Category: Vulnerability Coordination Page 1 of 3

Lucas aka BitK: high level bug hunter and the brand new YesWeHack Tech Ambassador.

Tell us about yourself, your background ?

I’m Lucas also know as BitK, I am 28 y/o. I’m a French guy who lives in Lyon. If you play CTF we have probably already met during an on site event as I play a lot of them with the French team Hexpresso.

Before joining YesWeHack I was writing / reversing software for power plants.

I’m also a bug hunter, I’ve been in the top 10 hackers on YesWeHack Bug Bounty platform since the launch of the platform.

Why did you join YesWeHack and what is your role ?

It’s a team that I’ve known for quite some time through CTF, Bug hunting and HZVCommunity & Events ( LeHack ).

We share the same principles and I do like the idea of bringing tools to the community.

My role as Tech Ambassador within YesWeHack will be to support the hackers’ community, by providing tools, talks and workshop. I’ll attend the YesWeHack sponsored events, having great time with bug hunters and IT security researchers.

As a bug hunter and CTF player what are you driven by ?

To me, bug hunting is a lot like a puzzle game, I feel like every software, application is vulnerable to some kind of exploitation, you just need to find how.

Writing software is a difficult job, and developers are still human beings, so they make mistakes : our job is to find those mistakes and help developers to fix them before it gets worse.

One thing I love about the hacker community is the willingness to share information, tips or tools. There is always someone better than you in a specific field and most of the time those people will share their knowledge if you ask nicely.

What are the benefits of CTF (Capture The Flag) for those who want to start bug hunting ?

CTF is a bit different from bug bounties, the major difference is that in CTF you know that a vulnerability is there, you goal is “just” to exploit it.

So usually CTF tasks are quite small, you need to exploit a very specific bug. While in bug bounties, you are hacking real enterprise, their website can be huge and sometime you can find yourself lost in the scope. Bug Bounty has a whole reckon phase that CTF don’t have, it’s a new skill to learn.

CTF and Bug Bounties are different, but most of the time I use tricks and tips I’ve learn during CTF to exploit real life application in Bug Bounty.

Read More

SPARTA — Re-imagining the way cybersecurity research, innovation, and training are performed in the European Union

Cybersecurity is an urgent and major societal challenge. Highly correlated with the digitalization of our societies, cyberthreats have an increasing impact on our lives. It is therefore essential to ensure digital security and strategic autonomy of the EU by strengthening leading cybersecurity capacities. This challenge will require the coordination of Europe’s best competences, towards common research and innovation goals.

SPARTA is a novel Cybersecurity Competence Network, supported by the EU’s H2020 program, with the objective to develop and implement top-tier research and innovation collaborative actions. Strongly guided by concrete challenges forming an ambitious Cybersecurity Research & Innovation Roadmap, SPARTA will setup unique collaboration means, leading the way in building transformative capabilities and forming a world-leading Cybersecurity Competence Network across the EU. From basic human needs (health) to economic activities (energy, finance, and transport) to technologies (ICT and industry) to sovereignty (eGovernment, public administration), four research and innovation programs will push the boundaries to deliver advanced solutions to cover emerging challenges.

The SPARTA consortium, led by CEA, assembles a balanced set of 44 actors from 14 EU Member States, including ANSSI, Institut Mines-Télécom, Inria, Thales, and YesWeHack for France, at the intersection of scientific excellence, technological innovation, and societal sciences in cybersecurity. Together, along with SPARTA Associates, they aim at re-imagining the way cybersecurity research, innovation, and training are performed in Europe across domains and expertise, from foundations to applications, in academia and industry.

In sharing experiences and excellence, challenges and capabilities, SPARTA makes decisive contributions to European strategic autonomy.

***

Follow SPARTA – Cybersecurity Competence Network –
on Twitter @sparta_eu

[ITW] Daniel Kalinowski: “Participating in bug bounties improves your skills and increase the overall knowledge.”

Let’s meet with Kalin, Bug Hunter from Poland.

What’s your background ?

