Fighting malware at the roots

YesWeHack organises bug bounty programmes to disclose and correct vulnerabilities before malicious tools get in. A year after joining the Paris Call, we look back at how we have contributed to furthering peace in cyberspace.

YesWeHack EDU, the world’s first Bug Bounty educational platform

YesWeHack, Europe’s leading Bug Bounty company announces the launch of YesWeHack EDU, the world’s first Bug Bounty education platform dedicated to cybersecurity training.

YesWeHack EDU creates a training ecosystem for best practices in cybersecurity, meeting the growing need for talent in this sector.

Taking advantage of recognized expertise in Coordinated Vulnerability Disclosure (CVD), as well as a unique ecosystem of customers and researchers, YesWeHack EDU trains its users to detect security vulnerabilities in realistic scenarios, in contexts identical to those found in production today within companies and organizations.

Guillaume Vassault-Houlière,
CEO & Co-Founder, YesWeHack

“Cybersecurity is both an economic and societal issue, and this sector suffers from an imbalance between the state of the threat and the market’s defence capabilities,” commented Guillaume Vassault-Houlière, co-founder of YesWeHack. He adds: “To remedy this situation, the capacity of public and private actors to detect and correct shortcomings in a professional and ethical manner must be rapidly strengthened – this requires specialized profiles training and better information sharing.”

YesWeHack EDU is aimed at cybersecurity curriculums in schools and universities and more broadly at all European IT curriculums (e.g. development, big data, etc.) that want to accelerate the sharing of quality datasets.

YesWeHack EDU’s educational approach first encourages emulation through gamification and the involvement of each student in securing their institution. Above all, it opens up prospects for future developers towards promising specializations such as DevSecOps, Data Scientist, Security Analyst, etc. Finally, YesWeHack EDU facilitates the implementation of collaborative projects and cross-functional initiatives between academic institutions and the private sector.

“According to a study published by Gartner, 50% of companies worldwide are expected to use Bug Bounty by 2022, compared to 5% today. We are launching YesWeHack EDU to address the talent shortage faced by the cyber security industry. This program provides the academic community with a sophisticated training platform to professionalize vulnerability management and to train for new cyber jobs, such as DevSecOps, Big Data, SOAR, etc.” explains Guillaume Vassault-Houlière, CEO & Co-founder of YesWeHack.

YesWeHack will rely on its partner IT-Gnosis, who will provide YesWeHack EDU to schools and universities globally.

Available throughout Europe, the YesWeHack EDU platform is aligned with the SPARTA consortium initiative, of which YesWeHack is a founding member, that aims to strengthen both innovation and research in cybersecurity at the European level.

We have a small message for the hackers playing with us.

Hey, we just wanted to greet the talented hacker community using our platform and reward them for their skill.

Last week we began rolling out a reward system, beginning with achievement posters.

Some of you have already received them in a postal parcel; please bear with us while they travel around the globe 😉

The reward grid is as follows:

WEREWOLF
This achievement is awarded to hackers staying on top of the leaderboard for more than 3 months


2 hackers have unlocked this achievement.

SAPIENS
This achievement is awarded to hackers having submitted a valid report each month for 12 months


4 hackers have unlocked this achievement.

SURGEON
This achievement is awarded to hackers winning the max reward on a program


22 hackers have unlocked this achievement.

DOZER
This achievement is awarded to hackers validating 10 reports on the same program


28 hackers have unlocked this achievement.

EMPEROR
This achievement is awarded to hackers staying on the leaderboard’s top 5 for 12 months


2 hackers have unlocked this achievement.

WARLORD
This achievement is awarded to hackers staying on the leaderboard’s top 5 for 6 months


4 hackers have unlocked this achievement.

KING OF THE HILL
This achievement is awarded to hackers staying on the leaderboard’s top 5 for 3 months


7 hackers have unlocked this achievement.

The next batch is in 3 months, KEEP HACKING! 😉

We hope these humble rewards will please you. Get in touch via private message on our Twitter account for any follow-up needed on this matter.

Again, thank you, you’re awesome.

A quick update on our ranking point system.

We have recently been questioned on how our ranking point system works and how report quality is evaluated.

Our system has evolved quite a lot since inception, and some new report quality rating features have been added.

1- Triaging

The first step of a bug report life cycle is being (hopefully) accepted as valid by the program owner; otherwise it is classified as invalid and receives an additional qualification that can eventually lead to a negative rating, as illustrated below:

[Figure: YesWeHack workflow and points system]

Note that a valid report can be triaged again as “Informative” or “Won’t Fix” after validation and before being accepted.

