Page 2 of 4

Open Source, NGOs & Hackers : Unity is strength

YesWeHack is definitely a group of passionate people who all have become professionals. As passionate people, we do have principles and it is precisely these principles that keep us on the right path of our social, economic and financial development.

As some of you have noticed, we operate in a competitive world without forgetting our fundamentals.
We are willing to defend the common goods, mainly Internet neutrality, Press Freedom and Open Source (software & hardware).

To us, those 3 pillars – amongst others – are strong allies for Civil Society and especially for NGOs to defend and promote Human Rights.

This is the reason why we do care about helping NGOs and non-profit organizations who share the same principles.

Cooperation is good for all of us!

In 2017, our community of security researchers participated in 3 bug bounty programs powered by our Bounty Factory:

In June 2017, the first program was launched by OCCRP and it exposed one tool of the organization: VIS.OCCRP.org

As a matter of fact, OCCRP is involved in the original Panama Papers, Paradise Papers amongst many other projects.


Incentive Policy for Coordinated Vulnerability Disclosure

Assessment

For the past ten years or so, organizations have been trying to implement operational policies to avoid “Full Disclosure” reports or “Open Bug Bounty” whose methods are not that good in terms of honesty and responsibility.

Speaking of responsibility, you may be familiar with the notion of “Responsible Disclosure” and wonder how it differs from the concept of Coordinated Vulnerability Disclosure?

The concept of responsible disclosure has too often been at the root of endless discussions:

  • on the one hand, vendors protest: “Disclosing a vulnerability without providing patches is not responsible”
  • and on the other, “Not fixing this vulnerability as quickly as possible is not responsible”, say security researchers.

During this precious time when both sides argue, the system concerned is at the opponent’s mercy.

In order to move towards greater efficiency and to get out of sterile debates, it is therefore important to avoid speaking of “responsible disclosure”. This is why many organizations advocate the concept of “Coordinated Vulnerability Disclosure” (CVD) in order to promote and strengthen cooperation between the various actors in cybersecurity, all of whom have a common goal: Make the Internet safer.

Coordinated Vulnerability Disclosure


Incentive Policy for Coordinated Vulnerability Disclosure.

☄ Assessment

For the past ten years or so, organizations have been trying to put operational policies in place to avoid uncontrolled vulnerability reports, “Full Disclosure” or “Open Bug Bounty”, whose methods leave something to be desired in terms of honesty and responsibility.

Speaking of responsibility, you may be familiar with the notion of “Responsible Disclosure” and wonder how it differs from Coordinated Vulnerability Disclosure?

The concept of responsible disclosure has too often been at the heart of endless discussions:

  • on the one hand, vendors and publishers protest: “Disclosing a vulnerability without providing patches is not responsible”
  • and on the other, “Not fixing this vulnerability as quickly as possible is not responsible”, security researchers retort.

During this precious time when the parties squabble, the system concerned is at the adversary’s mercy, and the adversary takes advantage of it to do harm.

In order to move towards greater efficiency and get out of sterile debates, it is therefore advisable to avoid speaking of “responsible disclosure”. This is why many organizations advocate the concept of “Coordinated Vulnerability Disclosure” (CVD) in order to promote and strengthen cooperation between the various actors in cybersecurity, all of whom have a common goal: making the Internet safer.

Coordinated Vulnerability Disclosure


Cybersecurity & Bug Bounty: Attack is the best form of defense

By Guillaume Vassault-Houlière | CEO of YesWeHack

Through our European platform BountyFactory.io, Bug Bounty is gaining respectability in France and Europe.

Bug Bounty is an innovative and operational practice from the United States that rewards security experts who find security flaws in IT systems.

Within a complex geopolitical context, Europe and France can compete in defending a European model of digital sovereignty.

In the light of new threats and given reports of organizations that are victims of piracy and irreversible damage, some innovative cyber security policies and approaches need to be adopted.

Cybersecurity is a powerful ally for leading digital transformation.


Confronting reality is the duty of every IT security professional

Interview of Stéphane Bourou | Technical Project Manager at Ercom

For 30 years, Ercom has developed a leadership position in the communications, data and terminal security markets.
This position is based on complementary technological expertise in Telco/cloud infrastructure, cryptography and software and on shared values: innovation, expertise, commitment and confidentiality.

Our products and expertise are recognized in France and internationally by major companies, customers, partners and certification entities.

All our solutions are certified or in the process of certification by ANSSI.

Two examples that illustrate Ercom’s expertise:


Qwant.com & BountyFactory.io to harden companies’ systems

Qwant.com’s Security & Privacy Fund is now real and it aims at hardening companies’ systems through our BountyFactory.io!

Qwant has always believed that the development of online services should be done with maximum protection of the confidentiality of users’ personal data. That is why Qwant took a “privacy by design” and a “data minimization” approach from day one, which requires thinking preventively about the technical means and business models that generate as little risk as possible for the privacy of users.

Since 2014, thanks to YesWeHack founders, Qwant has created its bug bounty program.