I’m 25 yo ,I didn’t study, it’s kind of a waste of time in Poland. Well, depends if hacking the school PCs in junior high school counts? xD
I have started my carrier in IT industry as a Data Center Operator, then I got promoted to Junior Dev. They had to do it because I have pwned their application once, and after promotion with the access to source code I was able to find few more critical bugs. Also with the help of Shellshock I was able to download/view the files of the CTO that were stored on one NAS.

3 years ago I have joined a awesome security company, and in my current position I’m responsible for : Mobile apps testing / Web apps testing / Code reviews / General technical advisory on the customer side.

My nickname Kalin comes from my surname KALINowski. I can be also found on the Internet by @llamaonsecurity/@llamasbytes handle.

Why are you interested in bug bounty ?

It started bug bounties as a time-killer in my first job, then I forgot about it and came back to it when I started the carrier in IT security. Participating in bug bounties improves your skills and increase the overall knowledge. Once I had to dig into the PNG file format structure to execute the XSS payload on web servers. It was quite an unique experience. Financially speaking, 1 euro is equal to 4.15 PLN (my local currency) so participating in bug bounties can be profitable.

Read More

YesWeHack joins platform58, the start-up incubator of La Banque Postale

Building Trust at the core of digital transformation.

La Banque Postale puts its customers’ interests above all.

Through the creation of platform58, La Banque Postale asserts its willingness to strengthen its digital transformation for both its employees and customers.

Cybersecurity being a pillar of digital transformation, YesWeHack is looking forward to mobilizing its community in order to improve the banking industry global security.

The banking industry sees itself at a pivotal moment. The expectations of our customers but also of our employees, the rise of new disrupting techs and emerging players, require us to design a more open banking platform. With platform58, a strategic project for La Banque Postale, we embrace this change by creating a French FinTech & InsurTech ecosystem embodying our banking and civic values. We build together (start-ups, customers, partners, etc.) the bank and insurance of the future.

Remy Weber, Chairman of La Banque Postale’s Executive Board.

YesWeHack is delighted to be one of the first 7 start-ups to be hosted by platform58.

platform58 provides support and hosting for start-ups developing solutions in the fields of banking, insurance, technology, but also finance-related services, such as big data, health and education.

The platform58 incubator will offer selected start-ups (max. 10 per year) tailor-made support by experts and managers of La Banque Postale, with no equity investment and no time limit. Other actors, in particular CNP Assurances, 50 Partners1, Visa, EY, TelecomParisTech, 1000Mercis, and Startway will contribute to the success of start-ups.

The 7 selected start-ups

YesWeHack provides its bug bounty platform and expertise to the French Armed Forces Ministry.

YesWeHack is delighted to support the French Cyber Defence Command (COMCYBER), in order to leverage its 3,400 cyber-combatants+ force.

YesWeHack, a French start-up and bug bounty leader in Europe, equips COMCYBER with an innovative concept and tool to boost cooperation with all the Ministry’s cyber entities.

This bold initiative is part of the Ministry opening up towards the civil society and private actors.

Florence Parly, the French Armed Forces Minister, announced on the 22nd of January :

A partnership has been established between COMCYBER and a start-up, YesWeHack. So, yes, I do announce: we will launch the first bug bounty of the French Armed Forces Ministry at the end of February 2019. Ethical hackers, recruited within the cyber operational reserve, will be able to search for vulnerabilities in our systems and, if successful, be as they should be, rewarded.

Florence Parly, the French Armed Forces Minister

With the signing of this partnership, the Armed Forces Ministry becomes the first French Ministry to launch a bug bounty program. COMCYBER will leverage YesWeHack bug bounty platform to meet the growing challenge posed by new cyber threats.

With the YesWehack bug bounty platform, COMCYBER will be able to best use its trusted community of reservists, in order to improve global security of the ministry’s entities

Guillaume Vassault-Houlière, YESWEHACK CEO

This bug bounty program opens new perspectives for the management of the operational cyber reserve. Ultimately, such initiative will make possible to train reservists and increase their skills to significantly and durably improve the Ministry’s level of security.

