Showcasing your vulnerability disclosure policy to the world

Every business needs a vulnerability disclosure policy. Thankfully, a growing number of organisations have one. Yet, those programs are not always a click away. Here’s to a unique plugin for both Chrome and Firefox, because making it easy to report issues need not be much work.

We are all too familiar with the quotidian data breach debacle that organisations go through more often than not. Besides, the initial notice frequently comes from an “anonymous report” or a disgruntled ethical hacker tweeting about your mishandling their repeated vulnerability notifications.

Those are situations we observe, yet many still struggle with preparing for them and the PR mess that inevitably follows. Shooting the messager, coming up with statements that look pretty much like they have been randomly generated , or not responding for months, are all symptoms that you are ill-prepared to handle reports from the broader security community.

The good news: I can haz a VDP

One robust approach to preventing stinky headlines and loss of trust from customers and partners is a vulnerability disclosure policy (VDP). That policy is a commitment that your organisation will receive, evaluate, and if need be, fix vulnerabilities notified by security folks external to the business.
A VDP also clarifies that you will not go after ethical hackers willing to help you improve the security of your service or product.

For a VDP to be efficient, it needs a few essential elements:

  1. Scope: clearly state what is what, identifying assets that your VDP covers.
  2. Safe harbour: specifically directed at ethical hackers, this bit confirms your commitment to not prosecuting well-intentioned researchers who report a vulnerability. That part is particularly important as legal clarity across organisations and countries is extremely challenging to achieve.
  3. How To: the precise mechanism your organisation has set up and, ideally, the details you would want to see added to a vulnerability report. The aim here is to make said report the most useful possible to the organisation’s technical team.
  4. DO’s and DON’Ts: anything you find relevant to smoothen communication.

You get it right: setting up such a policy implies you have thought out roles and responsibilities internally. Rather than a burden, setting a VDP and organising it is a way of developing talent, breaking silos and improving security altogether.

The better news: Showcasing your VDP has never been easier

You have a VDP; you need to feature it prominently on the organisation’s website so it is accessible to anyone who needs it. One way of doing so is creating a dedicated webpage, such as F-Secure.

Another way is thanks to a simple tool that comes in handy, namely security.txt. You fill in the form, download the file and upload it to the business’s website. Your security.txt can contain contact details, or else the link to your ongoing Bug Bounty programme. Indeed, a Bug Bounty programme is a vulnerability disclosure policy with a monetary reward system.

Whichever way you choose, you will want it to be known. Well, now, there is a plugin for that! Enter YesWeHack VDP Finder, the go-to Chrome and Firefox plugin . Whenever you browse the web, the plugin indicates whether a VDP exists. Because making it easy to report issues does not need to be much work!

Download the firefox plugin
from Mozilla.org
Wanna go for a cool – and secure – carpooling service?
We have marked cases where a VDP exists without a security.txt as “room for improvement” to highlight that security.txt is a (draft, for now) standard. As such, it makes locating a VDP policy even easier since one needs no extra browsing to find the contact detail: the security.txt file is always present at www.mywebsite.tld/.well-known/security.txt
Like, really?

Fighting malware at the roots

YesWeHack organises bug bounty programmes to disclose and correct vulnerabilities before malicious tools get in. A year after joining the Paris Call, we look back at how have we contributed to furthering peace in the cyberspace.

+ Read More

YesWeHack EDU, the world’s first Bug Bounty educational platform

YesWeHack, Europe’s leading Bug Bounty company announces the launch of YesWeHack EDU, the world’s first Bug Bounty education platform dedicated to cybersecurity training.

YesWeHack EDU creates a training ecosystem for best practices in cybersecurity, meeting the growing need for talent in this sector.

Taking advantage of recognized expertise in Coordinated Vulnerability Disclosure (CVD), as well as a unique ecosystem of customers and researchers, YesWeHack EDU trains its users to detect security vulnerabilities in realistic scenarios, in identical contexts to what exists today in production within companies and organizations.

Guillaume Vassault-Houlière,
CEO & Co-Founder, YesWeHack

“Cybersecurity is both an economic and societal issue, and this sector suffers from an imbalance between the state of the threat and the market’s defence capabilities,” commented Guillaume Vassault-Houlière, co-founder of YesWeHack. He adds: “To remedy this situation, the capacity of public and private actors to detect and correct shortcomings in a professional and ethical manner must be rapidly strengthened – This requires specialized profiles training and better information sharing. »

YesWeHack EDU is aimed at cybersecurity curriculums in schools and universities and more broadly at all European IT curriculums (e.g. development, big data, etc.) that want to accelerate the sharing of quality datasets.

YesWeHack EDU’s educational approach first encourages emulation through gamification and the involvement of each student in securing their institution. Above all, it opens up prospects for future developers towards promising specializations such as DevSecOps, Data Scientist, Security Analyst, etc. Finally, YesWeHack EDU facilitates the implementation of collaborative projects and cross-functional initiatives between academic institutions and the private sector.

