What is Bug Bounty?

Bug Bounty applies the principle of crowdsourcing to cybersecurity: it mobilizes a community of experts to test a scope and rewards these researchers for each vulnerability discovered, according to its severity and the quality of the report provided. Initiated by Netscape in 1995, the Bug Bounty transforms the cybersecurity posture of organizations by bringing together security effectiveness, agility and ROI.

What is a Bug Bounty platform?

A Bug Bounty platform allows an organization to push a Bug Bounty program to a community of researchers registered on this platform, and allows these researchers to search for and report the vulnerabilities they detect in this program.

What is the difference between a public and a private program?

A private program is submitted to a specific number of researchers, chosen by the client, and is not subject to external communication. A public program is submitted to the entire research community registered on the platform.

How to select researchers for a private program?

YesWeHack helps you choose the number and profiles of researchers best suited to your needs: technical and functional environment of the scope to be tested, specific skills required, maturity/complexity of the scope, budget of your program, etc. YesWeHack therefore guarantees:
1/ the attractiveness of your program: the selected researchers are as active as possible;
2/ its performance: these researchers find as many relevant vulnerabilities as possible;
3/ its budget: you stay within your financial constraints and do not overpay for vulnerabilities.

How to define the scope of my first Bug Bounty program?

To launch your first program, we advise you to start with a limited scope, which you know well – and which has previously been hardened. Once you have feedback from this first experience, YesWeHack support helps you step up gradually: expanding and/or adding scopes, making rules more flexible, and/or increasing the number of researchers.

How to plan the budget of a Bug Bounty program?

The total cost of a Bug Bounty program is based on three main criteria:
1/ the scopes submitted through the program;
2/ the number and profile of mobilized researchers;
3/ the researchers' reward grid.
YesWeHack helps you define and refine these criteria, as well as all aspects of your program, to optimize and maintain your budget according to your financial constraints and security objectives.

How to define and control your Bug Bounty budget?

YesWeHack supports you at every phase of building, launching and monitoring your program so that your program (scopes, rules, reward grids, number and profile of researchers) is consistent with your planned budget.

How can you ensure the attractiveness and performance of your program over time?

If YesWeHack detects a lack of attractiveness or a decrease in the performance of a program, our support recommends rule adjustments accordingly. Such an adjustment generally involves:
– the scope of the program: it may be too restrictive, or already heavily hardened by previous audits or bug bounty programs;
– the number and profile of researchers: in a private program, the teams are regularly renewed or expanded;
– the reward grid: it must sometimes be updated according to the complexity of the vulnerabilities to be discovered.

What are the risks of Bug Bounty?

The operational risks are no different from those of a penetration (intrusion) test. In addition, scopes under Bug Bounty are generally exposed on the Internet, and may be subject to external attacks regardless of their origin. Cases of researchers misusing their participation in a program for personal gain are extremely rare – and nonexistent to this day on our platform.

How do I know whether my organization is "ready" for a Bug Bounty?

The main prerequisites for launching a Bug Bounty program are:
– a minimum capacity to fix vulnerabilities;
– a minimum capacity to respond to researchers submitting reports.
Why “minimum”? Because you don’t need a full-fledged team to manage a Bug Bounty program: you can adjust your program(s) to your technical, human and budget constraints. Organizations of all industries and sizes leverage Bug Bounty and rely on YesWeHack: our support ensures your program fits your actual resources, and suggests the necessary adjustments at every phase of your program life cycle.

Can I interrupt or update my Bug Bounty program?

You can pause, restart or adjust your program at any time, according to your IT, business or operational imperatives (e.g. releases, migrations, patching…). Researchers are informed immediately.

What is a "researcher"?

A researcher (or “hunter”) is an individual who detects and reports vulnerabilities through a Coordinated Vulnerability Disclosure or a Bug Bounty program – and thus contributes to the overall improvement of cybersecurity.

How are the researchers rewarded?

For each vulnerability, only the researcher who submitted the first valid report is rewarded. Researchers are rewarded according to a grid predefined for each program: the severity level of the vulnerability, as qualified by the client, determines the amount of the reward. Bounty payment is managed by a third-party payment platform that meets European compliance requirements and thus guarantees traceability of financial flows. Points are also awarded, in particular according to the quality of the report and of the remediation. These points allow researchers to climb our ranking, and thus encourage them to provide a high-quality experience to the client.

What are a hunter's legal, fiscal, and social obligations?

The Hunter is informed that income generated from his/her activity on the YESWEHACK platform must be subject to taxation or social security charges in accordance with taxation territoriality criteria.

In accordance with the T&Cs, the Hunter expressly acknowledges that he/she is solely responsible for finding out about legal, taxation and social security obligations and for subscribing to and complying with such obligations.

The Hunter is required to make any declarations required by the competent tax authorities and social security organisations, in accordance with his/her status and country of residence within and outside the European Union.

What is a "duplicate" vulnerability report?

These are reports submitted by different researchers for the same vulnerability. Only the researcher who first reported a given vulnerability is rewarded, which encourages researchers to report quickly.

How does YesWeHack guarantee the integrity and ethics of its researchers?

By registering on our platform, our researchers sign our GTU, committing them to strictly comply with the rules of each program they participate in, as well as with the confidentiality of the data they may access. Our hunters also agree to comply with the fiscal obligations of the country they legally belong to, according to their status and place of residence. In addition, before receiving any financial reward, researchers undergo prior screening (KYC) through our payment platform. Finally, researchers are rewarded with points used to rank them on our platform. This rating takes into account the quality of their interactions with customers, and thus encourages them to offer the best possible experience.

How does YesWeHack guarantee your data confidentiality?

Data flows between YesWeHack and our customers are encrypted end-to-end, using the highest-standard security protocols. YesWeHack does not access your vulnerability reports. Our infrastructure is hosted on a sovereign cloud meeting the most stringent security requirements (ISO 27001 certified, CSA STAR, SOC I / II Type 2 & PCI DSS), and our platform is under a permanent public Bug Bounty – the best security guarantee and transparency commitment towards our customers. YesWeHack is fully General Data Protection Regulation (GDPR) compliant.

How was YesWeHack created?

YesWeHack was created in 2013 by experts and cybersecurity enthusiasts, deeply rooted in the researcher community, and at the time holding executive positions as cybersecurity consulting partners or CISOs. Their dual experience as cybersecurity researchers AND professionals led them to the following conclusions:
– Organizations lack a proper Coordinated Vulnerability Disclosure process for researchers to safely report the vulnerabilities they discover;
– Researchers are not encouraged enough for their efforts and contribution to global cybersecurity;
– Organizations' growing needs for agility are not satisfied by traditional solutions, whose ROI is also difficult to measure;
– Those traditional solutions leave too many blind spots on these organizations' attack surfaces;
– The chronic shortage of cybersecurity skills is a major challenge for both client organizations and service providers.
Based on these findings, they created a platform connecting organizations and researchers while ensuring the confidentiality and security expected by both parties: yeswehack.com.