Back to Decathlon’s Live Bug Bounty

June 15, 2022


As every year, YesWeHack, the global Bug Bounty & VDP platform, organised a Live Bug Bounty during the International Cybersecurity Forum, held in Lille, France. This year it was the turn of Decathlon, the giant sports and entertainment retailer, and its Technology team to take part in these two days of intensive hacking!

🏃 Ready, Set, Hack!

Operating in over 70 countries, addressing the needs of 500 million users of its products and services and with a community of over 100 million members, Decathlon is a major digital player with high visibility and exposure to cyber risks.

Decathlon’s cybersecurity teams deploy numerous resources and tools to ensure the security of the company’s activities in the 70 countries in which it operates. Among the actions carried out by the company’s cybersecurity teams in order to remain at the cutting edge of innovations, Decathlon has been in a private Bug Bounty program for a year on the YesWeHack platform.

“Bug Bounty is challenging and engaging for us. When researchers detect a vulnerability, they submit a report. And when this vulnerability is critical, we set a deadline to fix it. This reactivity is essential in our commitment to security. It allows us to maintain the high level of requirements that characterises us at Decathlon, and keeps both the bug hunters and our teams motivated,” explains Matthieu Vanoost, Information Security Manager at Decathlon.

With its participation in this Live Bug Bounty, Decathlon has gone one step further in its efforts to collaborate with ethical hackers.

🧑‍💻 Why a Live Bug Bounty?

For corporate security teams, it’s a unique and invaluable opportunity to discuss findings with researchers and better understand security bugs. For hackers, it’s an easy way to put live questions to program managers and YesWeHack’s teams, get more information about the programs and thus go even further in their research. Furthermore, researchers may collaborate with each other to pool their skills and expertise and thus go further in the hunt for new vulnerabilities and their exploitation.

“This is the first time that we are embarking on a Live Bug Bounty. It allows us to meet the hunters, to discuss with them, and then to go further in the search for vulnerabilities,” said Farid Illikoud, Group CISO, Decathlon.

🎯 Exclusive scopes for an exclusive event

During these two days, the Decathlon teams offered exclusive scopes to the researchers attending the event. They wanted to test the robustness of their “OneShop” solution, an E-Commerce platform based on PrestaShop and used by about thirty countries around the world (see the PrestaShop Bug Bounty program).

Moreover, in order to test the E-Commerce platform from end to end, Decathlon Technology also wished to include its authentication solution called “Login” and its loyalty solution called “Account” in the scope of the test.

Decathlon Technology’s technical teams were on hand to ensure the rapid assessment and remediation of the reports submitted by the hunters. And what speed! The team had an average response time of only 1 hour 06 minutes during the event 👏

🏆 A podium battled until the last minute

The Live Bug Bounty started on Wednesday 08 June at 10:00. A few dozen hunters were present at the booth and were eagerly awaiting the launch of the program. The Live Bug Bounty was also open to participants of the European Cyber Cup, an ethical hacking competition using eSport codes dedicated to students!

The first submission (aka “first blood”) was made by Zax, only 1 hour after the start of the event! Hisxo then quickly took the lead, thanks to several IDOR (Insecure Direct Object Reference) vulnerabilities discovered on the scope, followed closely by Zax and Effrite.

As the day progressed, the rankings changed with several reports from the hunter codejump.

After 30 hours of Live Bug Bounty, the overnight research efforts of the BZHunt team (Zax, Doomer and Serizao) finally paid off. The hacktivity revealed an RCE (Remote Code Execution) as well as an SQL injection and some other vulnerabilities, reported by Zax. This allowed him to take the lead and keep it until the end of the event.

And here is the podium of the Decathlon Live Bug Bounty:

🥇 Zax

🥈 Hisxo

🥉 CarlJohnson

The final leaderboard can be found here.

