After a few months on a private Bug Bounty program, Prestashop opens up to the whole YesWeHack community. Check out the following interview with Pierre Rambaud, Senior Core Developer at Prestashop to understand the motivations behind this jump.
Could you please briefly introduce us to Prestashop and explain your role within the company?
PrestaShop is an Open Source e-commerce solution, written in PHP, with high customization capabilities. It is currently used by 300,000 shops worldwide and is available in 75 different languages. I work in the Core Team as a maintainer and I take care of security matters both for the open-source project and for the company.
What led you to launch a Bug Bounty program?
Obviously our main reason for launching a Bug Bounty program was to improve security testing for the project. It helps uncover more unknown vulnerabilities and implement better security practices. It also provides a private channel for vulnerability reporting. We already had a security email address but we think the Bug Bounty will encourage more people to report issues because of the reward. We will benefit from YesWeHack visibility to attract more security researchers to our project.
Finally, in 2020, having a Bug Bounty program is also a reliability indicator and proof we treat security seriously. It will help us gain the trust of customers and partners.
How is Bug Bounty an added value for an open-source application?
Bug Bounty is the perfect solution for improving the security of an application (open-source or not). In our case, the Bug Bounty will increase both the software security and users’ trust because it is public.
Today you’re expanding your private program into a public one–what motivated this choice?
Opening the program to the public was always our goal because this is an open-source project. It wouldn’t make sense to keep the program private for too long. Having a private program has allowed us to lift our platform to a higher standard, to correct multiple vulnerabilities, and to define more precisely the scope of our program and its rules. Today, we are ready to open it to the public and say confidently that PrestaShop is properly secured.
Any tip for companies hesitating to launch a Bug Bounty program?
The recent number of incidents where attackers were able to steal data from software companies proves that a Bug Bounty is especially needed nowadays. We owe it to PrestaShop users to put application security as the number one priority.
It is obvious that this program has a cost: not only money but also time dedicated to reports and to patching the issues. People whose source code is not disclosed may have the impression that they are safe and nothing can happen to them as the code is not public, which of course is wrong. It will save your reputation and your money. The program will actually cost less than you may think, as it will prevent breaches from happening.
Auditing your infrastructure or your application is fine, but it’s all constantly evolving. The advantage of a Bug Bounty program is that it will attract different hunters, with different skills, which will significantly increase the possibility of finding vulnerabilities.
A Bug Bounty will have different types of attacks being tried against your system, while an audit will be performed by a single entity.