YesWeHack met sa plateforme de bug bounty à disposition du ministère des Armées.

YesWeHack se réjouit d’apporter ses compétences au profit du Commandement de la cyberdéfense (COMCYBER) qui compte dans ses rangs plus de 3.400 cyber-combattants.

YesWeHack, start-up et leader français du bug bounty en Europe, offre au COMCYBER un concept et un outil novateurs développant la coopération avec l’ensemble des entités cyber du ministère. Cette discipline permet également au ministère de s’inscrire dans une démarche d’ouverture auprès du monde civil, avec l’ensemble des acteurs privés.

Un partenariat a été noué entre le COMCYBER et une start-up, YesWeHack. Alors, oui, je l’annonce, nous allons lancer fin février le premier bug bounty du ministère des Armées. Des hackers éthiques, recrutés au sein de la réserve opérationnelle cyber, pourront se lancer à la recherche des failles dans nos systèmes et s’ils en découvrent en être comme il se doit, récompensés.

Florence Parly, Ministre des Armées.

Avec la signature de ce partenariat, le ministère des Armées devient le premier ministère à se doter d’un exercice de bug bounty. Le COMCYBER va bénéficier de la plateforme de bug bounty de YesWeHack pour s’inscrire dans une vision de la Cybersécurité résolument moderne, où la collaboration et la coordination sont essentielles pour maintenir l’efficience de ses périmètres, face aux nouvelles menaces accentuées par la transformation numérique.

Il nous paraissait essentiel de proposer au COMCYBER la plateforme de bug bounty Yeswehack pour lui permettre d’améliorer sa sécurité opérationnelle grâce à leur communauté de confiance, constituée de réservistes.

Guillaume Vassault-Houlière, CEO YESWEHACK

Le bug bounty ouvre de nouvelles perspectives d’animation de la réserve opérationnelle cyber. À terme, la récurrence de ce type d’exercice permettra d’entraîner les réservistes et de les faire monter en compétences pour augmenter significativement et durablement le niveau de sécurité du ministère.
Ce modèle innovant pourra être facilement activé sur l’ensemble de l’exposition numérique du Ministère des Armées.

***

>> Devenir réserviste de cyberdéfense

La  réserve de cyberdéfense recrute tout au long de l’année des spécialistes dans le domaine informatique, réservistes opérationnels ou citoyens. La réserve recherche différents profils : coordinateurs, experts, analystes, techniciens; à différents niveaux : étudiants en 1ère année en informatique à BAC+5.

Le réserviste opérationnel souscrit un engagement à servir dans la réserve opérationnelle, un contrat rémunéré d'une durée de 1 à 5 ans renouvelable. Ces volontaires font le choix de servir leur pays sans faire du métier des armes leur seule profession.

Les réservistes citoyens sont des collaborateurs bénévoles du service public. Ils choisissent de servir leur pays en faisant bénéficier la défense de leur expertise et leur compétence. En tant que bénévole, ils consacrent le temps qu’ils souhaitent et peuvent, à cette mission.

Les conditions générales pour devenir réserviste

- Etre de nationalité française et résider en France
- Avoir plus de 17 ans
- Faire des études en informatique
- Etre en règle au regard des obligations du service national
- Ne pas avoir de casier judiciaire

Pour plus d’informations ou pour candidater (CV + lettre de motivation) : crpoc.cer.fct@intradef.gouv.fr

Source : https://www.defense.gouv.fr/portail/enjeux2/la-cyberdefense/la-cyberdefense/presentation

YesWeHack sponsor du CESIN : pour contribuer à renforcer la coopération entre les experts et les décideurs.

L’équipe YesWeHack est fière d’annoncer qu’elle devient officiellement sponsor du CESIN, une association qui lui est chère.

YesWeHack et le CESIN vont, ensemble, contribuer à renforcer la coopération entre tous les acteurs du numérique.

La communauté de YesWeHack, forte de plus de 6500 chercheurs, est désormais représentée au sein du CESIN.