Each year Qwant offers bounties to the vulnerability hunters gathered at La Nuit du Hack, in Paris. Those programs, run by the HackerzVoice & YesWeHack teams, have significantly helped Qwant to build up skills and to protect their users’ personal data even better.

And for the 15th edition of La Nuit du Hack, Qwant wants to offer other startups and organizations – thanks to its fund – the opportunity to challenge and increase the security of their services with the best hackers in Europe and in the world, to improve privacy on the Internet.

Qwant grants 10,000 euros to this fund, which will pay bounties to hackers who discover vulnerabilities in the services of startups or associations that share Qwant’s ethical values.

Organizations that are selected to benefit from this fund will of course be accompanied to put the bug bounty program together.

You can find all the necessary details to apply for this Privacy & Security Fund at the operation’s official website: https://hackmeimfamous.com/

Shall We Play A Game ? Yes We Shall ⠵

Yes We Hack is proud to be a platinum sponsor of the 15th “la Nuit du Hack” next June 24 & 25 \o/

The forthcoming Nuit Du Hack is about to gather more than 2000 people from all over Europe!

Check the schedule!

☠ ☠ ☠

A bit of History :

Originally, la Nuit du Hack was created by Paulo Pinto aKa CrashFR.

“La Nuit Du Hack” is one of the oldest French underground hacker events, bringing together professionals and amateurs of any skill level around lectures and challenges.

At the very beginning of la Nuit du Hack in 2003, the budget was lower than 1 k€.

Having started with 20 people, the event has never stopped growing, gathering more and more people, from amateurs to professionals.

Now, it has reached 170 k€ thanks to the HackerzVoice Team, Géraldine and almost 100 volunteers 🙂


European Regulation for the Protection of Personal Data and Data Security


By Eric A. Caprioli, Attorney Admitted to Practice Before Court of Appeals, Juris Doctor, Member of French Delegation to United Nations
& Isabelle Cantero, Associate (Caprioli & Associés), Lead for Privacy and Personal Data Practice


The European Regulation for the Protection of Personal Data (GDPR) was adopted on April 27, 2016 after 4 years of involved negotiations. Being a directly applicable regulation in each of the Member States (that is, not requiring a national law to implement), it should enable the harmonization of the statutes having to do with the protection of personal data within the European Union and bring the principles of protection into line with the realities of the digital era. It will go into effect on May 25, 2018. For many companies, these new provisions will involve costs related to the investment required to bring their current tools or procedures into compliance with the new rules.

Single Flexible Protective Statute for All EU Member States

The regulation is applicable to every entity in the private and the public sectors. It applies to the issues of Big Data, profiling, Cloud Computing, security of transborder data traffic, data portability when changing service providers… These issues are to be placed alongside the new advance protection principles (privacy by design or by default), analysis-based protection (impact assessment), documented protection (mandatory documentation serving as evidence of statutory compliance), cascading protection (processor liability and the possibility of joint liability), and stronger protection (rights of individuals and consent). And finally, the accountability principle (i.e. the obligation to prove statutory compliance of how personal information is being handled).

As far as stronger protection for the rights of individuals is concerned, consent should be the focus since it should never be implicit or general and it must be provable (documented and traceable) by the controller. Further, in addition to the conventional rights of individuals, such as access, correction/deletion and objection, the GDPR creates new rights (limitation on data processing, portability, etc.).

As for sanctions handed down by the enforcement authority (CNIL), it should already be noted that they could be as high as EUR 3 million pursuant to the Digital Republic legislation of October 2016, but with GDPR, for violations of obligations set forth in matters of individual rights, they could go all the way to 4% of global revenues, or EUR 20 million. For violations of other obligations prescribed by GDPR, the fines could be as high as 2% of global revenue, or EUR 10 million.

And to round off this brief summary of the changes, the current Ombudsperson for IT and Freedoms (optional designation) will be replaced by a Data Protection Officer whose functions will clearly be broader. This designation is mandatory under certain conditions: in a Government body or authority, whenever data processing enables regular and systematic large-scale monitoring of individuals, whenever sensitive or criminal record information is being processed on a large scale, or whenever required by Union or Member State law.

Personal Data Protection Core Security


Interview of Gilles Cadignan – CEO & Co-Founder of Woleet

First of all, can you introduce us to Woleet?

Woleet.io was founded in Rennes in 2016. Woleet is a data anchoring platform using the Bitcoin blockchain. To sum up, we provide a SaaS platform that receives digital fingerprints of data and proceeds to anchor them in Bitcoin by linking these fingerprints to a transaction having a certain date. To achieve this, Woleet builds a cryptographic structure that allows multiple fingerprints to be put together in a single transaction.

The use of Woleet has many benefits:


YesWeHack is now member of FNTC’s business incubator

YesWeHack is now an official member of the business incubator of FNTC (The Federation of the Digital Trusted Third Parties).

At our conferences, we at YesWeHack have regularly mentioned the real need to build trust in our bug bounty platform, Bountyfactory, and this membership is a milestone for our company.

The FNTC Board met in December to validate our application to its business incubator.

Thanks to the FNTC Board for having accepted us in its business incubator.
