Bug Bounty is primed to muscle in on the Swedish market for compliance-related penetration testing.
That’s a message YesWeHack’s Head of Nordics, Mats Ögren, conveyed during a recent panel debate about Bug Bounty programs at the Royal Institute of Technology (KTH), a prestigious research university in Stockholm.
“I said that Bug Bounty is evolving into covering compliance-related pen testing – going through certain checklists as part of a Bug Bounty program,” recalls Ögren, who was speaking at the CDIS Spring Conference 2023, organised by the Centre for Cyber Defence and Information Security (CDIS). CDIS was co-founded by KTH and the Swedish Armed Forces.
How YesWeHack already supports compliance
Bug Bounty programs can already be used for compliance purposes, even if pen testing remains the primary vehicle for fulfilling compliance obligations.
YesWeHack can, for instance, provide proof of audits through executive reports that detail findings from a client’s Bug Bounty program or pen testing engagements. Many YesWeHack clients leverage their programs to attain ISO 27001 certification, specifically in relation to ‘Technical Vulnerability Management’.
The Bug Bounty model already has some powerful advantages over pen testing, including greater agility and coverage, impact-based pricing and continuous provision through the testing skills of tens of thousands of bug hunters. By also offering comparable compliance coverage, Bug Bounty platforms could deliver yet another compelling benefit.
Sweden plays catchup
Ögren’s fellow panellists included Avanza Bank cybersecurity chief Camilla Lundahl, Microsoft National Security Officer Sandra Barouta Elvin and Carnegie Mellon University professor Virgil Gligor. The panel was moderated by David Olgart, Head of Section and Coordinator for R&T Cyber Defence in the Swedish Armed Forces.
“Generally speaking, a conclusion that I presented is that bug bounty is a great option to secure organisations, including public organisations, but it hasn’t come far in Sweden yet, especially among public sector organisations,” Ögren says. “There is, however, great interest in it among the Swedish cybersecurity industry.”
The panellists also discussed the differences between private and public programs, how Bug Bounty programs compare with pen testing, and how vetting and incentivising hackers burnishes their ‘ethical’ prefix.
CDIS, which was founded in 2020, aims to bolster Sweden’s cyber defences by conducting security research, developing infosec tools, facilitating knowledge sharing between organisations and delivering cybersecurity training to military personnel.
French Army Live Bug Bounty
As Ögren also mentioned during the CDIS debate, YesWeHack already has experience in the military arena, having worked with the French Ministry of Armed Forces on several campaigns since February 2019. The French Cyber Defence Command (COMCYBER) regularly conducts Bug Bounty programs on several dozen internet-exposed assets of the ministry.
Unusually, only army personnel or reservists can participate as bug hunters, which demonstrates the adaptability of YesWeHack’s model to client needs.
In the summer of 2022, the latest and fourth annual live program saw 50 army personnel with cybersecurity expertise uncover 100 valid vulnerabilities on 21 internet-exposed websites and applications, up from 17 targets in 2021 and 13 in 2020. The next phase could involve testing weapons systems.
The CDIS Spring Conference took place on 25 May 2023 and was open to the public. Other talks addressed topics including software supply chain security, defending against advanced persistent threats in Ukraine and academia, and leveraging prototype pollution to achieve remote code execution in modern web applications.
Founded in 2015, YesWeHack is a global Bug Bounty & VDP platform. YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting tens of thousands of cybersecurity experts (ethical hackers) across 170 countries with organisations to secure their exposed scopes and report vulnerabilities in their websites, mobile apps, infrastructure and connected devices.
YesWeHack runs private (invitation-based) programs and public programs for hundreds of organisations worldwide, in compliance with the strictest European regulations.
In addition to the Bug Bounty platform, YesWeHack also offers: a creation and management solution for Vulnerability Disclosure Policy (VDP), a Pentest Management Platform, a learning platform for ethical hackers called Dojo and a training platform for educational institutions, YesWeHackEDU.