Un combo gagnant : la transformation numérique et la Cybersécurité

YesWeHack inscrit ce partenariat avec le CESIN dans le long terme, afin de partager sa vision de la cybersécurité du futur, adaptée aux transformations que connaissent les membres de l’association. 

Ayant contribué au sein du CESIN depuis 2016 en tant que CISO chez Qwant, c’est une fierté de devenir sponsor aujourd’hui avec YesWeHack. Nous allons continuer à participer aux échanges au cœur du CESIN car la cybersécurité est le pré-requis essentiel pour mener efficacement toute transformation numérique auprès des décideurs.”

Guillaume Vassault-Houlière, CEO de YesWeHack.

Avec plus de 500 membres, les activités du CESIN connaissent un succès grandissant parmi les experts en cybersécurité et YesWeHack est très enthousiaste à l’idée de participer à cette dynamique riche de promesses.

Le CESIN a souhaité cette année diversifier son sponsoring en accueillant en son sein quelques startups innovantes.

L’objectif est d’offrir encore davantage de visibilité à des entreprises auxquelles nous croyons beaucoup, comme YesWeHack car elles apportent, par leur innovation et leur audace, une réponse complémentaire aux enjeux de la cybersécurité auxquels sont confrontés les RSSI membres du club.

Alain Bouillé, Président du CESIN.

YesWeHack et le CESIN vous donne donc rendez-vous en 2019 pour une année constructive faite de rencontres et de projets concrets.

Open Source software audits via Bug Bounties for the EU institutions: digital.security and YesWeHack awarded.

digital.security and YesWeHack are glad to be part of the 3 winners of the tender for Free and Open Source Software Audit (FOSSA OSS-BB). FOSSA OSS-BB’s main goal is to help improve the overall security of the Internet by focusing on free and open source tools used by Citizens and Public entities of European Union.

DevSecOps : how to increase your agility with Bug Bounty

Digital transformation requires security at the core of DevOps culture and processes.

Under pressure from business lines, DevOps teams need concision, speed and security to ensure continuous integration and delivery. Security unfortunately is -too often- considered as an constraint to agility and it has to be demystified for a better and faster takeover by DevOps teams.

Given the recent stories about data breaches that blackened famous corporations like Facebook and Equifax, the time has come to empower your DevOps Team with security.

We will try to cover the organizational and cultural challenges in order to set up effective DevSecOps and how, as a manager, you can develop security awareness and skills in your agile teams. 

Last but not least, we will try to point out how Crowd Sourced Security is a key enabler of your DevSecOps strategy to success.

Source https://tech.gsa.gov

What is at stake ?

Read More

FIC 2019: YesWeHack’s community, NGOs & CivicTech unite through a unique Bug Bounty Campaign.

For this edition of FIC 2019, YesWeHack is organizing, for the first time in the history of FIC, a special event dedicated to Bug Bounty.

The International Cybersecurity Forum: the European reference event bringing together all stakeholders in digital trust will take place on 22 and 23 January.

This unprecedented bug bounty campaign will take place in an original space reserved for dozens of security researchers so that they can operate over several scopes, and where applicable, earn rewards according to the criticality of the reported vulnerabilities.

For this Premiere, the scopes are submitted by NGOs and CivicTech projects wishing to harden their systems and thus better protect their information assets and their reputation.

YesWeHack has chosen this year to help NGOs and Civictech as a priority, because many European citizens use tools developed by this sector to contribute to the common good, democracy, associative and charitable projects.

“For all actors, customers, developers and researchers, this Bug Bounty campaign within the 2019 FIC is a great and useful opportunity to exchange and confront the reality of threats in order to significantly increase the level of security and privacy by design”

Guillaume Vassault-Houlière – CEO @YESWEHACK

The Bug Bounty’s area will welcome bug hunters who will cooperate with “program managers” from the selected projects with the support of Romain Lecoeuvre, the CTO of the YesWeHack team.

The rewards will be of two types: a total prize pool of several thousand euros is planned to reward the best researchers and goodies collectors will delight some players.

Read More

Page 1 of 3

Powered by WordPress & Theme by Anders Norén