Can you describe dailymotion and the role you have within the organization?
Since 2005, dailymotion has been pioneering video streaming and delivery and is now making its comeback as a major video destination platform. I’m dailymotion’s CISO.
What is dailymotion’s history in terms of coordinated vulnerability disclosure and what milestones have you been through?
When we saw our first user notification *on Facebook*, we realized that we were lacking a proper channel for our users and the security community to notify us of potential issues.
For our users, we created a security category on our support portal, with instructions for the support team as to how to route these specific inquiries. For the security researchers, we had a firstname.lastname@example.org address created.
This went a long way and we had some surprisingly interesting notifications from the users, the InfoSec community and academia.
Since we later introduced a private bug bounty program, we were able to use it to reward these spontaneous notifications.
This didn’t really prevent the occasional researcher from tweeting about an issue before they even gave us a head’s up, but it really helped us build a strong experience on vulnerability disclosure that turned out to be very useful when writing our disclosure policy, that we published at the same time as we opened the bug bounty to the public.
We have made this disclosure policy available in our “security.txt” file, an draft internet standard aiming at facilitating the disclosure of security issues.
You have recently opened up your bug bounty program to the public, what’s your feedback?
Bitte stellen Sie Matrix Requirements und Ihre Rolle im Unternehmen kurz vor
Bevor wir 2014 Matrix Requirements (Matrixreq.com) gründeten, waren wir Projektmanager bei einem Medizintechnikunternehmen und hatten erkannt, dass wir für die Rückverfolgbarkeit des Designs ein besseres Tool benötigten. Daher entwickelten wir MatrixALM zunächst für den Eigenbedarf.
Die Gründung von Matrix Requirements zur unabhängigen Vermarktung dieser Anwendung erfolgte erst später.
Matrix Requirements ist ein vierköpfiges Team, das bereits 100 Kunden mit insgesamt 700 Nutzern akquiriert hat, was für ein so kleines Team eine beachtliche Leistung darstellt.
30% unserer Kunden kommen aus den USA und ähnlich viele aus Deutschland, der Rest entfällt auf die übrigen europäischen Länder sowie Israel, Australien, Indien und Kanada.
Meine Aufgabe im Team bezieht sich vorwiegend auf Back-Office, Netzwerke, Datenbanken und Linux-Server. Es versteht sich von selbst, dass Sicherheit bei mir höchste Priorität hat.
Was hat Sie dazu bewogen eine Bug-Bounty-Übung anzusetzen?
Auch wenn wir ein kleines Unternehmen sind, haben wir die ISO13485:2016 Zertifizierung erhalten und streben auch die Zertifizierung nach ISO27001 an. Diese Standards erfordern die eingehende Untersuchung der mit unseren Prozessen verbundenen Risiken. Ein offensichtliches Risiko in Unternehmen wie dem unseren ist natürlich das unbefugte Eindringen Fremder in unsere IT-Systeme.
Every organization is concerned by cybersecurity and most of them can see that traditional solutions (penetration testing & scanners) are not sufficient anymore. As a result, whatever the size or industry, they are increasingly numerous to opt for Bug Bounty.
By 2022, crowdsourced security testing platform products and services will be employed by over 50% of enterprises, up from less than 5% in 2018.
Gartner 2018 Market Guide on Crowdtesting
Indeed, Bug Bounty is the only solution that can pretend to exhaustiveness, responsiveness and continuity in the tests. More importantly, Bug Bounty meets organizations growing need for agility > https://www.yeswehack.com
For all that, any organization that wishes to set up/implement Bug Bounty programs is not ready to manage by itself yet; indeed the Bug Bounty process involves:
• The program‘s creation : determination of the scope, rules, researchers’ reward grid, etc.
• The program’s day-to-day management and interaction with the researchers
• Vulnerabilities and researchers’ test reports validation and management
Lacking time, resources, skills and process, some organizations can be intimidated by the implementation of a Bug Bounty Program in spite of unrivaled benefits they could get out of it.
YesWeHack is delighted to be included in the 2018 Gartner Market Guide for Application Crowdtesting Services.
For the first time, Gartner references a European Bug Bounty platform. It is a landmark for us as we are the leading European platform, not only in terms of quantity of hunters, but also in terms of active public programs.