2- Accepted stage

Now that your shiny report has been accepted by the program owner, congratulations, you are now eligible for a reward.
But how are your ranking points calculated exactly?

a – Bounty

Depending on the bounty your report matches, you will be rewarded with ranking points:
– 15 POINTS for every bounty below 500€
– 25 POINTS for every bounty from 500€ to 2000€
– 50 POINTS for every bounty above 2000€

b – Quality rating

The program owner can also reward the quality of your report and attribute 1 to 5 additional ranking points.

c – CVSS scoring bonus

Again, the program owner can give you 1 additional point if the CVSS scoring in your report is accurate.

As summed up in this chart:

[Figure: YesWeHack workflow and points system]

You get 7 additional points for a resolved bug, a big thank you.

3- The big picture.

Finally, we’ve stitched it all together in a single graph for your convenience.
Is our ranking system clearer?

[Figure: YesWeHack workflow and points system]

You can refer to our leaderboard to discover the top 100 hunters.

YesWeHack – Europe’s leading bug bounty platform – is opening an office in Singapore

YesWeHack – Europe’s #1 bug bounty platform – has announced that it is opening an office in Singapore. The new office is part of YesWeHack’s fast-growth strategy for its international activities following a €4 million fundraising at the start of the year.

YesWeHack is consolidating its global positioning in a sector that will transform the cybersecurity industry over the next five years.

Kevin Gallerin has been appointed Managing Director APAC to develop YesWeHack’s strategy in Asia. Having spent more than ten years in the region, he knows the Asian cybersecurity market inside out, having notably participated in the launch of CERT-LEXSI in Singapore.


Lucas aka BitK: high level bug hunter and the brand new YesWeHack Tech Ambassador.

Tell us about yourself, your background?

I’m Lucas, also known as BitK, I am 28 y/o. I’m a French guy who lives in Lyon. If you play CTF we have probably already met during an on-site event as I play a lot of them with the French team Hexpresso.

Before joining YesWeHack I was writing / reversing software for power plants.

I’m also a bug hunter, I’ve been in the top 10 hackers on YesWeHack Bug Bounty platform since the launch of the platform.

Why did you join YesWeHack and what is your role?

It’s a team that I’ve known for quite some time through CTF, Bug hunting and HZVCommunity & Events (LeHack).

We share the same principles and I do like the idea of bringing tools to the community.

My role as Tech Ambassador within YesWeHack will be to support the hackers’ community, by providing tools, talks and workshops. I’ll attend the YesWeHack sponsored events, having a great time with bug hunters and IT security researchers.

As a bug hunter and CTF player what are you driven by?

To me, bug hunting is a lot like a puzzle game, I feel like every software, application is vulnerable to some kind of exploitation, you just need to find how.

Writing software is a difficult job, and developers are still human beings, so they make mistakes: our job is to find those mistakes and help developers to fix them before it gets worse.

One thing I love about the hacker community is the willingness to share information, tips or tools. There is always someone better than you in a specific field and most of the time those people will share their knowledge if you ask nicely.

What are the benefits of CTF (Capture The Flag) for those who want to start bug hunting?

CTF is a bit different from bug bounties, the major difference is that in CTF you know that a vulnerability is there, your goal is “just” to exploit it.

So usually CTF tasks are quite small, you need to exploit a very specific bug. While in bug bounties, you are hacking real enterprises, their website can be huge and sometimes you can find yourself lost in the scope. Bug Bounty has a whole recon phase that CTFs don’t have, it’s a new skill to learn.

CTF and Bug Bounties are different, but most of the time I use tricks and tips I’ve learned during CTF to exploit real-life applications in Bug Bounty.

SPARTA — Re-imagining the way cybersecurity research, innovation, and training are performed in the European Union

Cybersecurity is an urgent and major societal challenge. Highly correlated with the digitalization of our societies, cyberthreats have an increasing impact on our lives. It is therefore essential to ensure digital security and strategic autonomy of the EU by strengthening leading cybersecurity capacities. This challenge will require the coordination of Europe’s best competences, towards common research and innovation goals.

SPARTA is a novel Cybersecurity Competence Network, supported by the EU’s H2020 program, with the objective to develop and implement top-tier research and innovation collaborative actions. Strongly guided by concrete challenges forming an ambitious Cybersecurity Research & Innovation Roadmap, SPARTA will setup unique collaboration means, leading the way in building transformative capabilities and forming a world-leading Cybersecurity Competence Network across the EU. From basic human needs (health) to economic activities (energy, finance, and transport) to technologies (ICT and industry) to sovereignty (eGovernment, public administration), four research and innovation programs will push the boundaries to deliver advanced solutions to cover emerging challenges.

