‘Continuous testing and a real-time understanding of my threat exposure’ – Ooredoo exec on the benefits of Bug Bounty

April 22, 2025

Ooredoo security executive interviewed by YesWeHack Bug Bounty platform

“Security by obscurity” is no longer a viable strategy in a world of internet-facing assets and expanding attack surfaces, attendees at a YesWeHack Bug Bounty Summit in Qatar were told.

Gaurav Kumar Sharma, assistant director for security architecture and planning at Ooredoo Qatar, was reflecting on the thought processes that led to a partnership between Ooredoo and YesWeHack. Serving 121 million customers with a variety of telecommunications services, Ooredoo had complex cyber, compliance and insurance risks to mitigate, he said. “From an insurance perspective this security control is very important for us,” he said of their Bug Bounty Programs.

When it came to hardening its eclectic mix of internet-facing assets, Gaurav continued, Ooredoo sought continuous, scalable testing, leaner vulnerability management processes, and access to a diverse range of offensive security skills.

As a candidate for helping the Qatari multinational achieve these goals, YesWeHack stood out by dint of its platform, operating model and end-to-end service, Gaurav recalled. “Ooredoo always goes with best-of-breed solutions. I’m happy we went with YesWeHack,” he told the audience of security professionals gathered in Doha in September.

Fast start

The YesWeHack partnership began in 2022 with private programs for Ooredoo’s three primary customer-facing assets. The scopes, comprising web, mobile and API assets, were tested in production environments under real-world conditions (so web application firewalls and other protections were in place). A vulnerability disclosure policy (VDP), which Gaurav said was a governance requirement and something demanded by investors, was also launched – enabling his team to benefit from the expertise of any security researchers worldwide.

The Bug Bounty Program had a fast start, with the first reports arriving within minutes of launch and dozens arriving within the first week. There were high-severity and critical vulnerabilities among them. Gaurav detailed one critical bug where the hunter had achieved account takeover by manipulating an API’s password-reset request to trigger a forged POST request, which forwarded the new password to an email address under his control. This potentially calamitous flaw was found and fixed for the sum of $1,500.

Fortunately, Ooredoo and YesWeHack were well prepared for the fast start. YesWeHack’s triage team swiftly reproduced and assessed the vulnerabilities, Gaurav recalled, while Ooredoo’s existing process for handling vulnerabilities withstood the demands of the new testing medium. “Bug Bounty was just an additional input,” he said. That said, the experience did lead to improvements in their vulnerability management process, while the hunters’ findings generated actionable insights about their security tools.

A KPI review was conducted after the first few weeks, after which the security team opted to persist with black-box testing but increase testing coverage. They also resolved to make the customer portal program public by the end of the year – a goal they went on to achieve.

At the time of the presentation, around two years after the partnership had begun, 319 Bug Bounty reports had been closed, while the VDP had delivered 40 reports.

Launch lessons

Echoing sentiments expressed in many of our customer success stories, Gaurav urged his peers in other organisations to launch their own Bug Bounty Programs on a small scale, but to do so as soon as possible. Since Bug Bounty is inherently agile and adaptable, rules and scopes are readily fine-tuned post-launch, as programs grow.

However, Gaurav advised against starting a Bug Bounty Program before ensuring security, development and other affected teams understand their roles, perhaps with the help of a RACI (responsibility assignment matrix). Mindful of Ooredoo’s busy start, Gaurav also emphasised the importance of being ready to handle reports and mitigate bugs in a timely fashion from the get-go.

Otherwise, the launch process is reasonably straightforward, he insisted – so long as you have a clear idea of your testing goals and strategy. Your customer success manager (CSM) can support you a great deal in this regard.

Happy hordes of hunters

Crowdsourcing access to hacking skills had proven especially invaluable, given that it had hitherto been difficult to find testers with the right competencies for Ooredoo’s multifarious technologies and use cases. “Pentests might involve just 2-3 consultants; here I have access to thousands of hackers who are ready to go,” said Gaurav.

Given their contribution, which also includes advising on and validating fixes, hunters’ happiness should be top priority for program managers, said the security exec: “Make sure your SLAs and KPIs are met. Sometimes hunters get frustrated if they don’t get rewarded on time because they’re working day and night to give something back.”

‘Real-time threat exposure’

So far “YesWeHack is living up to our expectations,” enthused Gaurav, “because we’re getting certain things that we would not have [otherwise] managed with the resources we have.”

In particular, he appreciated “the always-on dashboard and real-time understanding of my threat exposure made possible by a continuous testing scenario”.

Year-round testing coverage was a huge boon given the pace of release schedules. “Things are changing very fast,” said Gaurav. “Every month or week there is some change in our services, so one pentest cannot be good enough.”

The speaker said this cost-effective and continuous testing layer freed up internal resources to test more specific scenarios or implement other compliance-oriented initiatives.

‘Burden is always offloaded’

Notable time-saving benefits included automated risk-scoring and YesWeHack’s triage service, “so that burden is always offloaded to YesWeHack”. Gaurav said the triagers’ initial severity calculations were valuable, but that he also appreciated the fact that Ooredoo was given the final say on CVSS scores, given their exclusive knowledge about whether vulnerabilities were truly critical within the context of their environment.

The CSM team also brought value in terms of notifying Ooredoo of actionable developments and helping them handpick the right hunters.

In fact, Ooredoo would not have launched their public program, which further increased the volume of findings, so rapidly without this wide-ranging support from YesWeHack, insisted Gaurav.

‘Think about your strategy in a changing world’

Gaurav dismissed concerns about any supposed risks entailed by inviting freelance hackers to probe your digital assets. After all, all organisations have vulnerabilities, he pointed out. Either you recruit ethical hackers to help you identify and eliminate those attack vectors – or you leave malicious hackers to find them instead.

YesWeHack’s managing director, Rodolphe Harand, interjected to add that hunters are vetted and held liable for violations under the platform’s terms and conditions. Customers (or, on their behalf, CSMs) can also handpick hunters according to a variety of parameters, such as relevant skills, performance metrics (points awarded for their findings) or country/region, as well as monitor hunters via user agents or VPNs for extra peace of mind.

As his presentation approached its conclusion, Gaurav implored his fellow InfoSec decision-makers to “think about your strategy in a changing world. The world has moved on,” he said. “Organisations are investing more in resiliency because they know that attacks will happen.”

Check out Ooredoo’s public Bug Bounty Program for further details on rules, rewards and scopes.

Want to learn more about the YesWeHack Bug Bounty & Vulnerability Management platform? Contact our team to schedule a demo with one of our experts.