/ YesWeHack guides each customer in specifying their Vulnerability Disclosure Policy (VDP), using template models based on best practices: disclosure requirements and guidelines, legal protection ("safe harbor"), etc.
/ If the client has already drawn up a VDP, YesWeHack reviews it and makes recommendations.
/ The researcher is invited to provide information on the vulnerability through a secure online form.
This may include: the name and scope of the vulnerability, CVSS score and impact, description, exploitation steps, proof of concept (PoC), risk, remediation, etc.
/ This set-up reduces noise (irrelevant submissions) and improves reporting quality.
Other providers publish both VDP and Bug Bounty programs on the same platform without making a clear enough distinction between the two approaches:
/ This can be confusing for researchers, who would expect a reward for their efforts.
/ This confusion inflates the number of reports submitted to the organisation.
With YesWeHack, the client's VDP is published on its own domain and nowhere on our platform.
/ Our platform ensures end-to-end encryption of reports.
/ Our platform ensures the traceability of reports by anchoring the proof of deposit within a dedicated private blockchain.
/ Reports are available in the YesWeHack vulnerability management platform interface.
/ Seamless integration of the reports into clients' tools and workflows through the YesWeHack API and connectors.
Optionally, report triage (including interactions with researchers) by a dedicated YesWeHack team.