“According to a study published by Gartner, 50% of companies worldwide are expected to use Bug Bounty by 2022, compared to 5% today. We are launching YesWeHack EDU to address the talent shortage faced by the cyber security industry. This program provides the academic community with a sophisticated training platform to professionalize vulnerability management and to train for new cyber jobs, such as DevSecOps, Big Data, SOAR, etc. ” explains Guillaume Vassault-Houlière, CEO & Co-founder of YesWeHack.

YesWeHack will rely on its partner IT-Gnosis, who will provide YesWeHack EDU to schools and universities globally.

Available throughout Europe, the YesWeHack EDU platform is aligned with the SPARTA consortium initiative, of which YesWeHack is a founding member, that aims to strengthen both innovation and research in cybersecurity at the European level.

We have a small message for the hackers playing with us.

Hey, we just wanted to greet the talented hacker community using our plateform and reward them for their skill.

Last week we’ve began unrolling a reward system, beginning with achievement posters.

Some of you yet received them in a postal parcel, please bear with us while they travel around the globe 😉

The reward grid is as follow:

WEREWOLF
This achievement is awarded to hackers staying on top of the leaderboard for more than 3 months

2 Hackers had unlocked this achievement.

SAPIENS
This achievement is awarded to hackers having submitted a valid report each month for 12 months

4 hackers had unlocked this achievement

SURGEON
This achievement is awarded to hackers winning the max reward on a program

22 hackers had unlocked this achievement

DOZER
This achievement is awarded to hackers validating 10 reports on the same program

28 hackers had unlocked this achievement

EMPEROR
This achievement is awarded to hackers staying on the leaderboard’s top 5 for 12 months

2 hackers had unlocked this achievement

WARLORD
This achievement is awarded to hackers staying on the leaderboard’s top 5 for 6 months

4 hackers had unlocked this achievement

KING OF THE HILL
This achievement is awarded to hackers staying on the leaderboard’s top 5 for 3 months

7 hackers had unlocked this achievement

Next batch is in 3 months, KEEP HACKING! 😉

We hope those humble rewards will please you, get in touch with a private message on our twitter account for any follow-up needed on this matter.

Again, Thank you, you’re awesome.

A quick update on our ranking point system.

We have recently been questioned on how our ranking point system works and how report quality is evaluated.

Our system has evolved quite a lot since inception, and some new report quality rating features have been added.

1- Triaging

The first step of a bug report life cycle is being ( hopefully ) accepted as valid by the program owner, otherwise it is classified as invalid and receives an additional qualification that eventually can lead to a negative rating, as illustrated below:

Note that a valid report can be triaged again as ” Informative ” or ” Won’t Fix ” after validation and before being accepted.

2- Accepted stage

Now that your shiny report has been accepted by the program owner, congratulations, you are now eligible for a reward.
But how are your ranking points calculated exactly?

a – Bounty

Depending on the bounty your report matches, you will be rewarded with ranking points:
– 15 POINTS for every bounty inferior to 500€
– 25 POINTS for every bounty from 500€, to 2000€
– 50 POINTS for every bounty superior to 2000€

b – Quality rating

The program owner can also reward the quality of your report and attribute 1 to 5 additional ranking points.

c – CVSS scoring bonus

Again, the program owner can give you 1 additional point if your report CVSS scoring falls right.

As summed-up in this chart:

You get 7 additional points for a resolved bug, a big thank you.

3- The big picture.

Finally we’ve stitched it all inside a single graph for your convenience.
Is our ranking system clearer?

You can refer to our leader-board to discover the hunters top 100

YesWeHack Ivy League

YesWeHack – Europe’s leading bug bounty platform – is opening an office in Singapore

YesWeHack – Europe #1 bug bounty platform – has announced that it is opening an office in Singapore. The new office is part of YesWeHack’s fast-growth strategy for its international activities following a €4 million fundraising at the start of the year.

YesWeHack is consolidating its global positioning in a sector that will transform the cybersecurity industry over the next five years.

Kevin Gallerin has been appointed Managing Director APAC to develop YesWeHack’s strategy in Asia. Having spent more than ten years in the region, he knows the Asian cybersecurity market inside out, having notably participated in the launch of CERT-LEXSI in Singapore.

+ Read More

Lucas aka BitK: high level bug hunter and the brand new YesWeHack Tech Ambassador.

Tell us about yourself, your background ?

I’m Lucas also know as BitK, I am 28 y/o. I’m a French guy who lives in Lyon. If you play CTF we have probably already met during an on site event as I play a lot of them with the French team Hexpresso.

Before joining YesWeHack I was writing / reversing software for power plants.

I’m also a bug hunter, I’ve been in the top 10 hackers on YesWeHack Bug Bounty platform since the launch of the platform.

Why did you join YesWeHack and what is your role ?

It’s a team that I’ve known for quite some time through CTF, Bug hunting and HZVCommunity & Events ( LeHack ).

We share the same principles and I do like the idea of bringing tools to the community.

My role as Tech Ambassador within YesWeHack will be to support the hackers’ community, by providing tools, talks and workshop. I’ll attend the YesWeHack sponsored events, having great time with bug hunters and IT security researchers.

