Why did you launch a Bug Bounty program?
As Europe’s leading publisher of cybersecurity solutions, we need to have peerless security ourselves. The strong cybersecurity practices we endorse to our customers must be reflected in our own operations. In the past, we relied on traditional methodologies, such as security audits, penetration testing and scans. However, these solutions were not only expensive, they were also only carried out periodically. About two years ago, we took the decision to move to continuous monitoring, both to improve the security of our applications and reassure our customers. Bug Bounty was the natural choice to underpin this modern cybersecurity strategy.
During client engagements, we are often asked searching questions about our security guarantees. After all, we host sensitive information and our customers want to be certain that their data will not be compromised. We present all of our security processes and methodologies to clients, including non-regression testing, DevOps and others. The problem is that these practises are no longer sufficient to reassure customers. However, the conversation changes completely when we talk to clients about our Bug Bounty program. They are immediately reassured by the fact experts are continuously testing our applications. Bug Bounty is a real differentiating asset, and it’s a sales argument we promote every time.
What makes Bug Bounty so special? What does it offer over traditional approaches to cybersecurity?
The first, as I mentioned, is the continuous applications security. Previously, we worked with an audit firm on a quarterly basis, and now we have ‘hunters’ tracking down potential vulnerabilities throughout the year.
There is also the follow-up aspect. If we perform a penetration testing, for example, and want the auditor to check the correction once a bug has been fixed, we have to undertake a new audit. With Bug Bounty, it’s much more flexible. When a hunter raises a vulnerability, we can exchange directly with that person, correct it and ask them to check it. We then pay the hunter once the correction has been confirmed. With a traditional auditor, there is no verification: it’s up to the developer to make sure that he or she has implemented the patch properly. Every time you deal with an auditor it can also feel like part of a contractual exchange.
Then, of course, there is the return on investment. When you perform a penetration testing, you have to pay even if no vulnerability is identified. With Bug Bounty, when a product is added to the program, dozens of hunters – potentially many more in a public program – perform the test. If no vulnerability is found, there’s nothing to pay. It’s very rare to find a solution offering near-optimal security for such a low cost.This really resonates with senior management too. They can see directly that a Bug Bounty program costs much less than a penetration testing or an audit.
Bug Bounty also offers significant value in terms of efficiency and diversity of skills. When you carry out penetration testing for the first time, you typically don’t have trusted partners you can turn to, so you choose an auditing or consulting firm at random. It’s a bit like a lottery: the tests might be carried out by people who are familiar with the theory, but less familiar with the practice. They’ll run scans to see the installed versions, which will bring up all the vulnerabilities associated with these versions, but there will be no proof of exploitability. For example, these consultants may comment, “You have PHP 7.0 installed. We know there are all these vulnerabilities online, we’ll put them in the report and let you deal with it”.
From our experience with audit firms, we just end up with a report with no evidence of exploitable vulnerabilities. All too often, an auditor may fall short of expectations, but the final bill is the same.With Bug Bounty it’s different. If we come across hunters with a little less experience, it’s not a big deal, because there are more than a hundred other researchers working on the project who will surface potential vulnerabilities. In addition, the reports written by the Bug Bounty researchers detail precisely the vulnerabilities found – and sometimes even how to fix them. That’s a key point compared to traditional approaches: Bug Bounty offers a very wide range of skills to ensure that applications are as secure as possible.
Has penetration testing been scaled back since introducing Bug Bounty?
Yes, we’re only doing one or two a year now. Honestly, penetration testing doesn’t interest us much anymore since we launched our Bug Bounty program.
One of the other attractions of Bug Bounty is the fact we can increase the price of the bounties over time if we choose, either to attract more hunters or draw in more qualified hunters. We can also vary different types of campaigns by introducing new scopes. Currently, for instance, we are in ‘grey box mode’, an authenticated mode. Last month however, we opened the ‘black box’ mode with more attractive pricing for hunters.
From time to time, we also do special campaigns. Not too often though, because it requires resources to follow-up with the reports.
How has bug bounty influenced your development team? Are they more aware of hacking, for example? Has it broadened their skill set?
Bug Bounty has really raised awareness among our developers. The concept of ‘hacking’ is now a fun part of their role. It’s a bit ‘dark’ and certainly interesting for our technical teams. Developers learn how to be the ‘bad guys’, for example, and how to retrieve information they shouldn’t have access to. This aspect is really interesting for the development teams, raising their awareness of security and their engagement with it.
Most developers have already heard about various security breaches – XSS vulnerabilities, SQL injections – but don’t have the opportunity to practice. When they have to fix a vulnerability and have access to a well detailed POC done by a researcher, they have a real use case in front of them, and that makes all the difference.
Generally speaking, all the teams that have been able to correct vulnerabilities have improved their skills and integrated good development practices.
How does Bug Bounty fit into your agile strategy?
The Bug Bounty model is much more agile than traditional methods. Before, we used to receive a PDF report with a list of vulnerabilities to fix. Now, we receive reports progressively, which makes the workload much easier for our teams to absorb.
In conclusion, what advice would you offer to your peers?
I would advise any organisation to implement a Bug Bounty program. For me, it is a mandatory step to achieving continuous, cost-effective application security. In my opinion, Bug Bounty should be implemented in every company that develops software. It’s a necessary step if you want to deliver both a secure and scalable software solution.
Interested in a demo or want to know how to implement a Bug Bounty program in your organisation? Get in touch with our team👇
Founded in 2015, YesWeHack is a Global Bug Bounty & VDP Platform.
YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting tens of thousands cybersecurity experts (ethical hackers) across 170 countries with organizations to secure their exposed scopes and reporting vulnerabilities in their websites, mobile apps, infrastructure and connected devices.YesWeHack runs private (invitation based only) programs and public programs for hundreds of organizations worldwide in compliance with the strictest European regulations.
In addition to the Bug Bounty platform, YesWeHack also offers: support in creating a Vulnerability Disclosure Policy (VDP), a learning platform for ethical hackers called Dojo and a training platform for educational institutions, YesWeHackEDU.