What made you decide to launch a Bug Bounty program?
We mainly launched a bug bounty because of our short delivery cycles. We were used to doing “traditional” pentests once a year, but as we have a lot of changes every month on our scopes, we simply could not wait 12 months for the next audit. Bug Bounty enables us to carry out continuous checks, for each release, update, new delivery, etc.
Hey, we just wanted to greet the talented hacker community using our platform and reward them for their skill.
As technology moves forward, so do the threats to the tools we use every day. GitHub is one such tool, enabling software developers to collaborate within and across organisations. One way of keeping tabs on GitHub is gitGraber which detects sensitive data available on the platform.
What made you decide to launch the Bug Bounty program?
Daniel Diez – Head of the Digital Factory Division, Groupe ADP :
“The Group Security team took the lead on this project. I had no prior experience of Bug Bounty, but we very quickly saw the model’s advantages and power. And although I never had any particular doubts or worries, now all I see is the benefits. The bugs reported by hunters are vulnerabilities that we and our auditors may not have seen otherwise, and which could therefore be exploited by bad guys.”
Eric Vautier – Group CISO, Groupe ADP: “In cyber security, anticipation is everything. You need to stay a step ahead of the hackers. This means keeping a close eye on market innovations.
In the digital world, doing “old-style” protection means you are clearly behind the game. And a good way to catch up is to work directly with security researchers who use hackers’ methods and think like them.”
Daniel Diez: “We started Bug Bounty wondering if we could successfully adapt the model to our way. Today, it is one of the pillars of our web security strategy. Of course, it’s vital to set the program’s rules carefully: you have to structure the tests in the right way so that the hunters don’t “disperse” their efforts. You need to identify the right “boundaries”, and this is where the program setup is essential. We started with a tightly drawn scope and expanded it as we went along.”
What value can Bug Bounty add compared to traditional cyber security solutions (e.g. pen test)?
Daniel Diez: “Continuous testing – this is Bug Bounty’s big strength. Pen tests are run at a given point in time – not following every minor delivery. While with Bug Bounty, we have hunters working continuously, remaining alert to anything new, which means they can detect whether any change creates potential vulnerabilities.”
Eric Vautier: “In a perfect world we should systematically test each update on our website. This would mean running a pentest every week, or even more often… And everyone knows that’s not feasible. Bug Bounty makes such continuous verification possible.”
Daniel Diez: “I’ve been getting reports we never got from our pen tests – way more in-depth reports, particularly on the website navigation experience. Auditors don’t necessarily have this approach. What’s more, a pentest has a limited timeframe, whereas hunters take the time they need to go as far as possible. As time goes by, they also get increasingly familiar with our scope, which means they can go even more in depth.”
Eric Vautier: “A Bug Bounty program can also be used to report more functional, not just technical, application vulnerabilities. For me, this is what genuinely differentiates it from the pentest. It is a completely different angle. A pen test often relies on automated tools, while Bug Bounty builds on these tools with a more human approach.”
Daniel Diez: “What is also interesting is the interactions with hunters. They help us understand the vulnerabilities they’ve found and how to fix them effectively. In this way we can leverage their expertise.
For sure, Bug Bounty demands some investment. You have to be available to understand what the hunters have tried to do, to talk to them…
But they force us to ask ourselves fresh questions: how would a bad guy get round our protection measures?”
Is Bug Bounty the end of pen testing? Or will it always remain complementary?
Daniel Diez: “For me, neither works without the other. For one thing, we are not necessarily testing the same things with both. And we cannot set off into the unknown without having some minimum level of certainty in advance. Bug Bounty comes in at a more mature stage in the logical flow of events. You need to leverage a minimum base level of security before launching Bug Bounty. That said, today, within the current scope, we no longer need to run pentests. Bug Bounty is enough on its own. You need to set the bar at the right level at the outset, and it then becomes a recurring process.”
How does Bug Bounty fit with your agile approach?
Daniel Diez: “Like everyone, we have tools to manage sources, builds, projects and performance analytics. We also use tools to log and track each new vulnerability report from the Bug Bounty program. For each sprint we verify which relevant data we can include, so we can deal with issues as they come.”
Why have you gone public? How has that changed your approach with Bug Bounty?
Eric Vautier: “The main advantage is to maximise our risk coverage by multiplying the number of potential tests. Also, it gives us a single channel for reporting vulnerabilities in our website.”
What comes next?
Eric Vautier: “We are going to open up new scopes, on other applications and with other business entities using the same model: private program first, then going public.”