As a bug hunter and CTF player what are you driven by ?

To me, bug hunting is a lot like a puzzle game, I feel like every software, application is vulnerable to some kind of exploitation, you just need to find how.

Writing software is a difficult job, and developers are still human beings, so they make mistakes : our job is to find those mistakes and help developers to fix them before it gets worse.

One thing I love about the hacker community is the willingness to share information, tips or tools. There is always someone better than you in a specific field and most of the time those people will share their knowledge if you ask nicely.

What are the benefits of CTF (Capture The Flag) for those who want to start bug hunting ?

CTF is a bit different from bug bounties, the major difference is that in CTF you know that a vulnerability is there, you goal is “just” to exploit it.

So usually CTF tasks are quite small, you need to exploit a very specific bug. While in bug bounties, you are hacking real enterprise, their website can be huge and sometime you can find yourself lost in the scope. Bug Bounty has a whole reckon phase that CTF don’t have, it’s a new skill to learn.

CTF and Bug Bounties are different, but most of the time I use tricks and tips I’ve learn during CTF to exploit real life application in Bug Bounty.

+ Read More

SPARTA — Re-imagining the way cybersecurity research, innovation, and training are performed in the European Union

Cybersecurity is an urgent and major societal challenge. Highly correlated with the digitalization of our societies, cyberthreats have an increasing impact on our lives. It is therefore essential to ensure digital security and strategic autonomy of the EU by strengthening leading cybersecurity capacities. This challenge will require the coordination of Europe’s best competences, towards common research and innovation goals.

SPARTA is a novel Cybersecurity Competence Network, supported by the EU’s H2020 program, with the objective to develop and implement top-tier research and innovation collaborative actions. Strongly guided by concrete challenges forming an ambitious Cybersecurity Research & Innovation Roadmap, SPARTA will setup unique collaboration means, leading the way in building transformative capabilities and forming a world-leading Cybersecurity Competence Network across the EU. From basic human needs (health) to economic activities (energy, finance, and transport) to technologies (ICT and industry) to sovereignty (eGovernment, public administration), four research and innovation programs will push the boundaries to deliver advanced solutions to cover emerging challenges.

The SPARTA consortium, led by CEA, assembles a balanced set of 44 actors from 14 EU Member States, including ANSSI, Institut Mines-Télécom, Inria, Thales, and YesWeHack for France, at the intersection of scientific excellence, technological innovation, and societal sciences in cybersecurity. Together, along with SPARTA Associates, they aim at re-imagining the way cybersecurity research, innovation, and training are performed in Europe across domains and expertise, from foundations to applications, in academia and industry.

In sharing experiences and excellence, challenges and capabilities, SPARTA makes decisive contributions to European strategic autonomy.

Press Release & Contacts

***

Follow SPARTA – Cybersecurity Competence Network –
on Twitter @sparta_eu

YesWeHack raises €4 million and plans to disrupt Europe’s cybersecurity market

YesWeHack, Europe’s leading Bug Bounty platform, announced today it has raised €4 million from Open CNP, the corporate venture program of CNP Assurances, and Normandie Participations. This deal aims at asserting the company’s presence in France and accelerate its international development, notably in Europe and Asia.

Founded in 2013, YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting more than 7,000 cyber-security experts (ethical hackers) across 120 countries with organizations to secure their exposed scopes and reporting vulnerabilities in their websites, mobile apps, infrastructure and connected devices.

 “YesWeHack mobilises collective intelligence to plug the widening gap in cybersecurity skills – one of the big challenges of the next few decades”

Guillaume Vassault-Houlière, CEO of YesWeHack
+ Read More

YesWeHack joins platform58, the start-up incubator of La Banque Postale

Building Trust at the core of digital transformation.

La Banque Postale puts its customers’ interests above all.

Through the creation of platform58, La Banque Postale asserts its willingness to strengthen its digital transformation for both its employees and customers.

Cybersecurity being a pillar of digital transformation, YesWeHack is looking forward to mobilizing its community in order to improve the banking industry global security.

The banking industry sees itself at a pivotal moment. The expectations of our customers but also of our employees, the rise of new disrupting techs and emerging players, require us to design a more open banking platform. With platform58, a strategic project for La Banque Postale, we embrace this change by creating a French FinTech & InsurTech ecosystem embodying our banking and civic values. We build together (start-ups, customers, partners, etc.) the bank and insurance of the future.

Remy Weber, Chairman of La Banque Postale’s Executive Board.

YesWeHack is delighted to be one of the first 7 start-ups to be hosted by platform58.

platform58 provides support and hosting for start-ups developing solutions in the fields of banking, insurance, technology, but also finance-related services, such as big data, health and education.

The platform58 incubator will offer selected start-ups (max. 10 per year) tailor-made support by experts and managers of La Banque Postale, with no equity investment and no time limit. Other actors, in particular CNP Assurances, 50 Partners1, Visa, EY, TelecomParisTech, 1000Mercis, and Startway will contribute to the success of start-ups.

The 7 selected start-ups
1 2 3