Bug Bounty is a “good addition” to Thüringer Aufbaubank’s fulfilment of its compliance obligations around pentesting, according to the development bank’s head of software engineering.
In this interview with YesWeHack, Jürgen Krug reflects on the benefits of crowdsourced security testing – not least for software development practices – and his tips for running an effective Bug Bounty Program.
Thüringer Aufbaubank (TAB) is a publicly-owned development bank that provides loans, grants and guarantees to projects and organisations in the central German state of Thuringia. Among other things, the bank provides financing on favourable terms to infrastructure projects, environmental protection initiatives and proposals that prioritise sustainable development.
Why did Thüringer Aufbaubank decide to launch a Bug Bounty Program?
Jürgen Krug: Only by ensuring the integrity, confidentiality and availability of the data we process can we maintain the necessary trust of our customers, which is the basis of the business we carry out.
The foundation for this is a systematic consideration of threat scenarios and the measures derived from them. This approach guarantees that the most important aspects of security are considered, but it also means that we are moving on pre-thought-out paths.
With a Bug Bounty Program, we want to complement this necessary approach with a pragmatic approach that also considers new, unexpected aspects of cybersecurity.
With the many bug hunters that YesWeHack connects us to, we have access to a large amount of know-how in the security space that all of our products can benefit from.
Why did you choose YesWeHack over rival platforms?
JK: Our choice fell on YesWeHack because the European data protection requirements can be met without a doubt, because the platform is popular enough to activate a sufficient number of hunters, and finally because of the adequate pricing, as we are only a small company.
What are the most significant benefits of Bug Bounty so far?
JK: We received information on specific attack scenarios that we were able to prevent.
The hackers’ approach also showed us topics and approaches that we continue to pursue ourselves and that we take into account in the development process.
How has the program evolved and expanded so far?
JK: We started by inviting a limited selection of hackers, so we could gain experience of using a Bug Bounty platform before increasing the flow of bugs to remediate. After the number of reports plateaued, we decided to make the program public.
What are your plans or hopes for how your Bug Bounty Program will grow or become more optimised in the coming years?
JK: First, we are concentrating on business applications that are accessible on the internet.
An extension to other services offered by the bank is conceivable. Testing from an internal perspective, with extended authorisations on separate test systems, is a topic we want to address in the future.
Have you faced any challenges adapting your program to the demands or constraints of your security maturity and internal skills and resources?
JK: The volume of reports was easily processed by our internal teams. Of course, we also benefited from the sophisticated scoping of reportable vulnerabilities, as well as the triage services provided by YesWeHack.
All reports that are ultimately relevant to us flow into a general process for known security vulnerabilities in the bank, which can be centrally controlled and monitored regardless of the source of the information.
Are there any particular challenges or opportunities that Bug Bounty presents for the banking/financial services sectors, given their strict compliance and security requirements?
JK: The requirements of the supervisory authorities for banks already include the performance of penetration tests. In this respect, Bug Bounty is a good addition, since it has the same objective as pentests, but utilises a different approach.
What best practices do you follow that other organisations could benefit from by emulating?
JK: We try to classify a report as quickly as possible and provide feedback to the hacker quickly.
And if a piece of information is of value to us, even though the report itself has no direct impact, we sometimes give a voluntary bonus to show our appreciation to the bug hunters.
Thüringer Aufbaubank recently launched a public Bug Bounty Program on the YesWeHack platform with rewards ranging up to €5,000 for critical vulnerabilities. Check out the program details to find out about the scopes, rewards and rules of engagement.