Moving from a private to a public Bug Bounty program

Customer Stories

What’s your role as CISO within Outscale?

First of all, Outscale deals with IaaS: like AWS, we provide an API, and we have branch offices in France, the USA and China. Each branch office is subject to its own specific digital sovereignty rules. I've been wearing two hats: guarantor of internal security and guarantor of security for our customers. Globally speaking, human resources are at the core of my job.

What needs assessment led you to open a bug bounty program?

We provide cloud computing services with ISO 27001 certification. Regularly, we order penetration testing sessions led by IT security companies. The results are pretty good, but that did not satisfy us enough, and we wanted to go deeper to better secure our products. We made up our minds to expand our security culture. Clearly, bug bounty is another approach: payment is bound to the result, only the result counts, and a bug bounty is not limited in time.

Why did you opt for YesWeHack and more precisely, what criteria convinced you compared to other US and European platforms?

We needed a platform based in France, and therefore in Europe, strictly because it was a strong demand on behalf of our management: we are very strict about data sovereignty. So, de facto, the US platforms were disqualified.

YesWeHack offers much better responsiveness in integrating features into the platform, and the process of creating a program is clear. We were won over and convinced by the high quality, responsiveness and relevance of the YesWeHack team.

Did you ask for assistance in setting up your program?

YesWeHack provides real, efficient support and follow-up. As a matter of fact, we managed to publish our bug bounty program in a single day! I was sent an example of a program, and in no time I was able to finalize it and define our scope properly. The last step was adjusting the overall amount for the rewards.

For the private step, how many hunters did you select?

From the hall of fame, I just selected the hunters I knew by reputation (5 to 8) and completed the list with some of the YesWeHack private team.

During the private program, what did you notice in terms of vulnerability reporting?

Indeed, we had two private bug bounty programs: one focused on our IaaS and API, the other on our web application. As for our web interface, we got 10 reported bugs in one month, and 5 were validated. Only 3 of them were critical. Concerning our API: nothing critical so far.

Have you enjoyed the quality of communication between you and the hunters via the YesWeHack platform? What improvement would you need?

The ticketing system via email is OK. Beyond that, we often talk with hunters via Twitter and, more generally, via the famous IRC, so it would be a good idea to have a secure, built-in instant messaging feature.
The hunters are very correct: they ask before attacking. The level of discussion and consultation is really good, with consultation upstream before testing the perimeter, because the platform was in production. They are careful and responsible; they want the customer's approval before trying various methods.

Why did you decide to go public?

Beginning with a private program was highly necessary: we had no experience in managing a bug bounty program. The private step has a clear advantage: a private bug bounty is like a penetration test without a time limit. Going public will allow us to test our IaaS and API in real conditions.
This first pass through private mode is important to approach the switch from private to public status with clear eyes. Now we are glad to announce: everyone can play! The real attacker does not care about standards, so only bug bounty can simulate this brutal truth!

In short, are you satisfied with your choice?

Definitely. In my humble opinion, penetration testing will have to question itself. With bug bounty, hunters are here to find vulnerabilities: if they don't find anything, they won't be paid, contrary to penetration testing. Unfortunately, no normative framework (PASSI) looks at these benefits, and we can confirm that the real attacker does not care about standards, so only bug bounty can simulate this brutal truth!
We will promote this exercise widely to our customers via Twitter, and our bug bounty security approach will also be explained to our partners and customers in forthcoming meetings.
