Actionable, timely support from YesWeHack’s triage team helps to eliminate bottlenecks from the remediation process, according to senior security professionals at Argentina’s largest private retail bank.
In this interview, Sebastián Wilke and Christian Gehmlich, respectively the cybersecurity manager and the red team lead at Banco Galicia, explain why the bank launched a Bug Bounty Program, the results achieved and challenges overcome so far, and the best practices they recommend to peers who are pondering adoption of crowdsourced security testing.
This conversation was filmed at Ekoparty, in Buenos Aires, in November 2024, during a YesWeHack hacking event featuring Banco Galicia targets and organised by YesWeHack.
Before we get to the transcript of this interview, Bug Bounty was also explored during a recent series of tech talks delivered to Banco Galicia’s internal product, IT and security teams. In this Spanish-language session, Banco Galicia CISO Pedro Adamovic and José Mengot, account executive EMEA at YesWeHack, espouse the benefits of enlisting ethical hackers to find and fix vulnerabilities before malicious actors can exploit them, and explain why security is not only a technical issue but also a cultural and mindset challenge. Watch the video below to hear their insights.
And now, the transcript from the Ekoparty interview:
Sebastián Wilke on why Banco Galicia launched a Bug Bounty Program…
After several years of having a red team internally, we decided to go further and start a Bug Bounty Program to start looking for new vulnerabilities in our IT assets.
Sebastián on the biggest benefits of Bug Bounty…
The main benefit that we have with Bug Bounty is that hunters have a lot of time to test our applications, our APIs and services – so we have the opportunity to have different kinds of vulnerabilities or reports.
The difference compared to a pentest is that the Bug Bounty Program seems like an eternal pentest!
Christian Gehmlich on the benefits of Bug Bounty…
Well, there are a lot. It’s another layer of security. You have your internal team, you have external teams that test your applications. So you have different perspectives and you avoid bias maybe from our internal teams. So yeah, it's a good benefit for us.
RECOMMENDED ‘Bug Bounty helps us meet regulatory requirements ahead of time’: payments provider KOMOJU
Sebastián on the YesWeHack partnership so far…
We are very close. The triage team is really great. They give us their inputs so we can understand sometimes the different vulnerabilities that are being reported. And when we ask for help, it’s instant: they give us the correct answer so we can move on and fix the vulnerabilities.
Christian on overcoming the biggest Bug Bounty challenges so far…
When we started with the Bug Bounty private program, we didn’t know which hunters we should invite. So we started with a small number of hunters who YesWeHack recommended us to invite. So we start with little steps, little findings.
The big deal is to talk with the product team to fix them. But when you have this process working, it’s very useful for us and for all the company.
Sebastián on the challenges encountered…
One of the main challenges we had was to respond in a timely manner. We didn’t know that we had to respond in a very quick way, because they are expecting your answer to see whether the reports are correct or not, and also they want the reward.
Christian’s advice for launching a Bug Bounty Program…
You need to know your security level. How are you in terms of maturity? How many vulnerabilities can you find? How is your fixing SLA? When you are comfortable with that, then you can – and you should – make that step.
Sebastián’s own launch advice…
Don't be afraid to start a Bug Bounty Program. Just start small with a few assets and a few hunters, and you will see the results immediately.
WANT TO LAUNCH A BUG BOUNTY PROGRAM?
Is your security team managing a Bug Bounty Program yet? Schedule a Bug Bounty consultation to find out more about the benefits of crowdsourced security testing and how this model can be adapted to the specific needs of your organisation.
MORE BUG BOUNTY STORIES Browse interviews with YesWeHack customers operating in a variety of regions and industries