Guillaume Vassault-Houlière, YesWeHack CEO
According to Gartner: “By 2022, crowdsourced security testing platform products and services will be employed by over 50% of enterprises, up from less than 5% in 2018.” Based on that assumption, YesWeHack is the right company at the right place: the crowdsecurity market window is wide open and very promising indeed.
Once again, YesWeHack strengthens its growth and asserts its genuine European belonging by complying with European legal framework.
Bug Bounty by YesWeHack
YesWeHack is the first European Bug Bounty platform, it provides a community of 7000+ cybersecurity researchers to organizations seeking to improve their global security.
A Bug Bounty program maximizes your return on investment by rewarding researchers on results only. It is an ideal complement to traditional IT security audits, which are, by nature, limited in time and without guarantees or performance requirements.
Presentation of Matrix Requirements and your position
Before we co-founded our German company, Matrix Requirements (matrixreq.com) in 2014, we were project managers in a medical devices company and it was clear to us that we needed a better tool to manage the traceability of the design. We built MatrixALM for ourselves and later on we created Matrix Requirements to launch our application independently.
Matrix Requirements team is 4 people which is quite honorable compared to our results so far: we have about 100 customers totaling about 700 users.
30% of our customers come from the US, about 30% from Germany and the remaining in rest of Europe, Israel, Australia, India, Canada.
My role in the team is more on the back-office, network, databases, Linux servers. Needless to say I’m very concerned about security.
What are the reasons that led you to embark in the bug bounty exercise ?
Even though we are quite small, we are certified ISO13485:2016 and on the way to be ISO27001, and this type of standards mandate that we study the risks of our processes. Of course one obvious risk in our type of business is the intrusion of our information systems.
We’ve had intrusion attempts in the past an we protected ourselves with quite elaborated active rules on our firewalls. We’ve had an audit from a group in KULeuven, and one of their recommendations was to go through a bug bounty exercise.
Why did you chose YesWeHack ?
We first asked a well known US bug bounty company but the pricing was out of reach for us. Then we discovered YesWeHack, through the OVH DLP accelerator (we are also members). We contacted them and found out quickly that their offer matched what we were looking for: a group of researchers that could investigate our security in BlackBox mode. In particular we wanted to be able to talk to the researchers in English and that is a given on that platform.
What are the results of your private phase ?
The private phase was achieved with a group of 10 researchers, and they came back with 5 vulnerabilities. Frankly, we were relieved that none of the reported vulnerabilities were severe, which confirmed that we already had quite a good security maturity.
Of course we can never rest in this field, but what were returned to us were subtle weaknesses that wouldn’t allow by themselves anyone to actually enter our site.
We rewarded the researchers anyway, understanding that sometime a combination of small weaknesses could lead to an actual attack vector. The exchange with the researchers were very fruitful and they gladly checked that our fixes were efficient as well.
That dialogue is really the positive aspect of the exercise: we forced ourselves to reply quickly to the remarks, and they were very quick to answer back and offer suggestions to solve the issues if needed.
What are you waiting from the public phase ?
Opening the bounty to all the ethical hackers on the platforms in YesWeHack should lead to much more return for us, and should help us solidify even more our application and its API. I hope nothing too bad will come out of it but of course I prefer hearing about it this way: we have to detect potential security issues as soon as possible.
A bug bounty program is a practical way to put your work to the test. We hope to learn a lot from this public phase – through ways that we wouldn’t have thought about ourselves.
Today more than ever (think Facebook, British Airways, …) we must stay humble and remember that ‘Security through obscurity’ doesn’t exist and it’s only by putting your cards on the table and be pro-active that you can ensure a decent level of security.
Fort d’une reconnaissance déjà acquise dans de nombreux pays, YesWeHack aspire à convaincre les organisations suisses préoccupées par le renforcement constant de leur sécurité et la recherche de services innovants.
Dans ce contexte, YesWeHack est fier d’annoncer l’ouverture d’un bureau à Lausanne.
A travers cette présence locale, YesWeHack servira au mieux les organisations publiques et privées helvétiques, en mettant à leur disposition sa plateforme de Bug Bounty (la première en Europe).
