‘We opted for Bug Bounty for agility reasons’: European Community of Alsace CISO

February 27, 2024

Bug Bounty’s intrinsic cost-effectiveness – thanks to the crowdsourced and, in YesWeHack’s case, results-based pricing model – is a big plus for public-sector organisations.

As well as praising the “cost model”, the CISO of one such entity, the European Community of Alsace (Collectivité européenne d'Alsace), hailed the agility of crowdsourced security testing in an interview with YesWeHack.

In the video and writeup below, Jérémie Piazza explains the strategic decision to launch a Bug Bounty Program in 2022, how the model fosters more secure development, and the strengths underpinning the partnership with YesWeHack.

The European Community of Alsace is a regional government body that provides services tailored to the needs of the Alsace region in France. It emerged from the merger of two departmental councils, Haut-Rhin and Bas-Rhin, in 2021.

JÉRÉMIE PIAZZA ON THE IMPORTANCE OF CYBERSECURITY AT THE EUROPEAN COMMUNITY OF ALSACE…

Security is an important, even strategic, issue, particularly in the context of the convergence of teams, systems and technologies, added to an increasing number of cyber-attacks against local authorities, as well as the possible assimilation to a European institution.

All this means that the local authority’s management really takes security issues into account.

ON THE BENEFITS OF BUG BOUNTY…

Setting up a Bug Bounty Program is part of our vulnerability management process. In this context, we opted for Bug Bounty for agility reasons, particularly in terms of the scope, which can be modified on demand.

The cost model is also particularly clear: you have a subscription cost and a cost linked to bounties. The notion of bounties also makes development teams aware of the cost of vulnerabilities and encourages them to gradually integrate security by design.

And then we have the advantage of calling on a community of hunters who have very different approaches to managing and detecting these vulnerabilities.

We also use Bug Bounty as part of the approval process for our teleservices.

ON THE PROGRAM’S STEADY EVOLUTION…

We launched our program in 2022, in stages – initially with a limited number of assets and hunters, to enable our teams to mature both in terms of bug resolution and the use of the platform.

ON THE BIGGEST CHALLENGE FACED SO FAR…

The main challenge in setting up a Bug Bounty Program is essentially an internal one. It will depend on your teams’ ability to deal with the bugs reported.

Initially, we were careful to ensure that our teams were capable of handling all the bugs reported by the hunter, to maintain their interest in the program.

ON THE PROGRAM’S NEXT STEPS…

The next steps are to broaden our scope. Today, we only have a certain number of institutional sites. In the future, we hope to add externally hosted sites to this number.

ON HIS RELATIONSHIP WITH YESWEHACK…

Our relationship with YesWeHack is now one of trust, based both on the expertise of the YesWeHack teams in helping us use the platform and on the quality of the bugs reported by hunters.

HIS ADVICE FOR LAUNCHING OR GROWING A BUG BOUNTY PROGRAM…

One piece of advice I’d give to those who want to get started is simply to do it gradually. Give yourself time to mature, both in terms of the type of bug reported and in terms of your teams’ ability to deal with these bugs.
