Can you tell us what made you decide to launch a Bug Bounty?
Security has always been a part of the OVHcloud DNA. It’s inherent to our business as an infrastructure provider and all of the services that we offer. The high level of security of our infrastructure has to be a permanent focus, as well as a driver of our customers’ trust. It relies on physical and logical safeguards and oversight activities, scans, internal and external penetration tests, code and configuration reviews, etc. Some of these safeguards are managed non-stop by our teams, while others rely on a partnership with trusted third parties.
We launched a Bug Bounty program for OVH with YesWeHack several years ago in order to add a layer of security to our existing systems. Our companies share the same core values and evolve in the same ecosystem; we share the same passion and the same European roots. It’s partly for these reasons that we started with this platform: we were one of YesWeHack’s first public program clients, and launched our program during a live Bug Bounty at the Nuit du Hack (Hack Night) event.
Does Bug Bounty strengthen the trust your customers place in you?
Yes, definitely. OVHcloud works with different types of clients. Some of them manage their infrastructure themselves and are highly sensitive to technical communications. Our communication is therefore based on transparency and reliability. Other customers are more mindful of our ability to bring in trusted third parties, such as certification auditors or external service providers. Bug Bounty is therefore an added element of trust for some of our customers who expect more than the traditional security means.
YesWeHack works with large strategic organisations such as OVIs*, and we also play in that market. Doing Bug Bounty with YesWeHack is a part of this ecosystem of trust and is becoming a “must have” for organisations like ours. It’s also a question of reputation vis-à-vis the community of hunters, who are stakeholders in this ecosystem: through YesWeHack, we can interact with people who aren’t always available via other channels.
*Operators of Vital Importance
What does Bug Bounty offer you in terms of the aforementioned services (audits, scans, penetration tests, etc.)?
Bug Bounty puts us in touch with experts with knowledge that complements that of our teams, across the entire spectrum of technologies that we use: OpenStack, Kubernetes, Machine Learning tools, AI, etc. It’s just impossible to find a team of pentesters with advanced skills in all of these technologies.
YesWeHack gives us easy access to experts in these various technologies who say: “I’m a Kubernetes expert, so I’m going to take a look at all of these bug bounty programs with Kubernetes offers and dig deeper.” This effectively completes our security approach by providing a perspective that complements that of our teams.
Another key point is that Bug Bounty offers a formal framework for vulnerability reporting. It allows us to provide a legally secure point of entry for the Hunters. Even if it isn’t the only OVHcloud channel for vulnerability reporting, we recommend to anyone that “finds” vulnerabilities to use our program. This allows us to have one single inflow and a linked process for managing vulnerability reports. It’s therefore a defining part of our CVD (Coordinated Vulnerability Disclosure).
Beyond the advantages of Bug Bounty as a model, I'd like to highlight the YesWeHack platform, which comes in very handy, with a very intuitive UI. The OVHcloud team managing the Bug Bounty gives us excellent feedback on the workflow management, report processing, interactions with the hunters, etc.
The APIs make it possible to integrate all useful information into our own tools and dashboards in an automated way, and also track our bonus budget, the activity of each program, etc. At a glance, we’re able to know the status of our programs and report indicators to our management: the bug bounty is fully integrated into our strategy and the steering of our global security.
What part does Bug Bounty play in your agile development approach?
Our team of pentesters oversees our Bug Bounty: two managers are in charge of the program as well as leading the community of hunters. They then work with the various teams affected by the vulnerabilities so that we can integrate them into our management systems and ensure their correction.
Once the vulnerabilities are reported via the platform, we integrate them into our processes: we have an entire organisational structure that we call security management systems, as part of the ISO 27001 certification framework – including processes, roles, responsibilities that are documented and enable us to ensure that each vulnerability, incident, potential threat, etc. is processed and monitored over time by our teams, and is part of a detailed action plan whose application is verified – according to the sensitivity of the product in question, and the associated level of requirement. Thanks to the YesWeHack API, we easily integrated the bug bounty reports into this process: everything is managed by tickets that are viewable on our dashboards and accessible to our external auditors if needed.
You’re in a public program – how are your exchanges with the community going?
Managing a Bug Bounty program is a real commitment to all stakeholders involved in making the internet safer. This means that we have a responsibility to be rigorous and transparent in the handling and resolution of vulnerabilities that are reported to us. What makes the process easier is that the platform provides a framework that facilitates relationships between customers and Hunters, with very rich and very direct communication – we’re in a relationship where we openly discuss findings on how to analyse a vulnerability. There is no other way to have such productive communication.
What are the next steps?
We’re working on integrating the tickets generated by vulnerability reports into our global risk management model in a standard way. The goal is to be able to standardise our risk management regardless of the information source – whether it’s a proven incident or a vulnerability report. So, it’s about taking advantage of the API’s full potential to further automate reporting.
We’ve also identified certain Hunters who are particularly strong on our public program, with whom we have excellent relationships, or who have very specific skills, that we plan to invite onto programs dedicated to specific products. That will probably happen this year.
If you want more information about Bug Bounty & YesWeHack, drop us a line.
Founded in 2013, YesWeHack is the #1 European Bug Bounty & VDP Platform.
YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting more than 15 000 cyber-security experts (ethical hackers) across 120 countries with organisations to secure their exposed scopes and report vulnerabilities in their websites, mobile apps, infrastructure and connected devices.
YesWeHack runs private (invitation based only) programs, public programs and vulnerability disclosure policies (VDP) for hundreds of organisations worldwide in compliance with the strictest European regulations.