A la lumière des derniers incidents ayant affecté les services de santé de Singapour et le site internet de British Airways, il en résulte que des millions de données personnelles ont été divulguées, les entreprises et organisations suisses doivent être plus mobilisées que jamais pour sécuriser leurs systèmes. YesWeHack, à travers sa plateforme de Bug Bounty, apporte une solution innovante, simple et efficace, destinée à devenir incontournable dans l’arsenal défensif des entreprises et des administrations helvétiques.
Guillaume Vassault-houlière, CEO de YesWEHACK
Le Bug Bounty façon YesWeHack
YesWeHack, la première plateforme européenne de Bug Bounty met au service des organisations désireuses d’améliorer leur sécurité, une communauté de plus de 5400 chercheurs en cybersécurité.
Un programme de Bug Bounty maximise votre retour sur investissement en rémunérant les chercheurs au résultat. Il complète idéalement les audits de sécurité traditionnels, ces derniers étant, par essence, limités dans le temps, et sans garantie ni obligations de résultats.
YesWeHack is proud to be one of the numerous Platinum Sponsors of #NDH16 ! We are longing for having Fun and meeting you Folks in this temple of science.
In this age of panic where the powers in place are trying to mitigate “fake news” (well… let’s say more precisely propaganda or misinformation), La Cité des Sciences et de l’Industrie symbolizes knowledge in many ways, Science is one the best allies to counterattack lies and conspiracy theories.
As a famous place in Paris, La Cité des Sciences et de l’Industrie provides through three levels : a 900 seat amphitheater, 2000m2 of exhibition area and one space called the « Loft » with its 1000m2 fully dedicated to hacktivities and games orchestrated by the HZV’s Team <3
As OVH bug bounty manager from March 2016 to March 2018, Vincent Malguy, through this interview, delivers his return of experience to share some tips with people who wonder how to set up and manage a program.
In the early 2010’s, many companies in the IT sector like Facebook or Google started to launch bug bounty programs and within OVH this appeared as an obvious need. However, it took time to frame the project and to meet all the operational conditions to take the leap.
In 2015, when I was recruited by OVH, it was time to put in place all the bricks to calmly launch a bug bounty.
Back in the day, we identified two issues: the issue of vulnerability export and the legal complexity when paying rewards.
Of course, we evaluated the possibility of launching it without external help but we quickly gave up the idea because it is not our core business.
In any case since the beginning, it has been clear in our minds that a real bug bounty program is, in the long run, a program open to a wide audience.
In January 2016, we met with Korben and Freeman. They presented YesWeWack’s roadmap to launch the first European bug bounty platform.
The timing was perfect and we decided together to launch OVH’s public program on the occasion of “la Nuit du Hack” in June 2016.
In this exercise we have the support of the management and technical teams.
Based on that internal mobilization, we started to carry out an additional audit on the initial scope in order to ensure its maturity. We then worked with the communications, legal and accounting teams. Once these prerequisites were gathered and validated, with YesWeHack, we started with a 1 month private window.
Since September 2017, BlaBlaCar has been managing with a select number of security experts a private Bug Bounty program to enhance the operational security of its platform.
Previously accessible only by invitation via YesWeHack.com, YesWeHack’s bug bounty platform, this program has enabled BlaBlaCar to remain proactive on the cyber security of its services.
Thursday April 19, BlaBlaCar’s program is public
What is your role at BlaBlaCar?
I am a backend developer profile, today overseeing application security. When I joined BlaBlaCar, I was in charge of the platform’s performance and security. In mid-2015 and early 2016, our operational security needed to level up significantly, especially following our major fund-raising campaigns, which put BlaBlaCar under the light and pressure. So at that period of time, i took the lead of a small team to mitigate these attacks, and audit/consolidate the platform.
What is your approach to security, including coordinated vulnerability disclosure?
We have kept application security in-house for a long time. Previously, we used classical audits conducted by various companies, by several basic pentest applications, by using static analysis tools, etc. I think it helped to rough out a lot of little things that would have been detected by bug hunters.
In addition, we received a few troll messages on Twitter reporting vulnerabilities without notice and without any details… We also have some emails via customer support about potential security holes, but nothing was disclosed by these contacts, they first wanted to be paid and this, without proof of the existence of a security flaw, so it was impossible for us to enter the game.