‘Bug Bounty has become a security best practice’: Why Ferrero is sweet on crowdsourced testing

July 7, 2025

Ferrero’s security team interviewed about its YesWeHack Bug Bounty Program

Having “access to an unlimited number of security researchers with different skillsets” is among Bug Bounty’s most compelling benefits, according to Vittorio Addeo, Ferrero’s cyber offence manager.

Vittorio was speaking alongside Giulio Maria Gravante, offensive security project manager at Ferrero, at the RomHack conference in Rome last year.

Ferrero is an Italian multinational operating in the sweet-packaged food sector, with its iconic brands including Nutella, Kinder and Ferrero Rocher.

In the interview below, we quizzed Vittorio and Giulio about Ferrero’s Bug Bounty evolution since the launch of its program in February 2023, the hurdles they’ve surmounted, the security benefits observed so far, and their tips for maximising the effectiveness of crowdsourced security testing.

Further down the page you can also watch highlights from Ferrero’s live Bug Bounty at RomHack – Italy’s first-ever live hacking event – which was held in partnership with YesWeHack.

Vittorio on Ferrero’s rise to prominence…

Ferrero began its journey in Italy in 1946, and today it’s one of the world’s largest companies within the sweet-packaged food sector.

Giulio on why they launched a Bug Bounty Program and its subsequent evolution…

To enhance the security and the protection of our digital data – in particular to complement the security tests that we perform on a daily basis.

We started with a few assets and then we extended it to our related companies.

It was a real success. We were able to identify thousands of criticalities. Additionally, we started with only a few hunters, and today we count more or less 130 hunters.

Our goal is to achieve 200 hunters by the end of this year [Note: the interview took place in September 2024].

Giulio on the biggest challenges so far and how they overcame them…

First challenge: bug reports spiked when we launched the first Bug Bounty Program. As a solution, we expanded our resources mainly on bug analysis and remediation implementation.

And the second challenge is: always keep the program attractive for the hunters. We try every day to add new assets to the scope and keep the level of the rewards as attractive as possible.

Vittorio on the most notable benefits of Bug Bounty…

One of the most important is the ROI, so the return on investment. You just pay for valid vulnerabilities, without having to pay for the time needed to detect them.

Another important aspect and benefit related to Bug Bounty is the access to an unlimited number of security researchers with different skillsets who can discover bugs on your external attack surface.

So you have an unlimited team working with you, collaborating with you, trying to bring the security level of your company to the next level.

Vittorio on the key factors for a successful Bug Bounty Program…

Always try to update your program and refresh your scope with new juicy targets, in order to allow security researchers to always work with a continuously evolving attack surface.

Another key aspect is to always try to increase the number of Bug Bounty hunters working in your program, just to keep the level of the competition very high. This is always good for all the security researchers, because they even work together, collaborating, trying to find the most useful bug.

Vittorio’s parting thoughts…

Bug Bounty Programs have become a security best practice nowadays. You have to embed it in your security program. Don’t waste time and start soon!

Is your security team managing a Bug Bounty Program yet? Schedule a Bug Bounty consultation to find out more about the benefits of crowdsourced security testing and how this model can be adapted to the specific needs of your organisation.