Page 2 of 2

Bountyfactory.io: What about the legal features?

Load European Cybersecurity

Bountyfactory.io – the first European Bug Bounty platform – was launched in early 2016.

Unlike some other platforms, Bountyfactory.io offers specific security and legal features designed to strengthen its relevance, security and legitimacy.

Above all, Bountyfactory.io focuses on security and the legal framework:

Our servers are based in Europe, so there is no data exposure to US services via FISA, the Patriot Act or the Freedom Act.

  • BountyFactory uses OVH dedicated cloud, which is subject to Service Organization Controls, namely SOC 1 type II (SSAE 16 and ISAE 3402) and SOC 2 type II
  • Our infrastructure is ISO 27001 certified
  • Each vulnerability, each report and each comment is encrypted before being stored in our database, and only identified actors are granted access.
  • For financial transactions, BountyFactory complies with the Payment Card Industry Data Security Standard (PCI DSS)
  • In terms of privacy, BountyFactory is subject to the EU Data Protection Reform (January 2012). The Regulation enters into force on 24 May 2016 and applies from 25 May 2018; the Directive enters into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018.
  • Our payment system, MangoPay, is fully compliant with the EU legal framework on anti-money laundering and counter-terrorist financing


***

Beyond those essential standards, let’s go deeper into BountyFactory.io to discover some useful and relevant features:

As a customer – once logged in as Admin-manager – you will be able to digitally sign the General Terms & Conditions of Use thanks to YouSign, a company based in France and subject to both French and European law.

(Screenshots: the GTU signing process, sending the Bug Bounty confirmation code, and validation of the signing process)

Still as a customer, you are free to credit and refund your account at any time.

Bug Bounty Credit and Refund

By default, your bug bounty program will be private, so you can select the hunters (max 50 people) you want to invite.

For instance, you can choose the BountyFactory core team, made up of 10 people.

Yes We Hack Bug Bounty Private Team

And let the game begin!

The chosen hunters will start searching for vulnerabilities within the scope you defined with BountyFactory Manager.

Bug Bounty Program Management is a differentiating criterion, and this feature will be the topic of a forthcoming dedicated post.

To save time and gain efficiency, only confirmed, genuine vulnerabilities are taken into account.

Therefore, you will see the number of bugs found in your dashboard. Each bug is categorized according to OWASP criteria.

The screenshot below shows more details about the gamification feature, which focuses on the quality of the reports submitted by bug bounty hunters.

The admin-manager is able to rate a well-written report on a vulnerability and allocate one or several points to it.

Validation of the Vulnerability Report

Over Communicate

Comments are very useful for discussing details with the researcher, and they significantly strengthen communication between the requester and the hunters.

Comments of the Vulnerability Report

One important step is the following: how you reward a good hunter.

Thanks to MangoPay technology and security, a hunter can be paid by credit card or through your wallet. MangoPay is a service provided by the French bank Crédit Mutuel Arkéa.

Rewarding Bug Bounty Hunter

The Dashboard gives you an overview of bug types and statuses.

(Screenshot: dashboard showing the types of bugs)

As a Game Master: manage your budget, your timing, your hunters

For instance, the screenshot shows that you can keep an eye on your budget by checking the statistics of the ongoing bug hunt (average and maximum rewards out of your total budget).


At any time, you can choose to switch from a private program to a public program.

Switching from Private to Public Status

This step is particularly critical, so the BountyFactory Manager will be notified.

To avoid mistakes, the YesWeHack Program Manager will double-check with the requester that the move is legitimate.

To sum up, BountyFactory.io provides original features that help customers manage their Bug Bounty Programs with the right specifications, layers of security and trustworthy standards.

Register and open your own bug bounty program!

***

/!\ Keep in mind /!\

We Have More Features to Show You

We will keep you posted, folks!


Read More > Our FAQ

The Internet of Elevators, of Cars, of Weapons!


Have you ever watched The Lift? It is a Dutch horror movie by director Dick Maas about an intelligent (or smart?) and murderous elevator starting a killing spree. (Source: Wikipedia)

Scary, isn’t it?

Beyond fiction, the film “The Lift” aimed to question technology and systems you cannot regain control over.

Nowadays, we are told about the benefits of design thinking, internet of things and their tremendous power in terms of digital and economic development… Oh wait.

Unfortunately, the Internet of Things is driven by marketing-ravenous hyenas, and very few IoT companies are inspired by what we could call Security Design Thinking.


Today, within the Internet of Things, the auto industry has to struggle to prevent itself from being hacked, both by criminals and by its own blind appetite for market share at the expense of its duty in the field of security.

Imagine the antithesis of the legendary film “Rebel Without a Cause”, where the hero no longer drives a car as a symbol of freedom but is the prisoner of a runaway wagon.

The revelations concerning the recent fraud by Volkswagen (by the way, VW is not an isolated case) highlighted what is at stake in terms of security in the fabulous world of the Internet of Cars.

Before reaching the point of no return, car companies and end users should deeply consider the following thoughts:

  • Cars, like drones and planes, are not harmless devices

In terms of security and safety, the auto and aeronautics industries have to be exemplary, and they constantly have to improve their technology and their protocols. Unlike many devices of the Internet of Things, cars and planes are massive vehicles. They can cause real and serious damage when they are out of control. Unfortunately, they can be used as weapons. Therefore, smart and connected cars could be potential mass killing machines.

  • Millions of cars as one botnet

Like any device of the Internet of Things, a car can be pirated and enrolled in a botnet. In this case, a huge number of cars can be orchestrated as one single system driven by just one freak. Remember Skynet! Needless to say, a terrorist attack could be coordinated via this kind of botnet.

  • Top priority: Privacy and Security by Design

IoT companies seem far from tackling the highly critical issue: how to secure the entire chain of their business, including their precious customers (known as end users), their reputation and their data.

The Internet of Cars could, somehow, be a strong ally for security (reducing car accidents) and environmental issues (reducing the CO2 emissions footprint), but automakers don’t seem to prioritize it acutely, despite some attempts like the Automotive Cybersecurity Best Practices.

The auto industry has to embrace privacy and security by design; it must think about and implement these concepts before moving on to the unbridled production of hackable products.

Examples of compromised connected cars are legion, such as Tesla, Range Rover, etc.

To address these concerns and data compliance issues, car manufacturers need to address privacy and security issues and legislative requirements at the design stage – and not as an afterthought – and, in the EU at least, will need to develop technological solutions to empower individuals to track and manage their own data.
– Taylor Wessing, “Privacy by design – essential for the growth of the Internet of Things?”

  • The vital need for an offline button.

In case of emergency, every single connected car should be provided with a kill-switch feature, meaning that at any time one could switch a smart car from a fully connected mode to a fully manual and offline mode, including the old-school and reliable steering wheel.

  • Fighting the diktat of Obsolescence

Tackling the issue of obsolescence is highly relevant, especially when the world is facing global climate change. Beyond security, car manufacturers have to improve the reputation of their products and thus adapt their marketing policy by promoting the sustainable quality of their vehicles.

  • The fallacious comfort of voice control, keyless and wireless features

The Internet of Things is a constellation of connected devices; it requires user-friendly innovation to improve its adoption by speaking human beings. It turns out to be clear that voice control, keyless and wireless features are to be core parts of IoT UX, namely user experience.

That generalization of wireless and keyless features is a real curse, for it exposes more and more IoT devices, and therefore smart cars, to criminals. There are numerous testimonies asserting that thieves use electronic cloning tools to illegally open and drive cars. Those kinds of tools can easily capture and reproduce voice spectrum, wireless signals and so on. Therefore, encryption and physical tokens are still good layers of security for multi-factor authentication (MFA).

Indeed, it has been said that multi-factor authentication is the worst form of security except all those other forms that have been tried from time to time. – The Churchill way of IT security 🙂
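As an added example (not code from the original post), the following Python sketch shows why a recorded wireless signal works against a car that listens for a fixed unlock code, and why it fails against a single-use nonce challenge-response keyed on a secret held by the car and the fob. The shared key, message layout and class names are constructed for illustration and do not describe any real vehicle.

```python
"""Constructed demo: static unlock code vs. nonce challenge-response.

A capture-and-replay of the radio exchange is modelled as re-sending the
bytes heard on the air. Key material and formats are invented for the demo.
"""
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-demo-key-do-not-use"  # assumption: fob/car pre-shared secret


class StaticCodeCar:
    """Car that unlocks whenever it hears one fixed code: replayable by design."""

    def __init__(self, code: bytes) -> None:
        self.code = code

    def unlock(self, message: bytes) -> bool:
        return hmac.compare_digest(message, self.code)


class ChallengeResponseCar:
    """Car that issues a fresh random nonce and expects HMAC-SHA256(key, nonce)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.pending: set[bytes] = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # unpredictable, never reused
        self.pending.add(nonce)
        return nonce

    def unlock(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.pending:  # unknown, expired or already-used nonce
            return False
        self.pending.discard(nonce)  # single use: a recorded answer cannot be reused
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def fob_answer(key: bytes, nonce: bytes) -> bytes:
    """The fob's side of the handshake: prove knowledge of the key for this nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replayed_static_is_accepted(car: StaticCodeCar, captured: bytes) -> bool:
    """Re-sending a recorded fixed code opens the static-code car."""
    return car.unlock(captured)


def replayed_response_is_accepted(car: ChallengeResponseCar) -> bool:
    """Record one legitimate exchange, then re-send it: the car must refuse."""
    nonce = car.challenge()
    captured = fob_answer(SHARED_KEY, nonce)
    assert car.unlock(nonce, captured)  # the genuine first use succeeds
    return car.unlock(nonce, captured)  # the replay is rejected
```

Returning a constant code to the car is the weak setting; the nonce path is the corrected one, and the same pattern is what a physical token adds to MFA.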

  • Security is a continuous process

First, security through obscurity is no cure, because it hides potentially critical bugs.

Definitely, the car industry should strengthen its proof of concept by continuously testing the robustness of its technology. Open source code enables companies to improve their protocols.

By open-sourcing the code and submitting it to communities (IT security experts, hackers, FLOSS developers), automakers will significantly increase the degree of their products’ security, especially thanks to bug bounty programs.

There was a landmark: for the first time in the history of the automotive industry, Fiat-Chrysler invited hackers to test its cars within the framework of bug bounty programs with clear boundaries made of legal and financial norms, such as BountyFactory.io.

To sum up, the car industry has to find its Way within the IT security experience by questioning itself and applying the OODA loop scheme.

the Way is not an end but a process, a journey… The connections, the insights that flow from examining the world in different ways, from different perspectives, from routinely examining the opposite proposition, were what were important. The key is mental agility.
– John Boyd

(Source: The Tao of Boyd: How to Master the OODA Loop)

YesWeHack Team will attend “les Assises de la sécurité”

From 5 to 8 October 2016, join us for the 16th edition of Les Assises.

“Les Assises de la sécurité” is a key annual event for any professional who is keen on information systems security.

Les Assises will gather more than 2000 people in Monaco to discuss what is at stake in terms of IT security.

YesWeHack Team will be represented by Manuel Dorne aka Korben & Guillaume VASSAULT-HOULIÈRE aka Freeman. On October 5 at 5 pm, Guillaume will participate in a round table, “Are the search for security breaches and the collaborative economy compatible?”

YesWeHack Team has a strong experience within Hackers’ communities and the way they deal with legal and accountable disclosure of vulnerabilities.


Goals and means of a bug bounty hunter.

These days, bug bounty hunters are trending within the IT security ecosystem, but very few articles deal with the DNA of a bug bounty hunter.

At Bountyfactory.io, we consider that, unlike hackers, bug bounty hunters have to respect and fit legal frameworks and norms.

So, if you are willing to become a bounty hunter, please take the following items into account.

Here are the goals you should be driven by:

  • Keep on having fun
  • Make the Internet more secure for your loved ones and, by extension, for all end users. Given the rise of two main concepts, “Privacy by design” and “Security by design”, your role is more important than ever. By instinct, you are strongly devoted to protecting people from crooks and all sorts of criminal mercenaries.
  • Share and improve your knowledge and skills. Gain wisdom and empowerment.
  • The more, the merrier: open and strengthen your circle of acquaintances and friends.
  • Get rewards, especially cash (not only t-shirts and miles, for instance).
  • Forge your reputation and fame, and defend your ranking like a professional tennis player. Eventually, be hunted by recruiters for a well-paid and interesting position in the best IT security company you have been dreaming of. Check Bounty Factory’s ranking page.

Here are the means you should deploy to pursue your goals:

  • Keep learning the languages you are supposed to work with.
  • Spot and exploit the main weakness of each language.
  • Trust your knowledge: use your existing skills, especially as a programmer, to spot and find vulnerabilities.
  • Focus on concise reporting: once you have found a vulnerability, your duty as a hunter is to provide a clear and relevant report so that someone else can reproduce it properly.
  • Explore new dimensions: after you’ve learnt how to deal with basic vulnerabilities (e.g. IDOR, CSRF), you should move a step forward and look into XSS ones.
  • Cherish and practice reverse engineering.

Being core-hunter of Bounty Factory Private Team


My nickname is Onemore and I am a core-hunter of the BountyFactory.io private team.

I’ve been hunting for bug bounties since 2012.

As a core-hunter for BountyFactory.io, my job is to spot talents and ask them to join us.

Even if our recruitment is subject to a co-optation process, I do have some criteria that help me spot and rate new applicants.

In order to level up the degree of trust, we need to apply some criteria for recruiting our core hunters.

Those criteria are based on skill, level, openness and ethics, without omitting the ability to produce clear and relevant reports.

In terms of languages, the basic expected knowledge trio is the following: Python, PHP and JS. Obviously, this implies that hunters are to keep on learning other languages and techniques.

Before going public, bug bounty programs are supposed to be private, because our very important customers demand a legal framework and a concise scope.

The very core of our private team respects the following motto:

Legal conditions demand loyal and trustworthy people.

Based on this code of conduct, only 10 hunters are part of our private team out of the 1200 hunters registered on Bountyfactory.io: 7 are professional pentesters and 3 are from different backgrounds.

Our expertise is not focused on massive hunting but on our efficiency:

Quality of service takes priority over a huge number of hunters.

Last but not least, our platform complies with standards like ISO 27001. Moreover, our General Conditions of Contract have been reviewed and approved by the legal teams of OVH and Orange.

So, if you wanna try to enter our first circle, then cross the threshold and smell the coffee, honey! > https://bountyfactory.io/register/hunter

Our Crowd Security Way

The video below presents the genuine and trustworthy commitment of our Bounty Factory.

BountyFactory.io: the first European platform for Bug Bounty

Computer security is a strategic challenge for all organizations and companies. Carrying out an inventory is essential to get an overall view of the situation. Security audits should be performed regularly, but their costs are high.

Bug bounty programs allow companies to outsource the search for vulnerabilities by collecting a significant number of security flaws that will be reproduced and analyzed. This improves the code and prevents new risks.

With a good bug bounty program, a company can continuously check the security of its site or its applications. Hundreds of experts will test the sites and be rewarded (financially or otherwise).

Submitting your site to a bug bounty program is affordable. You can communicate about its security, and also be proactive and reactive in case of vulnerabilities.

By participating in bug bounties, security researchers apply their knowledge legally, get paid, enrich their network and enhance their expertise. YesWeHack launches the first European platform for Bug Bounty: BountyFactory.io.

BountyFactory.io is an easy way to secure your platforms.

To create their own bug bounty program, startups, large enterprise groups or project holders have to register on our platform. They have to define a scope, a reward, and whether the program will be private or public.

Security researchers who are registered on Bountyfactory.io then take note of the bug bounty program’s details.

When one of the hunters finds a bug inside the scope, it has to be validated by the bug bounty initiator. Once recognized, the hunter will instantly be rewarded and credited skill points that highlight him on YesWeHack.


About YesWeHack:

YesWeHack, launched in 2013, connects organizations or projects with IT security needs with qualified people.

Three interrelated platforms are available:

YesWeHack Jobboard: the first job site specializing in computer security.

Bounty Factory: the first European platform for Bug Bounties.

FireBounty: Bug Bounties aggregator.


YES WE HACK © 2017