Why did you launch a bug bounty program?
Julien Levrard, Security Operations Manager, OVHcloud:
Security has always been a part of the OVHcloud DNA. It’s inherent in our business as an infrastructure provider and all of the services that we offer. Our infrastructure security is a permanent focus, as well as a driver of our customers’ trust. That security relies on physical and logical safeguards and oversight activities, scans, internal and external penetration tests, code and configuration reviews, and other security measures. Some of these safeguards are managed non-stop by our teams, while others rely on a partnership with trusted third parties.
We launched a bug bounty program for OVH with YesWeHack several years ago in order to add a layer of security to our existing systems. Our companies share the same core values and evolve in the same ecosystem; we share the same passion and the same European roots. It’s partly for these reasons that we started with this platform: we were one of YesWeHack’s first public program clients, and launched our program during a live bug bounty at the Nuit du Hack (Hack Night) event.
Is bug bounty strengthening the trust you have with your customers?
Julien Levrard, Security Operations Manager, OVHcloud:
Yes, definitely. OVHcloud works with different types of clients. Some of them manage their infrastructure themselves and are highly sensitive to technical communications. Our communication is therefore based on transparency and reliability. Other customers are more mindful of our ability to bring in trusted third parties, such as certification auditors or external service providers. Bug bounty offers an added degree of trust for some of our customers who demand more than traditional security measures.
YesWeHack works with large strategic organisations such as OVIs (Operators of Vital Importance) and we also play in that market. YesWeHack bug bounty is part of this ecosystem of trust and is becoming a ‘must have’ for organisations like ours. It’s also a question of reputation vis-à-vis the community of hunters, who are stakeholders in this ecosystem: through YesWeHack, we can interact with people who aren’t always available via other channels.
What does bug bounty offer you in terms of the aforementioned services (audits, scans, penetration tests, etc.)?
Julien Levrard, Security Operations Manager, OVHcloud:
Bug bounty puts us in touch with experts with knowledge that complements our teams across the entire spectrum of technologies that we use. This includes OpenStack, Kubernetes, Machine Learning tools, and AI. It’s impossible to find a team of penetration testers with advanced skills in all of these technologies.
YesWeHack gives us easy access to experts in these various technologies who say: “I’m a Kubernetes expert, so I’m going to take a look at all of these bug bounty programs with Kubernetes offers and dig deeper.” This effectively completes our security approach by providing a perspective that complements that of our teams.
Bug bounty also offers a formal framework for vulnerability reporting. It allows us to provide a legally secure point of entry for the hunters. Even if it isn’t the only OVHcloud channel for vulnerability reporting, we recommend to anyone who ‘finds’ vulnerabilities to use our program. This allows us to have a single inflow and a linked process for managing vulnerability reports. It’s therefore a defining part of our CVD (Coordinated Vulnerability Disclosure).
Beyond the advantages of bug bounty as a model, I would highlight the YesWeHack platform, which has a very intuitive user interface. The OVHcloud team managing the bug bounty program gives us excellent feedback on the workflow management, report processing, and interactions with the hunters.
The APIs enable us to integrate useful information into our own tools and dashboards automatically. We can also track our bonus budget and the activity of each program. At a glance, we understand the status of our programs and can quickly report indicators to our management. Bug bounty is fully integrated into our global security strategy.