The SPARTA consortium, led by CEA, assembles a balanced set of 44 actors from 14 EU Member States, including ANSSI, Institut Mines-Télécom, Inria, Thales, and YesWeHack for France, at the intersection of scientific excellence, technological innovation, and societal sciences in cybersecurity. Together, along with SPARTA Associates, they aim at re-imagining the way cybersecurity research, innovation, and training are performed in Europe across domains and expertise, from foundations to applications, in academia and industry.

In sharing experiences and excellence, challenges and capabilities, SPARTA makes decisive contributions to European strategic autonomy.

***

Follow SPARTA – Cybersecurity Competence Network –
on Twitter @sparta_eu

YesWeHack raises €4 million and plans to disrupt Europe’s cybersecurity market

YesWeHack, Europe’s leading Bug Bounty platform, announced today it has raised €4 million from Open CNP, the corporate venture program of CNP Assurances, and Normandie Participations. This deal aims at asserting the company’s presence in France and accelerating its international development, notably in Europe and Asia.

Founded in 2013, YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting more than 7,000 cyber-security experts (ethical hackers) across 120 countries with organizations to secure their exposed scopes and report vulnerabilities in their websites, mobile apps, infrastructure and connected devices.

 “YesWeHack mobilises collective intelligence to plug the widening gap in cybersecurity skills – one of the big challenges of the next few decades”

Guillaume Vassault-Houlière, CEO of YesWeHack

YesWeHack joins platform58, the start-up incubator of La Banque Postale

Building Trust at the core of digital transformation.

La Banque Postale puts its customers’ interests above all.

Through the creation of platform58, La Banque Postale asserts its willingness to strengthen its digital transformation for both its employees and customers.

Cybersecurity being a pillar of digital transformation, YesWeHack is looking forward to mobilizing its community in order to improve the banking industry’s global security.

The banking industry sees itself at a pivotal moment. The expectations of our customers but also of our employees, the rise of new disrupting techs and emerging players, require us to design a more open banking platform. With platform58, a strategic project for La Banque Postale, we embrace this change by creating a French FinTech & InsurTech ecosystem embodying our banking and civic values. We build together (start-ups, customers, partners, etc.) the bank and insurance of the future.

Remy Weber, Chairman of La Banque Postale’s Executive Board.

YesWeHack is delighted to be one of the first 7 start-ups to be hosted by platform58.

platform58 provides support and hosting for start-ups developing solutions in the fields of banking, insurance, technology, but also finance-related services, such as big data, health and education.

The platform58 incubator will offer selected start-ups (max. 10 per year) tailor-made support by experts and managers of La Banque Postale, with no equity investment and no time limit. Other actors, in particular CNP Assurances, 50 Partners, Visa, EY, TelecomParisTech, 1000Mercis, and Startway will contribute to the success of start-ups.

The 7 selected start-ups

YesWeHack provides its bug bounty platform and expertise to the French Armed Forces Ministry.

YesWeHack is delighted to support the French Cyber Defence Command (COMCYBER), in order to leverage its force of 3,400+ cyber-combatants.

YesWeHack, a French start-up and bug bounty leader in Europe, equips COMCYBER with an innovative concept and tool to boost cooperation with all the Ministry’s cyber entities.

This bold initiative is part of the Ministry opening up towards the civil society and private actors.

Florence Parly, the French Armed Forces Minister, announced on the 22nd of January:

A partnership has been established between COMCYBER and a start-up, YesWeHack. So, yes, I do announce: we will launch the first bug bounty of the French Armed Forces Ministry at the end of February 2019. Ethical hackers, recruited within the cyber operational reserve, will be able to search for vulnerabilities in our systems and, if successful, be as they should be, rewarded.

Florence Parly, the French Armed Forces Minister

With the signing of this partnership, the Armed Forces Ministry becomes the first French Ministry to launch a bug bounty program. COMCYBER will leverage YesWeHack bug bounty platform to meet the growing challenge posed by new cyber threats.

With the YesWeHack bug bounty platform, COMCYBER will be able to best use its trusted community of reservists, in order to improve global security of the ministry’s entities.

Guillaume Vassault-Houlière, YESWEHACK CEO

This bug bounty program opens new perspectives for the management of the operational cyber reserve. Ultimately, such an initiative will make it possible to train reservists and increase their skills to significantly and durably improve the Ministry’s level of security.