“I really enjoy participating in live Bug Bounty events, it’s really great to meet the community as well as the program managers! During these 30 hours, it was possible to interact with the Decathlon team, who came in numbers. Being able to talk directly with the Decathlon teams allows us to show our PoCs, to have real-time feedback and therefore to go even further in the impact.

As for my team, BZHunt, we are exhausted but delighted. We pushed on until the last few minutes of the event and managed to grab the lead on the podium, carefully held by Hisxo throughout the event. A big thank you to YesWeHack for this great organisation!” said Zax.

🙌 A successful first experience for Decathlon

“After just over a year in a private Bug Bounty program, we wanted to reach a new level by running a Live Bug Bounty. Despite some apprehension due to the fact that we were going to test the robustness of one of our E-Commerce platforms under real conditions on the production environment, the event was a great experience for us and a real success on all fronts:

✅ There were no disruptions to the production (the hunters took into consideration the rules of the program which forbade carrying out tests that could cause possible service interruptions)

✅ The allocated reward budget was respected and we were able to pay all the hunters during the event

✅ Our on-site teams did a remarkable job, notably with the qualification of the 64 reports submitted by the hunters before the end of the event and with an average response time of only 1 hour 06 minutes

✅ Our mobilised teams accepted 27 reports, including 3 critical reports, and the first patches were being built even before the end of the event and are currently being deployed throughout the affected area

✅ The proximity with the hunter community was very much appreciated, as it allowed for smoother interactions and the opportunity to be confronted with new approaches to security

In addition, our communications teams enjoyed co-organising the event in partnership with YesWeHack, and the result highlighted both our companies through this action,” said Ismaïl Bouafoud, IS Project Manager, Decathlon.


🔜 YesWeHack’s next Live Bug Bounty

The next Live Bug Bounty organised by YesWeHack will take place at leHACK Paris, on June 24th and 25th 2022! Be ready, it’s going to be intense! More info here.
Fancy a ticket to leHACK? We might have a few left! Send us an email.

About YesWeHack

Founded in 2015, YesWeHack is a global Bug Bounty & VDP platform. YesWeHack offers companies an innovative approach to cybersecurity with bug bounty (pay per vulnerability discovered), connecting tens of thousands of cybersecurity experts (ethical hackers) across 170 countries with organisations to secure their exposed scopes and report vulnerabilities in their websites, mobile apps, infrastructure and connected devices. YesWeHack runs private and public programs for hundreds of organisations worldwide in compliance with the strictest European regulations.

In addition to the Bug Bounty platform, YesWeHack also offers support in creating a Vulnerability Disclosure Policy (VDP), a learning platform for ethical hackers called Dojo, and a training platform for educational institutions, YesWeHackEDU.

About Decathlon

Over the past decade, Decathlon has engaged in a strong acceleration of its digital transformation to address new technological challenges and consumption patterns. With more than 3,000 engineers in 67 countries, Decathlon relies on the most innovative technologies; the company works with and develops tools, systems and experiences that help people around the world access the pleasures and benefits of sport. Decathlon, the leading company in the sports market, combines two activities: the creation of innovative sports products and services, and their distribution online and in stores.

With 324 points of sale in France and more than 1,700 worldwide, Decathlon and its 97,000 employees have been working since 1976 to achieve its permanent ambition: to innovate in all areas in order to remain the main partner for the many. With 300 recruitments in 2021 and 420 positions open for 2022, Decathlon Technology continues its development and expands its teams in major metropolitan cities such as Paris, Lille, Nantes and Lyon. Decathlon Technology has more than 1,200 employees based in France and is deploying an ecosystem of 3,000 people around the world (Europe, China, India, Brazil) with tech skills to serve the digitalisation of the Decathlon Group. Software engineers, product managers, data scientists, machine learning ops engineers… These cutting-edge skills and expertise are mobilised across all of Decathlon’s business lines, from design to retail and the supply chain. These tech and digital skills enable us to address the needs of the 500 million users of Decathlon products and services, as well as the Decathlon community of over 100 million members.