How security vendors use Bug Bounty programs
Interview of Stéphane Bourou | Technical Project Manager at Ercom
For 30 years, Ercom has developed a leadership position in the communications, data and terminal security markets.
This position is based on complementary technological expertise in Telco/cloud infrastructure, cryptography and software and on shared values: innovation, expertise, commitment and confidentiality.
Our products and expertise are recognized in France and internationally by major companies, customers, partners and certification entities. All our solutions are certified or in the process of certification by ANSSI.
Two examples that illustrate Ercom’s expertise:
- Ercom equipped the Presidential aircraft with a secure telephone in 2002, thus offering the first highly secure mobile communication solution.
- Ercom’s Cryptosmart (secure communications and mobile terminals) is the first ANSSI-certified solution to be restricted for distribution to consumer terminals, making it easier for users to adopt it.
Our offer is based on three products: CryptoPass, CryptoSmart and CryptoBox.
What did you learn from the private phase of your bug bounty program?
The Bug Bounty in general complements the ANSSI certifications to which we submit each of our security solutions. Our primary goal was to confront our CryptoBox solution with a relevant range of attackers who we might encounter during its use, in order to have a continuous evaluation of the level of resistance of our solution.
Several bug reports were provided to us, and one in particular proved to be of a significant level. This enabled us to improve our product and demonstrate the thoroughness of our development teams regarding security.
Why is going public a good move?
Private mode limits the number of bug bounty hunters; therefore, it does not really confront us with what we would definitely encounter during an operational deployment. By going public, we expect to have Bug Bounty Hunters with more focused, varied and specialized skills on specific surfaces, such as web and smartphone applications. Through this important and true exercise, we will be able to increase the level of assurance obtained during the private phase.
What would be your arguments for convincing reluctant organizations to cross the threshold?
It’s always good to face reality, and this is especially important for a security solution. We are making the effort to use the Bug Bounty with the dual objective of improving our solution and having greater visibility and credibility. A Bug Bounty program makes it possible to mobilize a large number of IT security researchers for a limited period of time in an economical and repetitive way.
Our experience being very positive, we will soon open a second program for our new product: CryptoPass.