder of MatrixReq – GmbH

Presentation of Matrix Requirements and your position

Before we co-founded our German company, Matrix Requirements (matrixreq.com) in 2014, we were project managers in a medical devices company and it was clear to us that we needed a better tool to manage the traceability of the design. We built MatrixALM for ourselves and later on we created Matrix Requirements to launch our application independently.

Matrix Requirements team is 4 people which is quite honorable compared to our results so far: we have about 100 customers totaling about 700 users.

30% of our customers come from the US, about 30% from Germany and the remaining in rest of Europe, Israel, Australia, India, Canada.

My role in the team is more on the back-office, network, databases, Linux servers. Needless to say I’m very concerned about security.

What are the reasons that led you to embark in the bug bounty exercise ?

Even though we are quite small, we are certified ISO13485:2016 and on the way to be ISO27001, and this type of standards mandate that we study the risks of our processes. Of course one obvious risk in our type of business is the intrusion of our information systems.

We’ve had intrusion attempts in the past an we protected ourselves with quite elaborated active rules on our firewalls. We’ve had an audit from a group in KULeuven, and one of their recommendations was to go through a bug bounty exercise.

Why did you chose YesWeHack ?

We first asked a well known US bug bounty company but the pricing was out of reach for us. Then we discovered YesWeHack, through the OVH DLP accelerator (we are also members). We contacted them and found out quickly that their offer matched what we were looking for: a group of researchers that could investigate our security in BlackBox mode. In particular we wanted to be able to talk to the researchers in English and that is a given on that platform.

What are the results of your private phase ?

The private phase was achieved with a group of 10 researchers, and they came back with 5 vulnerabilities. Frankly, we were relieved that none of the reported vulnerabilities were severe, which confirmed that we already had quite a good security maturity.

Of course we can never rest in this field, but what were returned to us were subtle weaknesses that wouldn’t allow by themselves anyone to actually enter our site.

We rewarded the researchers anyway, understanding that sometime a combination of small weaknesses could lead to an actual attack vector. The exchange with the researchers were very fruitful and they gladly checked that our fixes were efficient as well.

That dialogue is really the positive aspect of the exercise: we forced ourselves to reply quickly to the remarks, and they were very quick to answer back and offer suggestions to solve the issues if needed.

What are you waiting from the public phase ?

Opening the bounty to all the ethical hackers on the platforms in YesWeHack should lead to much more return for us, and should help us solidify even more our application and its API. I hope nothing too bad will come out of it but of course I prefer hearing about it this way: we have to detect potential security issues as soon as possible.

A bug bounty program is a practical way to put your work to the test. We hope to learn a lot from this public phase – through ways that we wouldn’t have thought about ourselves.

Today more than ever (think Facebook, British Airways, …) we must stay humble and remember that ‘Security through obscurity’ doesn’t exist and it’s only by putting your cards on the table and be pro-active that you can ensure a decent level of security.

***

Go to MatrixAlm’s Bug Bounty Public Program !

***

YesWeHack rejoint le Pôle d’Excellence Cyber !

By

On July 3, 2018

In Bug Bounty, Disclosure, Europe, GDPR, IoT, Security by design, Vulnerability Coordination

C’est avec une fierté non dissimulée que YesWeHack annonce son intégration au Pôle d’Excellence Cyber.

Nous avons été cooptés et nous allons honorer cette confiance au sein du PEC pour contribuer au rayonnnement de savoir-faire français et Européen en termes de CyberSécurité.

YesWeHack va notamment apporter son expertise sur deux disciplines à savoir : le recrutement des talents spécialisés en cybersécurité et la divulgation coordonnée de vulnérabilités.

Déjà presents au coeur de l’écosystème breton avec une base à Rennes, YesWeHack continue de tisser des liens et de coopérer avec tous les acteurs de la région.

#NDH16 : Knowledge is power

By

On June 27, 2018

In Bug Bounty, Bug Hunters, Europe, Vulnerability Coordination

In 2018, for the first time, La Nuit du Hack takes place at La Cité des Sciences et de l’Industrie  in Paris.

YesWeHack is proud to be one of the numerous Platinum Sponsors of #NDH16 ! We are longing for having Fun and meeting you Folks in this temple of science.

Photo by HackerzVoice

Photo by HZV

Science

In this age of panic where the powers in place are trying to mitigate “fake news” (well… let’s say more precisely propaganda or misinformation), La Cité des Sciences et de l’Industrie symbolizes knowledge in many ways, Science is one the best allies to counterattack lies and conspiracy theories.

As a famous place in Paris, La Cité des Sciences et de l’Industrie provides through three levels : a 900 seat amphitheater, 2000m2 of exhibition area and one space called the « Loft » with its 1000m2 fully dedicated to hacktivities and games orchestrated by the HZV’s Team <3

Gravity, Density & Fun

So for this edition, La Nuit du Hack is going to deliver its thoroughness and richness with : 14 talks, 10 workshops, 6 Challenges, 1 Private CTF, On Site Bug Bounties and a Confessional .

