Interview with Romain Lods, Head of Engineering, Deezer
Why did you decide to launch a Bug Bounty program?
About two years before we launched our Bug Bounty program, we started internal security audits on our code, which had never been done before at Deezer. These tests allowed us to make a first pass and fix some obvious vulnerabilities.
Then we became interested in Bug Bounty and YesWeHack. The ease of use of the platform convinced us of launching a program. Following the launch, we very quickly received interesting vulnerabilities, everything went smoothly, so we decided to continue and expand our perimeters.
What value does Bug Bounty offer compared to traditional cyber security solutions, such as penetration testing?
We typically perform an annual audit on several of our services, which lasts between one and three weeks. But this approach is expensive, focuses only on a few services, and over time, doesn’t really deliver interesting results. Bug Bounty gives us ongoing feedback throughout the year, on various scopes, and detects bugs very quickly.
In terms of ROI, Bug Bounty is also very interesting: we decide ourselves the reward we assign to each vulnerability.
Moreover, Bug Bounty guarantees us a diversity of testing skills. With penetration testing, each consultant is ultra-specialized, so we tend to guide him or her on what we want from the test.
With Bug Bounty, we were surprised by some researchers’ reports. They gave us results of original scenarios, which we had never seen before.
Finally, I appreciate the quality of the reports on the flaws reported through YesWeHack. You sense the researchers are really trying to offer a functional and reproducible POC, that we can easily retest.
The reports of our usual audits are generally quite accurate, but we also find the equivalent quality with Bug Bounty, when the researchers are good and ‘play the game’. It’s very pleasant to receive reports illustrated with screenshots and videos, which greatly facilitates their understanding, validation, and also their communication to the teams concerned.
Do you get help from researchers to analyze and fix the bugs received?
Yes, the researchers help us in the bug reproduction phase. In some cases, we ask them to check whether the vulnerability has been fixed. We also have a large team of developers in-house who can take care of this patch management.
Does Bug Bounty mean the end of penetration testing or are the two complementary?
For me the two remain absolutely complementary. Bug Bounty is a tool that goes further and deeper than the audit. We use penetration testing on new services, or on scopes where we already know there are problems.
Have you observed any changes in your teams since you began using Bug Bounty?
We clearly see an increased awareness of security. Bug Bounty reports helped us trigger some major security projects. Our cybersecurity vision and posture have evolved, and Bug Bounty is one of the drivers of this change.
In terms of organization, we adapted our process to collect, sort, and validate reports. Then, based on the elements of each validated report, an internal ticket is created and assigned to the relevant team for processing with a varying degree of priority.
Do you consider Bug Bounty as a sign of confidence towards the market?
Yes. Using a public Bug Bounty program, we can demonstrate and highlight our concerns about security and transparency. We also assume the fact of exposing ourselves to ‘controlled’ attacks, and to consider the valuable feedback from the researchers’ community.
At Deezer, we also have a team dedicated to fraud: indeed, artists and labels are paid according to the audience of the tracks. In order to guarantee their income, we have to protect them from any fraud relating to the platform. So, this is a crucial part of our cybersecurity strategy – and within the scope of our Bug Bounty program.
For the time being, we are pursuing our current strategy, regularly reviving the program when activity is declining. Generally speaking, the amount of feedback often depends on how visible Deezer is in the news. When we communicate more or launch campaigns, researchers are attracted to our program.
As a next step, we will consider an increase in bounties to encourage researchers to find more complex vulnerabilities.
Do you have any advice for CISOs or startups considering Bug Bounty?
As a general rule, it’s better to know your security flaws when you start a project, rather than wait until there are too many to deal with, after you’ve made (bad) choices of architectures.
When I see what our Bug Bounty program brought us, I think it would have been better if we had taken these insights into account as early as possible.
So, I would recommend not waiting too long to implement tools such as Bug Bounty, in order to minimize the dependency on legacy systems, which are more complex to secure afterward.
If you want more information about Bug Bounty & YesWeHack, drop us a line:
Founded in 2013, YesWeHack is the #1 European Bug Bounty & VDP Platform.
YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting tens of thousands cyber-security experts (ethical hackers) across 120 countries with organisations to secure their exposed scopes and reporting vulnerabilities in their websites, mobile apps, infrastructure and connected devices.
YesWeHack runs private (invitation based only) programs, public programs and vulnerability disclosure policies (VDP) for hundreds of organisations worldwide in compliance with the strictest European regulations.