Security by design with Bug Bounty

Category: Customer Stories

What is your role in CCM Benchmark Group?

I am Deputy CTO, in charge of technical monitoring with Damien Mangin, CTO of CCM Benchmark Group.

What were the reflection and the needs assessment that brought about a Bug Bounty program?

Like any other actor on the Internet, we are experiencing increasing threats such as hacking attempts or malware targeting our platforms. As we are the leading French media company (according to Comscore), we are particularly exposed to cyber threats. Therefore, we have to take a proactive approach to security in order to protect our users’ data.
The Bug Bounty program we opened was a very important step, complementary to the other methods we have set up (penetration testing, training). In terms of security by design, this exercise is really useful for our devs because, thanks to the bug reports, they can improve the security of their own code.

Why did you guys choose YesWeHack? What made the difference compared to other bug bounty platforms?

We paid attention to several criteria offered by YesWeHack. The first advantage was the fact that it is based in France, which strongly facilitated the set-up because we had a good feeling throughout the discussions with the team. They proved their capacity to mobilize some high-level hunters for a program such as ours. Finally, the European approach and the way the rewards are handled were both arguments that reassured us regarding the fight against the financing of terrorism.

Did you ask for help in setting up your program (in terms of scope, timing, invitations)?

Xavier Leune – CCM Benchmark Group

Yes, YesWeHack has been helping us from the beginning on a regular basis. Thanks to their experience, they have been able to help us write our programs and define our perimeters in an optimal way, so that the hunters have precise information about our expectations. In addition, they accompanied us in defining our reward grid, so as to properly reward the feedback given by hunters who spend a long time securing our platforms.

Last but not least, YesWeHack helped us to select and send invitations to high-ranked hunters.

How many hunters did you invite for the private phase?

For the private phase, we invited 10 hackers to our program.

What is your feedback in terms of vulnerabilities detected during this private phase?

Obviously, at the very beginning of the program, simple and common vulnerabilities were reported, especially XSS vulnerabilities. As time went by, more sophisticated vulnerabilities appeared, and we were really surprised by some findings. We felt a very strong commitment from each hunter, driven by their appetite for being the first to report a critical vulnerability.

The figures: 58 reported bugs, of which 34 led to corrective measures. The others were mainly duplicates (18 out of 24).
The number of critical vulnerabilities reached 5.
The highest reward for a single bug reached 1000 €.

Did you appreciate the level of communication between you and the hunters?

Yes, the level of communication with the hunters was really appreciated by our team. At times, we experienced some difficulties with certain vulnerabilities, either in reproducing them or in understanding the harm they implied. The hunters were really good at answering our questions and at double-checking the patches we delivered.

Today you’re expanding your private Bug Bounty program into a public one. What motivated this choice?

To us, going public is a natural evolution of our bug bounty program. We wanted to properly learn the art of running a bug bounty through YesWeHack, first by dealing with a limited number of reported bugs and with hunters we had chosen to communicate with. Now, we are far more confident in terms of procedures and patching policy, so it makes sense to go public and be exposed to a maximum of skills to keep on securing our platform.

In terms of benefits, can you say that beyond the financial aspect there are issues of communication and reputation? How would CCM Benchmark deal with these aspects?

It is important for us to show a proactive approach on such crucial issues. However, there are no plans at the moment to promote the opening of our bug bounty program to our audience. Above all, we decided to go public for ourselves and our visitors.