Singapore Polytechnic (SP) successfully concluded its first ever bug-bounty event, held in partnership with YesWeHack, Europe’s leading bug bounty platform.
The first such workshop held by the institution, it brought more than 30 second- and third-year students from the Diploma in Infocomm Security Management back to school from their vacation to learn the ins and outs of bug-bounty hunting.
During the bug bounty hunt, the Singapore Polytechnic students found a total of nine critical vulnerabilities in the applications, and by the end of the workshop, one group successfully penetrated and gained full admin rights to one of the applications – impressive for the first timers!
Bug bounty programs are a growing industry best practice, implemented by both public and private sector organizations across multiple sectors in Singapore. With cyber-attacks growing in scale and complexity, bug bounty has been recognised by the Singapore Government as an initiative to strengthen collaboration with the cybersecurity community to safeguard systems and digital services.
Life-long learning plays a significant role in advancing Singapore’s digital defence mandate. Equipping and exposing future talents to the latest technologies and practices creates a highly-skilled and sustainable workforce, which is especially vital in the area of cybersecurity, which is fast evolving.
This is well in line with Singapore Polytechnic’s ongoing efforts to keep the Diploma in Infocomm Security Management (DISM) course relevant to industry demands. Through the bug bounty event, students gain the technical know-how to detect bugs that are generally difficult to find using standard tools or techniques. Moreover, the out-of-curriculum activity complements the lessons taught in the course by allowing students to apply their existing skills and knowledge to real-life situations.
“The bug bounty workshop was well-received with our students. At Singapore Polytechnic, we aim to equip our students with the latest knowledge and skills. We are confident that the bug-bounty session gave our Infocomm Security Management students an insight into the cybersecurity industry and we’re exploring the inclusion of bug bounty programmes as part of the curriculum in the diploma course,” said Samson Yeow, Course Chair, Diploma of Infocomm Security Management, Singapore Polytechnic.
“Throughout my education at Singapore Polytechnic, I’ve had the opportunity to attend cybersecurity events like Capture-The-Flag competitions, which has allowed me to learn new things and further enhance my skills. Bug-bounty is very different, you’re trying to exploit a real and live application. This raises the difficulty level and requires me to pick up new skills and knowledge that cannot be found in a school environment,” said Jonathan Tan, a Year 3 Infocomm Security Management student.
“Singapore Polytechnic is setting a great example by taking a bold move to explore bug bounty as part of its course module. As one of the first tertiary institutions in Singapore to equip students with industry-level bug-bounty skills, we are excited to partner with them to explore ways to further enhance the learning experience for their future talents,” said Kevin Gallerin, Managing Director, Asia Pacific, YesWeHack. “Ethical hacking will increasingly become a larger focus as organisations tackle the cybersecurity threat, and training needs to start from young.”
We have recently been asked how our ranking point system works and how report quality is evaluated.
Our system has evolved quite a lot since inception, and some new report quality rating features have been added.
The first step of a bug report’s life cycle is being (hopefully) accepted as valid by the program owner. Otherwise it is classified as invalid and receives an additional qualification that can eventually lead to a negative rating, as illustrated below:
Note that a valid report can be re-triaged as “Informative” or “Won’t Fix” after validation and before being accepted.
2- Accepted stage
Now that your shiny report has been accepted by the program owner, congratulations, you are now eligible for a reward.
But how are your ranking points calculated exactly?
a – Bounty
Depending on the bounty tier your report falls into, you are rewarded with ranking points:
– 15 POINTS for every bounty under 500€
– 25 POINTS for every bounty from 500€ to 2000€
– 50 POINTS for every bounty over 2000€
b – Quality rating
The program owner can also reward the quality of your report and attribute 1 to 5 additional ranking points.
c – CVSS scoring bonus
Again, the program owner can give you 1 additional point if the CVSS score in your report is judged accurate.
As summed up in this chart:
You also get 7 additional points once the bug is resolved, as a big thank you.
3- The big picture.
Finally we’ve stitched it all inside a single graph for your convenience.
Is our ranking system clearer?
You can refer to our leaderboard to discover the top 100 hunters.
Hunters and Program Managers can now track our interfaces and backend evolutions.
We’re working hard, under the hood, to offer you the best experience possible.
Since the first iteration of the platform, we have already come a long way, with many new feature milestones along the road.
You can now track them all in a unified interface: the YesWeHack Changelog.
You can get to the changelog from the top blog menu.