‘We wanted a lot of researchers testing our scope’: Entrust’s experience scaling a Bug Bounty Program

September 11, 2025

Case study on Entrust’s Bug Bounty Program with YesWeHack

The Bug Bounty Program (BBP) for Entrust’s (formerly Onfido’s) Identity Verification solution would have been worthwhile even if it had only ever produced a single valid vulnerability, according to Luca Sangalli, a security engineer at the company.

This is partly because Bug Bounty Programs surface flaws missed by other testing mechanisms, said Luca in a YesWeHack webinar about Entrust’s experience with crowdsourced security testing so far.

A single-bug outcome for their private BBP would also have been cost-effective, he indicated, since YesWeHack’s pay-by-results model keeps investment proportionate to the number and severity of validated vulnerabilities.

Onfido switched to YesWeHack after managing a one-year program with a rival platform, and the YesWeHack program continued after Entrust acquired Onfido in 2024. With YesWeHack’s help, Entrust’s security team also launched a Vulnerability Disclosure Policy (VDP). Given the workload involved in evaluating findings from several hundred hunters, “it’s really worth having YesWeHack’s triage,” said Luca.

Scaling up rewards

“Bug bounty is not a ‘set and forget’ program,” said Luca. “You need to keep hunters engaged.”

Initiatives such as live hacking events or VIP programs granting early access to new features can help in this regard, he suggested.

But the most obvious tool for sustaining engagement is gradually increasing rewards to reflect the fact that bug discovery becomes harder over time. Accordingly, Onfido’s rewards range from €50 to a maximum of €12k, depending on severity.

“The more hunters you have testing, the more issues they will find, and your product or service will mature security-wise,” explained Luca. “So increasing rewards is also a sign that your service is becoming more secure.”

Of course, you can’t be too aggressive when scaling up rewards. With the help of their YesWeHack customer success manager (CSM), organisations can ensure that bounties reflect asset criticality and fall significantly with each step down the severity tiers, from critical to low, Luca recommended.

‘Fair and honest’ with hunters

Nothing can sour relations with hunters more than disagreements over which of these tiers a vulnerability should fall into, given the impact on their earnings. “We tend to discuss the CVSS score with the hunter and try to be fair and honest,” said Luca.

The InfoSec engineer said they always make themselves available if hunters want to discuss an evaluation they disagree with. In fact, in rare cases, hunters have successfully convinced them to increase severity after a CVSS downgrade by Onfido’s security team. It’s counterproductive to be inflexible on this issue, irrespective of the evidence presented, suggested Luca.


While hunters are incentivised to argue for the highest feasible severity, “we have also had at least two occasions where, after investigating internally, we found additional impact” – giving grateful hunters an unexpected earnings boost, said Luca.

Another potential source of friction is duplicate reports. “The same ‘low hanging fruit’ might be reported over and over again by different hunters,” said Entrust security engineer Joachim Vanthienen. “You’re only going to reward one hunter, so the others might get discouraged – so you have to keep them engaged.”

‘Super knowledgeable’

In choosing YesWeHack, “the most important thing for us was the exposure because we wanted a lot of researchers testing our scope, and the features the platform was offering,” said Luca, citing pricing, automations and integrations as attractions.

He also praised the YesWeHack CSM for Entrust, Tristan Lewitte, as “super knowledgeable. He proactively tries to help us improve the program.”

Joachim, meanwhile, welcomed the provision of “a certificate that shows our customers we’re doing Bug Bounty and continuously improving our products.”

Any organisation can launch a program, with one proviso

Joachim advised other organisations launching BBPs to prioritise their most critical assets, both to mitigate the greatest risks first and because they should already be the most heavily tested. “It’s best to do an external pentest first, then have more of a mature target,” he recommended.

Onfido had a high level of security maturity when it launched its BBP. Should businesses with very different profiles consider launching a program?

“I think any organisation can be ready to launch because you can customise the program” to suit your goals, said Luca. “You can put a single endpoint in scope and pay €500 for a critical – it’s up to you.”

Even lacking a dedicated security team might not be an insurmountable challenge, he said – so long as there’s a pentester or vulnerability analyst in place to oversee bug reports and, where necessary, modify CVSS scores to reflect true impact within the context of the environment. “It helps us that we have former Bug Bounty hunters on our security team. I think it’s really important to have someone available who can understand the vulnerability,” said Joachim.

Is your security team managing a Bug Bounty Program yet? Schedule a Bug Bounty consultation to find out more about the benefits of crowdsourced security testing and how this model can be adapted to the specific needs of your organisation.
