Olvid, the ultra-secure messaging app, moves to public bug bounty program

April 28, 2020

This Customer Story of ours is somewhat special: it tells tales as it happens about the journey from a private bug bounty to a public one. Olvid, a thriving start-up, made the leap in only four months. Here’s how they did it.

Tell us a bit about Olvid.

Olvid is an instant messaging (IM) application whose security does not rely on any trusted third party. Unlike other IM applications – such as Signal, WhatsApp, and Telegram which use a central directory to establish secure channels – Olvid does not need a directory. This eliminates:

  • The risk of a significant hack/leak if an attacker takes control of that directory.
  • The need for Olvid to collect any personal data, for example, no phone number, name, or email.

Owing to this new security model and the innovative cryptographic protocols implemented, Olvid offers users:

  • Absolute confidentiality.
  • A strong guarantee on the identity of its contacts, without any risk of identity usurpation, fraud, spam, etc.
  • Total anonymity towards third parties, including our own servers.

Why did you launch a bug bounty program?

At Olvid, we re-implemented everything from scratch. We rely on a minimum of third-party libraries and we have designed the entire application in house.

Having new cryptographic protocols, we needed our implementation to be validated as widely as possible. To achieve that, we worked on three axes:

  • A ‘theoretical’ ve­­rification of the cryptography, by Prof. Michel Abdalla, from the internationally recognised French National Centre for Scientific Research. This mathematically proves that our protocols delivers the security guarantees that we claim;
  • A CSPN certification against the ANSSI (National Cybersecurity Agency of France requirements);
  • A bug bounty program mobilising thousands of cybersecurity researchers looking for exploitable vulnerabilities in every corner of our application.

For us, this last verification stage is essential. When you sell a security application, you certainly do not want a hacker to brag about having found a vulnerability in it!

If we want to protect our application from hackers, it must be evaluated by people who use their exact methods and thought process.

We had the opportunity to participate in YesWeHack’s Live bug bounty at the International Cybersecurity Forum (FIC). We began our bug bounty experience here being hacked live for two days! We don’t regret it – it was an incredible experience. The event gave us the opportunity to discuss our application with cybersecurity researchers; and it was a very instructive experience, from both technical and business aspects.

You’re now expanding your private program into a public one. What prompted this choice?

During the four months we ran a private program, only a few vulnerabilities were reported by the 20 or so participating researchers. None of these were severe.

We deduced from this that our system is robust enough to welcome YesWeHack’s entire community. We now want to take advantage of one of bug bounty’s major strengths, crowdsourcing: tens of thousands of researchers bringing different skill sets and methodologies to test the security of our application.

The reason for our move to a public program is simple: we want to offer our users the best possible security guarantee. The more hunters scanning and attacking our app, the better it is for everyone!

Any tip for startups thinking of launching a bug bounty program?

Stop doubting right now! You’ve got to do it! It is indeed a bit scary at first to think that people will actually try to attack your product; but that’s fine, as long as you have the right people doing it.

I guess it’s comfortable to live in denial, thinking that if no-one has succeeded to attack us yet, we’re safe. However, one day, an attack will happen. And the only way to be better prepared for this is to test your application. Penetration testing and certifications are very important as they provide ‘stamps’ that we can show to our clients.

Continuous monitoring by expert hunters validating every new update is critical for every business in today’s world.

Anything else you’d like to add?

Hunters, go ahead. Attack us. We’re waiting! There’s still money to be taken from our wallet 🙂

To learn more about Olvid’s bug bounty program or to start hacking on it, click here.

About YesWeHack:

Founded in 2015, YesWeHack is the #1 European Bug Bounty & VDP Platform.

YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting tens of thousands cyber-security experts (ethical hackers) across 120 countries with organisations to secure their exposed scopes and reporting vulnerabilities in their websites, mobile apps, infrastructure and connected devices.

YesWeHack runs private (invitation based only) programs, public programs and vulnerability disclosure policies (VDP) for hundreds of organisations worldwide in compliance with the strictest European regulations.