Vulnerability Disclosure Policy as a first step of GfK’s crowdsourced security strategy

For this new issue of our customer stories, we discussed Vulnerability Disclosure Policy with the security team of GfK, a global leader in data and analytics for the consumer products industry. Standing for Growth from Knowledge, GfK was originally founded in 1934 as a non-profit organisation in Nuremberg, Germany. Today, with over 8,000 employees, it provides consumer and market insights to more than 10,000 clients worldwide.

Sure! I am Jean-Yves Le Breton and I joined GfK four and a half years ago as a Product Security Manager.

My product security team is part of a global Information Security team of 30+ people located in multiple locations, with main hubs in the UK, Bulgaria, Germany and Malaysia. My team is composed of three mainstreams: the pentesters aka the breakers, the DevSecOps engineers aka the builders, and the defenders. We work mostly with development and application teams and help other teams with their security requirements and security posture.

Here with me today we have Adam Jarman, who has been an IT Security Analyst at GfK for a year and a half, and Sasha Druzhinin, who recently joined the team as a Junior Security Analyst. Our security analysts work mainly with web applications and penetrating testing; and run lots of vulnerability tools, scanning tools and DevSecOps activities.

Jean-Yves Le Breton, Product Security Manager, GfK:

Over a year ago, around October 2021, we started thinking we were mature enough to consider getting external feedback as part of our security strategy.

There were definitely some internal concerns about inviting “hackers” to look into our products, so VDP has been used as a preliminary phase for us, before launching a Bug Bounty program. With a VDP, we wanted to build a business case on how we can leverage feedback from security researchers. Our aim was to demonstrate that we could receive some interesting reports with this passive approach.

We started our VDP program with YesWeHack in early June 2022. We compared several platforms and decided to go with YesWeHack because of 3 main reasons:

• The triage: it is done in-house at YesWeHack, and we heard good feedback from other YesWeHack clients saying that the triage team was very responsive.
• The engagement: throughout our interactions with the team, we felt like we would get much more engagement from YesWeHack than from other platforms we spoke to.
• GDPR and data protection compliance: GfK is headquartered in Germany and most of our biggest customers are EU-based. We comply with local laws regarding GDPR and take data security seriously, so we wanted to make sure our provider also did.

Jean-Yves Le Breton, Product Security Manager, GfK:

Over the years, GfK had received reports from security researchers that enabled us to flag possible misconfigurations. Those were not necessarily security issues, but potential things we needed to investigate and address. We felt that we needed a central way for collecting those reports and a more efficient process to deal with external security feedback. We thought that setting up a VDP would really help us in that journey to provide a transparent and secure channel to the security researcher community.

Furthermore, we can look at it from a signalling theory perspective: for GfK, having a VDP sends a signal to the broader security community that we highly value security. It shows that we welcome security reports, take them seriously and make sure they are triaged efficiently as well. We are trying to foster some collaboration with the wider community of researchers that we may not have without this process.

Finally, it indicates that we want to improve. As security experts, we are always looking for feedback. We intend to see how, within the context of our application, we can make security improvements to our products.

Sasha Druzhinin, Junior Security Analyst, GfK:

Besides, of course, a key point for us is to build the confidence and trust in GfK as a company.

Jean-Yves Le Breton, Product Security Manager, GfK:

Before setting up our VDP, most of the reports we received were through our online contact form, as there was no dedicated email address for the security team. Some researchers also reached out to our legal or data protection teams, who then forwarded the matter to us. Now that we have our VDP program, it helps streamline the contact process.

Adam Jarman, IT Security Analyst, GfK:

With a VDP, we know that the reports we receive are coming straight away. It avoids researchers thinking that we are not interested in their reports.

Another aspect worth mentioning is the setup of the platform. Its configuration actually forces a minimum standard for the reports, compared to an email with only a screenshot and a few lines describing the vulnerability, for instance.

Sasha Druzhinin, Junior Security Analyst, GfK:

Indeed, it encourages consistency for the researchers because they are in a specific framework.

Jean-Yves Le Breton, Product Security Manager, GfK:

From a technical perspective, the process was pretty straight forward. It only took a couple of hours to write the VDP content with the YesWeHack customer support team. After that, the text was quicky reviewed by our legal department.

What’s more interesting to look at is GfK’s internal process to set up the VDP: we, the infosec team, needed to talk to several other departments (data protection, legal, marketing, PR…) to ensure everybody was aware of the VDP program. We had to explain what we were trying to do and to achieve, and why, to help them get onboard.

It was incredibly interesting and rewarding internally as it brought up a collaborative approach of how we interact with external parties when it comes to security. And we did not just publish the VDP: we made sure our corporate site referenced our VDP, that the data protection content page was updated to include the whole VDP process, etc.

Jean-Yves Le Breton, Product Security Manager, GfK:

We are in a multi-year journey of trying to continuously improve our security. GfK is a complex and broad environment so we are looking for ways to optimise our VDP and ensure security researchers can access it easily. For that, we make sure all our web applications have a valid security.txt file and all our communications mention our VDP.

Besides, I think we are now ready to launch our Bug Bounty program, a step which we have been considering for quite a while now. We could start with a private Bug Bounty program on some of our key products to get more active feedback from the security community and deliver more secure products.

Jean-Yves Le Breton, Product Security Manager, GfK:

We wish to thank the YesWeHack team. We feel we have been in really good hands from the beginning and the team always answers quickly to our requests. This has been a great experience so far!

And lastly, I would like to point out that it’s also great having a VDP with respect to our customers. We have seen an increasing number of our clients wanting to ensure we have the right processes in place and asking us whether we have a VDP or a Bug Bounty program. We can definitely see that the industry is moving, and that crowdsourced security is more and more becoming a part of a mature security posture. The attitude at GfK and throughout the industry is changing towards external “hackers”, who are no longer considered to be a bad thing but a way of providing an additional safety net through reporting extra findings.

Curious to know more about how YesWeHack’s VDP solution can benefit your business? Let’s connect and find out. Click the button below to schedule a demo.

Book a demo

About YesWeHack

Founded in 2015, YesWeHack is a global Bug Bounty and VDP Platform. YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting more than 45,000 cybersecurity experts (ethical hackers) across 170 countries with organisations to secure their exposed scopes and reporting vulnerabilities in their websites, mobile apps, infrastructure and connected devices.

YesWeHack runs private (invitation based only) programs and public programs for hundreds of organisations worldwide in compliance with the strictest European regulations.

In addition to the Bug Bounty platform, YesWeHack also offers: a creation and management solution for Vulnerability Disclosure Policy (VDP), a Pentest Management Platform, a learning platform for ethical hackers called Dojo and a training platform for educational institutions, YesWeHackEDU.