Bug bounty is significantly more cost-effective than penetration testing

November 5, 2019

For this instalment of our Customer Stories, we talked with Kevin Dubourg, Bug Bounty Program Manager at Yousign. Yousign provides electronic signature (eSignature) services and aims at protecting both its services and users.

Why did you choose bug bounty?

Kevin Dubourg, Bug Bounty Program Manager, Yousign:

There are a number of platforms out there, mostly U.S.-based. We requested certain guarantees from the hunters invited to our programs, and YesWeHack offered those guarantees and the confidence to launch a bug bounty program.

What value does bug bounty bring compared with traditional cybersecurity solutions, such as penetration testing?

Kevin Dubourg, Bug Bounty Program Manager, Yousign:

It offers diversity in terms of perspectives and skills. Every hunter has his own approach, his way of doing the thing: a unique approach that makes a particular attack. This is different from penetration testing, and it provides a much stiffer challenge. With bug bounty, we left the penetration testing world behind, in order to benefit from 10, 20, or 30 different views and really challenge our teams.

It is also interesting that not all hunters are necessarily ‘cybersecurity professionals’. The entire ecosystem is represented here, and we can pick up individuals based on their nationality, skill set, and ranking on the platform.

However, the primary value of bug bounty is the continuity, recurrence, and ‘annualisation’ of the tests: as soon as we release a new version, we integrate the existing program and receive immediate feedback on the security of the new version. We don’t need to wait a year for the next penetration test to check on the security of our update. This approach is embedded within our project lifecycle.

Our scope evolves constantly, and bugs evolve at the same time. Security flaws turn up every day, not just once a year, and bug bounty enables us to detect and fix these in time. It helps us monitor our services almost constantly, which is very reassuring. It would also be impossible financially to do a penetration test on each delivery, although we would need to.

The return on investment is compelling too. Yousign carries out one penetration test each year. And this is quite expensive, compared to a bug bounty program. It’s a bit crazy when you think about it: they cost more or less the same, but bug bounty covers an entire year, whereas an audit only lasts a week.

Do bug bounty programs spell the end for penetration testing? Or will they remain complementary?

Kevin Dubourg, Bug Bounty Program Manager, Yousign:

For Yousign, the two will continue to be complementary. It could mean the end of penetration testing in some industries, but not in ours: as a trusted third-party provider we are required to carry out regular audits. In a less stringent regulatory environment, I would probably consider only using bug bounty.

However, bug bounty is very important for our sales and marketing: it’s clearly a differentiator to large prospect accounts. We mention it systematically in our request for proposal submissions as it’s seen by the market as a quality hallmark.

How do the results compare between penetration testing and bug bounty?

Kevin Dubourg, Bug Bounty Program Manager, Yousign:

I’ve had the same reports from both, but there are many more reports from bug bounty than from penetration testing. Moreover, after we have carried out a penetration test on a given scope, running bug bounty always brings additional vulnerabilities.

One of the problems with penetration testing is that results mainly depend on the expertise of the penetration tester. Our last penetration test showed up some relevant things, but when you compare the results with those of the bug bounty program we launched afterwards, there was no comparison.

Have you seen any changes among your teams since using bug bounty?

Kevin Dubourg, Bug Bounty Program Manager, Yousign:

Yes, definitely. I initially managed the programs on my own, but soon afterwards involved the development teams so that they could manage processes like replying directly to hunters and fixing bugs. Most reports concerned the applications team, so they had to face up to reality and take things forward.

What’s more, we quickly saw that their interactions with the hunters affected their delivery and working methods: not only do they integrate security into their development work more effectively, but they also started to ‘think’ differently, always keeping in mind the security aspects. You could say that they are not only delivering for clients, but for the hunters too!

What’s next?

Kevin Dubourg, Bug Bounty Program Manager, Yousign:

The next step is to extend the use of bug bounty. Besides the current programs in our production and ‘staging’ environments, we want to embed bug bounty within our CI/CD workflow to add to our battery of functional and unit tests. This should make us even more agile. Bug bounty is certainly a key component of our CI/CD approach.

In time, we may move to a public program.

If you want more information about Bug Bounty & YesWeHack, drop us a line.

About YesWeHack:

Founded in 2015, YesWeHack is the #1 European Bug Bounty & VDP Platform.

YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting tens of thousands of cybersecurity experts (ethical hackers) across 170 countries with organisations to secure their exposed scopes and report vulnerabilities in their websites, mobile apps, infrastructure and connected devices.

YesWeHack runs private (invitation-only) programs and public programs for hundreds of organisations worldwide in compliance with the strictest European regulations.

In addition to the Bug Bounty platform, YesWeHack also offers support in creating a Vulnerability Disclosure Policy (VDP), a learning platform for ethical hackers called Dojo and a training platform for educational institutions, YesWeHackEDU.