“There are always vulnerabilities,” said Erik Täfvander, head of cybersecurity at ATG: those you know about, those you don’t know about, and those yet to be created.
When it comes to finding them, he told YesWeHack in the interview below, Swedish betting brand ATG has found Bug Bounty to be more productive than pentesting in multiple ways.
In the video and writeup below, Erik also explains how ATG has optimised its approach to crowdsourced security testing, praises YesWeHack’s customer support and triage team, and assures his peers that they “have very little to lose” by road-testing their own program.
Erik Täfvander on ATG's mission and why security is paramount…
ATG is short for the Swedish words – AB Trav och Galopp – and we’re a unique betting company. We’re based in Sweden, and we’re owned by the horseracing industry. We try to offer our customers the world’s best betting experience. And it provides about 30,000 daily jobs in Sweden.
Security is important for us. We need to keep our customers’ trust, and one thing is to make sure that if you bet at ATG, your money is safe and your bet is fair.
On what prompted ATG to launch a Bug Bounty Program…
It was good timing actually. We had been looking into it for a bit. It didn’t really tip over at first, but we did struggle with traditional pentesting. We needed something to keep up [with our needs] – to not only [test assets at] a point in time but continuously get reports.
And what kind of tipped the scale was also the business model: that we reward hunters for providing us with valuable information, and we only reward them when we get the information.
On the program’s evolution since launch…
If I’m not mistaken, we launched in 2021. And we started with a private program with a small, limited scope to see if this was something for us. And frankly, in the beginning, I was a little bit bored, because for a couple of weeks we had not a single report. It was that quiet. And then, something happened – we got an instant 20 reports.
After that, we tried to evolve the program to include new scopes, new assets, improve on our reward levels to keep it attractive. And for, I think, two years now, we have been running a public program, which has a wildcard scope – so you’re allowed to basically try anything out that is [one of our digital assets].
On the biggest challenge they’ve overcome so far…
Oh… good question. The first challenge we met was: who will help us to patch these bugs? That wasn’t that clear in the beginning, so we kind of developed our own documentation and developed techniques to find out who’s responsible for what line of code, and it’s been running much smoother after that.
On the value of YesWeHack’s customer support and triage service…
I appreciate that you make me feel like a partner more than a client. I really, really, really want to send some kudos to the triage team. They are on the ball 24/7 almost, really rapidly giving us their insights on reports that we receive, and helping us during the process.
On the best thing about Bug Bounty…
I think it gives you great insights into what’s going on, because hunters use basically the same techniques as malicious hacking, and we learn a lot from that. Also that we pay a reward to someone who is trying to help us.
And you get fast return on investment. If we get serious vulnerabilities reported to us, it’s worth it all day long to reward the hunter for those vulnerabilities.
On the merits of Bug Bounty versus pentesting…
I would say the political answer is it’s complementing pentesting. But with that said, we have had, I would say, 20 really serious reports that we would never get from a traditional pentest. The collective knowledge that we get from a Bug Bounty Program is huge, compared to a pentest where you hire a couple of researchers or consultants to help you.
On keeping hunters engaged after three years and counting…
We’ve done a lot to keep it attractive but that’s a challenge that we need to work on. It was easier in the beginning – when you started to ramp up scopes, you started to ramp up rewards.
But now that we’re in a wildcard situation, we can’t add many scopes because they are already there. Now we work on how we interact with hunters – that we are really keen to keep them in the loop, appreciate their work, collaborate and try to be as rapid as we can when we pay out the rewards.
On the recipe for Bug Bounty success…
It’s a collective effort because you need colleagues within development, operations and other parts of the business to remediate the bugs reported, because knowing that you have a bug is one thing, but when you actually solve it and patch it, then you have completed the loop.
On whether running a Bug Bounty Program is time-consuming…
From my point of view, there’s not a lot to do. I try to keep my fingers out of the ‘cookie jar’, in terms of looking at the reports! My team manages it beautifully. That’s one [great] thing about this kind of service: the main focus is on remediating vulnerabilities.
Advice for organisations that haven’t yet launched a Bug Bounty Program…
I would suggest trying it out. You actually have very little to lose, because it’s easy to start, easy to quit if you want – but I don’t think you will. You learn about your security posture in a way that you probably didn’t know before.
If you try and you don’t get any reports, I would probably have to buy you a drink or something like that! Because I was afraid in the beginning for us, but now we receive reports continuously. And now, it’s like a self-playing piano in some way.
With the knowledge that we have about ourselves, we know that there are always vulnerabilities. There are those that you know of, those that you don’t know of yet, and those that you haven’t deployed yet. So there’s continuous work to be done in terms of keeping your application secure.
Check out ATG’s public Bug Bounty Program for further details on rules, rewards and scopes.