‘Start small – but start now!’ Inside Orange’s Bug Bounty journey with YesWeHack
June 5, 2023
Orange might be France’s biggest telco and serve 270 million customers in 26 countries, but it still scaled its Bug Bounty program up gradually from modest beginnings.
Six years later and Orange France’s private program now encompasses multiple mobile applications and thousands of subdomains – and the program continues to evolve with the company’s needs.
We recently discussed Orange’s YesWeHack journey so far with Yann Desevedavy, Bug Bounty Program Manager at Orange France.
He shared his insights and experiences of managing the program since 2019, including around the value of continuous, crowdsourced testing and a creative way of leveraging bug reports to educate staff internally.
Yann Desevedavy on the value of Bug Bounty to Orange France…
We launched Orange France’s Bug Bounty program early in 2016. Since then, we have received over 2,000 bug reports from security researchers, which we promptly corrected. We have incorporated most of our web-exposed attack surface into our permanent private Bug Bounty program and continue to add more scopes.
Our programs are managed by a team of security experts in charge of the technical reproduction, severity evaluation, hunter remuneration, internal communication and tracking, up to the fix verification.
Our Bug Bounty program has become a key vulnerability detection system for our publicly accessible applications, and we also use its output as a security watch and awareness tool for our employees.
On key factors for a successful Bug Bounty program…
First of all, for the success of any innovative and disruptive project, ensuring effective internal communication and securing [senior] management support are crucial.
My second recommendation would be to start small but start as soon as possible:
➡️ Starting with a small web app with a high level of security, a low number of researchers and a modest reward grid can provide a low-risk way to initiate a Bug Bounty program.
➡️ Upgrade the program as often as possible by adding new scopes, inviting more hunters, increasing eligible vulnerabilities and upgrading the reward grid. This will help you manage the budget while scaling the program effectively.
Lastly, it is essential to view a Bug Bounty program as an ongoing security testing mechanism rather than a one-time security audit or pentest. Bug Bounty programs leverage the expertise of hundreds of researchers with diverse skill sets and unlimited time to thoroughly assess your applications’ security. This is the key strength of Bug Bounty programs.
On the importance of scaling up gradually…
In 2016, we held our first live Bug Bounty with YesWeHack during the event Nuit du Hack in Paris, France. It involved a small web application and helped us improve its security level. However, its main benefit was to introduce us to the concept of Bug Bounty and gain firsthand experience with it.
Soon after, we launched a permanent Bug Bounty program for the same application, followed by a second and third application, and so on. As we witnessed the thoroughness of the hunters’ testing and the cost-effectiveness of the program, it became clear that we needed to include our entire internet-exposed surface in the Bug Bounty program.
However, I would not recommend integrating all applications immediately into a Bug Bounty program. It took us years to gain the necessary confidence and maturity to add our larger wildcard scopes such as “.orange.fr” or “.sosh.fr”, which encompass several thousand subdomains.
In order to reach that stage, we had to make significant improvements such as building a dedicated team and implementing new tools and processes. Our program has been expanding and developing continuously, with the addition of more scopes and hunters, until we reached a point where we were ready to take a big leap and go with full scope!
On navigating the challenges posed by Bug Bounty…
The main challenges in Bug Bounty are not technical, but rather related to communication and organisation.
Accepting that anonymous hackers can conduct tests on our production environments, during off-hours and without a contract, requires a lot of awareness and support. This approach needs to be understood and accepted by all stakeholders, including management, developers, operations teams, SOC teams and even internal pentesting teams.
On why the vulnerabilities keep on coming…
For six years we have been engaged in Bug Bounty, and with each passing year we have been able to uncover and rectify more bugs than the year before. The reason for this is that we constantly add new apps, features and technologies to our scope. We also invite more hunters to participate, include more types of vulnerabilities in our program and increase our reward grid.
By going public, conducting white-box testing or allowing public disclosure, you can attract the best hunters to your program. And even if you choose to take no action, technology will continue to evolve and new vulnerabilities will be discovered on a daily basis.
Maintaining a strong relationship with hunters is a critical aspect of ensuring the longevity of your Bug Bounty program. Being prompt in responding to hunters, maintaining transparency and ensuring fairness in the reward system will encourage hunters to continue working with you.
Remember: without hunters there can be no successful Bug Bounty program.
On a longstanding, fruitful relationship with YesWeHack…
From our initial entry into the Bug Bounty world, we have partnered with YesWeHack. They have assisted us not only in creating our first program but also in its ongoing evolution.
This includes determining which scopes to add, which hunters to invite, which vulnerabilities should be eligible, and how and when to adjust our reward structure and organise events. Recently, we also began using the platform’s triage service, which helps us assess bug reports.
YesWeHack stands out due to their extensive knowledge of offensive security and their strong ties with the ethical hacker community.
On the benefits of Bug Bounty…
Bug Bounty is a great solution to address the new security challenges of agile methodologies and organisations that work in DevOps. Regularly and consistently auditing our entire attack surface [internally] is financially impossible, but Bug Bounty offers a cost-efficient solution to this problem.
On using bug reports to improve internal cyber skills…
Presently, we leverage Bug Bounty reports to train our staff.
To achieve this, we replicated a few of our most significant websites, accessible only within our organisation. We intentionally left some of the vulnerabilities that were reported in our Bug Bounty program on these websites. Our employees then take on the role of ethical hackers to identify bugs that were previously discovered on our application.
It’s an engaging and effective awareness-raising activity that has been successful within our organisation.
Words of wisdom for launching a Bug Bounty program…
An application without bugs does not exist and there are only two types of bugs: those that we know and can address, and those that are yet to be discovered. Bug Bounty is becoming a security standard and it is the [best] way to take your vulnerability research to scale.
You need to start small – but you need to start now!