“We backed the right horse and have never regretted our decision,” said TeamViewer’s Patricia Leppert of the company’s five-year partnership with YesWeHack.
Patricia, team manager for customer trust and security at the digital workplace platform, was speaking during a two-day live hacking event at Nullcon Berlin organised by YesWeHack, where the company presented live targets to participating researchers.
In the interview below, she explains how TeamViewer built a Bug Bounty Program that is both effective and scalable, how it has evolved since launch, and where the company plans to take it next. She also shares practical advice for security teams looking to optimise their own programs and build productive relationships with researchers.
This is our second TeamViewer customer story, following an interview with the company’s senior project manager for security in 2024.
Patricia Leppert on TeamViewer’s mission and global reach…
TeamViewer is a global technology company headquartered in Göppingen, in Germany, best known for its remote access and support software. It was founded in 2005 with the goal of reducing the need for physical travel by enabling users to connect to computers and devices remotely.
Today, it serves over 660,000 customers worldwide, ranging from small businesses to large enterprises.
On the importance of security to TeamViewer’s solutions…
Security is a top priority for TeamViewer because the company provides remote access and control solutions that handle sensitive data and systems.
Without strong security, TeamViewer’s core services wouldn't be viable, especially for industries such as healthcare, finance, and government.
On why TeamViewer launched a Bug Bounty Program…
We were looking for a supplement to our penetration testing program. Classic penetration testing is important and indispensable for us, but a Bug Bounty Program brings additional benefits and covers aspects that classical penetration testing cannot offer to the same extent. This naturally includes the huge pool of researchers and the exploratory approach to testing.
RECOMMENDED ‘We wanted a lot of researchers testing our scope’: Entrust’s experience scaling a Bug Bounty Program
On choosing to partner with YesWeHack…
At the time, YesWeHack presented itself to us as an up-and-coming company with great ideas and a comprehensive concept.
After several years of working together, our impression has been confirmed that YesWeHack is one of the most successful and sustainable players in the Bug Bounty business – and I can confidently say that their support has helped us shape and grow a Bug Bounty Program that is both effective and scalable.
Their platform and community have enabled us to engage with top-tier researchers. The partnership has been smooth, professional, and incredibly valuable.
We backed the right horse and have never regretted our decision!
On the evolution of TeamViewer’s Bug Bounty Program so far…
We started in 2021 with a private program. This allowed us to learn the processes and peculiarities in a very controlled environment. We have continuously developed the program and launched additional programs, including a public program. Our programs are now an essential part of our security efforts.
On expansion plans for the program…
We will launch a brand-new program for TeamViewer DEX and continue to develop our existing public program for TeamViewer Remote. We also want to further expand our private programs, which give hunters exclusive access to special enterprise features.
On the program’s scoping strategy…
In our regular Bug Bounty Program, we limit the scope as little as possible. Our program is essentially a wildcard. We pay for any type of real security vulnerabilities that could affect our users and customers.
On best practices for keeping researchers happy and engaged…
Always be honest and fair to the hunters. However, don't make exceptions, or as few as possible. Never break the rules or bend them. That usually backfires. All in all, we have mostly had good experience communicating and working with researchers. The triage team also always helps us a lot.
On other necessary ingredients for running a successful Bug Bounty Program…
Define as few restrictions as possible. Set up the program broadly. Let the hunters search and find, and make use of their various specialisations. If you want to draw attention to something specific, then put a high bounty on exactly that thing.
On what she would you do differently if she launched the program again…
Honestly, nothing. We are completely satisfied with how our Bug Bounty Program was launched and how it has evolved. The program has delivered exactly what we hoped for: meaningful engagement with the security community, early detection of vulnerabilities, and a stronger overall security posture.
Her advice for security teams launching or about to launch a Bug Bounty Program…
You need to prepare your organisation. Processes must be set up and coordinated. Internal SLAs must be appropriate and functional. Start slowly and develop it over time, depending on what your organisation can and wants to handle.
Check out TeamViewer’s public Bug Bounty Program for further details on rules, rewards and scopes.
LAUNCH A BUG BOUNTY PROGRAM
Want to learn more about the YesWeHack Bug Bounty & Vulnerability Management platform? Contact our team to schedule a demo with one of our experts.
MORE CUSTOMER STORIES Browse interviews with YesWeHack customers operating in a variety of regions and industries