Read More

OVH Bug Bounty RetEx by Vincent Malguy

By

On June 18, 2018

In Bug Bounty, Bug Hunters, Disclosure, opensource, Security by design, Vulnerability Coordination

As OVH bug bounty manager from March 2016 to March 2018, Vincent Malguy, through this interview, delivers his return of experience to share some tips with people who wonder how to set up and manage a program.

***

The genesis

In the early 2010’s, many companies in the IT sector like Facebook or Google started to launch bug bounty programs and within OVH this appeared as an obvious need. However, it took time to frame the project and to meet all the operational conditions to take the leap.

In 2015, when I was recruited by OVH, it was time to put in place all the bricks to calmly launch a bug bounty.

Back in the day, we identified two issues: the issue of vulnerability export and the legal complexity when paying rewards.

Of course, we evaluated the possibility of launching it without external help but we quickly gave up the idea because it is not our core business.

In any case since the beginning, it has been clear in our minds that a real bug bounty program is, in the long run, a program open to a wide audience.

In January 2016, we met with Korben and Freeman. They presented YesWeWack’s roadmap to launch the first European bug bounty platform.

The timing was perfect and we decided together to launch OVH’s public program on the occasion of “la Nuit du Hack” in June 2016.

Private phase

In this exercise we have the support of the management and technical teams.

Based on that internal mobilization, we started to carry out an additional audit on the initial scope in order to ensure its maturity. We then worked with the communications, legal and accounting teams. Once these prerequisites were gathered and validated, with YesWeHack, we started with a 1 month private window.

Read More

Bug Bounty: Take the leap – [ITW] Alain Tiemblo @BlaBlaCar

By

On April 23, 2018

In Bug Bounty, Disclosure, Europe, GDPR, Security by design, Vulnerability Coordination

Alain Tiemblo – BlaBlaCar Web Security Lead Engineer

Since September 2017, BlaBlaCar has been managing with a select number of security experts a private Bug Bounty program to enhance the operational security of its platform.

Previously accessible only by invitation via BountyFactory.io, YesWeHack’s bug bounty platform, this program has enabled BlaBlaCar to remain proactive on the cyber security of its services.

Thursday April 19, BlaBlaCar’s program is public

What is your role at BlaBlaCar?

I am a backend developer profile, today overseeing application security. When I joined BlaBlaCar, I was in charge of the platform’s performance and security. In mid-2015 and early 2016, our operational security needed to level up significantly, especially following our major fund-raising campaigns, which put BlaBlaCar under the light and pressure. So at that period of time, i took the lead of a small team to mitigate these attacks, and audit/consolidate the platform.

What is your approach to security, including coordinated vulnerability disclosure?

We have kept application security in-house for a long time. Previously, we used classical audits conducted by various companies, by several basic pentest applications, by using static analysis tools, etc. I think it helped to rough out a lot of little things that would have been detected by bug hunters.

In addition, we received a few troll messages on Twitter reporting vulnerabilities without notice and without any details… We also have some emails via customer support about potential security holes, but nothing was disclosed by these contacts, they first wanted to be paid and this, without proof of the existence of a security flaw, so it was impossible for us to enter the game.

Read More

Bug Bounty : Franchir le pas – ITW d’Alain Tiemblo @ BlaBlaCar

By

On April 12, 2018

In Bug Bounty, Disclosure, Privacy by Design, Security by design, Vulnerability Coordination

Alain Tiemblo - Bug Bounty - Vulnerability Coordination

Depuis septembre 2017, BlaBlaCar propose à un nombre d’experts en sécurité triés sur le volet, un
programme de Bug Bounty privé afin de renforcer la sécurité opérationnelle de sa plateforme. Accessible
jusqu’alors uniquement sur invitation via BountyFactory.io, la plateforme de bug bounty de YesWeHack, ce programme a permis à BlaBlaCar de rester proactif sur la cybersécurité de ses services.

Entretien avec Alain Tiemblo Web Security Lead Engineer – @BlaBlaCar – manager du programme de Bug Bounty.

Jeudi 19 avril le programme de BlaBlaCar est public

Quel est votre rôle au sein de BlaBlaCar ?

Je suis un profil développeur backend, aujourd’hui chapeautant la sécurité applicative. Lorsque je suis arrivé à BlaBlaCar, je m’occupais de la performance et la sécurité de la plateforme. Mi 2015 début 2016, nos besoins en sécurité opérationnelle ont augmenté de manière significative notamment à la suite de nos grosses levées de fonds qui ont suscité quelques convoitises. J’ai alors pris le lead d’une petite équipe afin de mitiger ces attaques, et auditer / consolider la plateforme.

Quelle est votre démarche en termes de sécurité et notamment de divulgation coordonnée de vulnérabilités?

Nous avons pendant longtemps gardé la sécurité applicative en interne. Auparavant, nous faisions appel à des audits classiques menés par diverses entreprises, par plusieurs applications de pentest, en utilisant des outils d’analyses statiques, etc. Je pense que ça a permis de dégrossir beaucoup de petites choses qui auraient été détectées par des chasseurs de failles.

Par ailleurs, on a reçu quelques messages de trolls sur Twitter signalant des failles sans préavis et sans aucun détails…

Read More

Page 1 of 2

Next →

Events

Categories

Powered by WordPress & Theme by Anders Norén