Continuous threat identification is now essential for financial services companies operating in Europe, with the Digital Operational Resilience Act (DORA) in force.
Against this backdrop, the chief product and technology officer (CPTO) of a Luxembourg-based fintech explains why Bug Bounty “fits perfectly” with the company’s complex regulatory obligations.
In our latest customer Q&A, Reda Benzair, CPTO of Sogexia, also highlights the continuous testing model’s ability to keep pace with frequent product updates.
Reda is a technology executive with over 20 years' industry experience spanning infrastructure, cloud and software development, and a former Cloud Native Computing Foundation ambassador.
SOGEXIA SERVICES & SECURITY CULTURE
Hello Reda! Please tell us about Sogexia and your role within it…
Reda Benzair: Sogexia is a payment institution authorised and supervised by the CSSF, Luxembourg’s regulator for the financial sector. We offer online accounts and financial services that are accessible to everyone regardless of nationality, income or circumstances.
Our technology stack includes real-time transaction processing, API-driven services, mobile applications and cloud-based infrastructure built for high availability and security.
I lead our teams across ICT strategy, cybersecurity, product architecture and regulatory compliance under CSSF supervision and DORA.
How would you summarise your security ethos?
Reda Benzair: Security is fundamental. In financial services, trust is everything – and even a single weakness can have significant consequences for customer funds, personal data, operational continuity or regulatory obligations.
That's why we invest heavily in a multilayered security strategy combining strong internal controls with continuous, real-world testing.
In short: security is not just a technical necessity for us. It’s a core part of our value proposition, our regulatory duty and our reputation as a trusted fintech.
BUG BOUNTY BENEFITS
Why did you launch a Bug Bounty Program?
Reda Benzair: Bug Bounty is a key part of our security approach. It helps us follow rules like DORA’s requirements for ongoing checks and strong ICT risk management, while also improving the security of our APIs, authentication systems, cloud infrastructure and mobile apps.
Traditional pentests offer limited depth and temporal scope. They deliver a point-in-time snapshot rather than the continuous coverage that DORA Article 25 explicitly requires. They also demand significant internal coordination to scope, contract and manage effectively. Given the breadth and complexity of our platform, no internal team can replicate the diversity of perspectives, techniques and attack scenarios that a community of independent hunters brings. Bug Bounty fills that gap structurally, not just operationally.
But the most important thing is that the program helps us to align directly with DORA’s requirements for continuous vulnerability assessment and independent security testing.
Why did you choose YesWeHack?
Reda Benzair: We were attracted by the quality and simplicity of their service. Our collaboration with YesWeHack is exceptional: they offer the advantage of a large community of hunters and responsive support when we launch new programs.
Indeed, YesWeHack meets all the necessary requirements for a regulated institution. Its data hosting, contractual setup and governance model fit perfectly with DORA/CSSF outsourcing requirements (22/806, 20/750, EBA register) and GDPR obligations, which are essential when working with external security researchers.
What do you like best about Bug Bounty?
Reda Benzair: The combination of continuous testing, advanced creativity and a real-world attacker mindset is essential for successfully releasing major updates or critical features.
Reda Benzair: YesWeHack can rapidly mobilise 10–15 hunters within a few days. This responsiveness is indispensable when we have a regular release cycle.
The result is a more resilient platform and faster detection of high-impact vulnerabilities.
Is there a particular finding that stood out?
Reda Benzair: Bug Bounty operates as an independent validation layer on top of our internal security controls and code review processes. One of the most intriguing outcomes was a hunter uncovering a subtle race condition in a mobile application related to translation. It allowed us to not only fix the issue but also to redesign and improve the underlying logic.
To what extent does the YesWeHack platform facilitate collaboration between internal teams in ways that might enhance security awareness and posture?
Reda Benzair: This aligns perfectly with DORA Article 13 on security awareness and training. Each validated finding becomes a real case study for our engineers.
Compared to other solutions, their interface is very easy to use and simple to navigate, which makes exchanges and collaboration between hunters and our internal teams straightforward.
What reputational or other benefits can Bug Bounty bring in terms of communicating externally with your customers and partners?
Reda Benzair: For fintech and finance, trust is everything. A certified Bug Bounty Program significantly boosts our credibility, showing that we take security seriously and welcome responsible disclosure. It shows customers, auditors and partners that we maintain a transparent, mature and proactive security culture.
FINTECH, LUXEMBOURG & CROWDSOURCED TESTING
How well does Bug Bounty align with your security needs as a fintech company where cyber-attacks can have particularly significant consequences?
Reda Benzair: Sogexia’s highly interconnected fintech systems present multiple risks, such as broad attack surfaces, supply chain risk and instant payment fraud vectors. As an ‘always-on’ penetration capability, Bug Bounty perfectly aligns with these needs and DORA’s requirements for continuous security assessment and timely remediation.
Luxembourg launched one of Europe's earliest national cybersecurity strategies and is ranked as a top-tier country in the cyber field. To what extent is Bug Bounty advocated and adopted in the country?
Reda Benzair: Luxembourg has one of the most mature cybersecurity ecosystems in Europe. The culture is strongly influenced by a strict financial services regulator (CSSF) and a financial sector deeply invested in cyber-resilience.
Historically, some organisations in Luxembourg have been cautious about Bug Bounty due to regulatory constraints, particularly around outsourcing and data access. However, Bug Bounty has increasingly proven its value in other industries, such as telecoms, as well as in open source and for both web and cloud applications.
Bug Bounty is still relatively new in the financial sector, which traditionally relies on more controlled and formal security assessments. But with the introduction of the DORA regulation and Luxembourg’s 2024 National Cybersecurity Strategy, which explicitly highlights Bug Bounty and responsible disclosure as modern best practices, organisations are becoming more aware of its benefits.
With growing regulatory support for modern security practices, I strongly believe that mindsets will continue to shift and mature, making Bug Bounty an increasingly accepted and strategic part of cybersecurity programs in Luxembourg.
BUG BOUNTY BEST PRACTICES
Any advice for your fellow security executives at other organisations about Bug Bounty Programs?
Reda Benzair: I would recommend launching a Bug Bounty Program. Who better to stress-test your defences than someone approaching your platform with the same mindset as a real attacker?
The best approach is to start with a private program, integrate it into your testing and release process and ICT control framework, and ensure secure triage processes before you consider launching a public program.