‘An efficient way to uncover vulnerabilities’: Doctolib's five years in Bug Bounty

April 30, 2024

In few sectors is cybersecurity as high a priority as it is in healthcare. At stake are huge volumes of highly sensitive personal information, and even lives.

It’s therefore a testament to YesWeHack that security-testing of medical software used by 340,000 healthcare personnel and 80 million patients should be entrusted to tens of thousands of our Bug Bounty hunters.

In this interview, Cedric Voisin and Paul Marty, respectively CISO and senior product security engineer at Doctolib, reflected on the European healthcare booking platform’s five-year journey in crowdsourced security so far.

Among other topics, the pair discussed Bug Bounty success factors, a trio of special scenarios for claiming maximum bounties, and a ‘panic button’ for hunters embedded within its production instances.

Cedric Voisin on Doctolib's mission…

One, to ease access to care for every patient. The second mission is to ease practitioners’ lives in providing them with handy solutions, in order to ensure that they can focus on delivering care to patients.

Cedric on the evolution of Doctolib's Bug Bounty Program…

We started our Bug Bounty Program five years ago with YesWeHack, first on a very limited scope on the patient side. Then we expanded it to the pro side, in order to stress[-test] the application that we sell to practitioners.

Then we introduced our IT landscape, to finally make the patient program public and raise the bounties associated with those programs.

Paul Marty on increasing the maximum bounty…

Since then, we have made two major updates to our program: first, we raised the maximum bounty to €25,000; second, we have updated our Bug Bounty Program.

High rewards require a very detailed program, which aims to cover all the cases. To address this, we continuously improve, based on the feedback from participants and the YesWeHack team.

Paul on a collaborative vulnerability disclosure process…

The Bug Bounty at Doctolib is a collaborative effort. The YesWeHack triage team will first qualify the report, then a security specialist from our team will take ownership of the entire Bug Bounty process. He discusses [the bug] with security researchers as well as the team in charge of the feature [containing the vulnerability].

Cedric on key factors for a successful Bug Bounty Program…

First, I would say that it is really important to start with a very limited scope, well identified, with which you can act very easily in fixing the vulnerabilities that are shared by hunters, and also limit the financial impact of providing rewards to hunters.

Then, as soon as you gain confidence on that program, it’s really easy to expand it to more and more applications. And the final point is to write a very well-defined vulnerability disclosure policy, in order to state clearly to hunters what is expected from them and what is not.

Paul on what has impressed most about the Bug Bounty model…

Efficiency: it’s a very good way to uncover security vulnerabilities. And when you think about it, the high reward is still a good price for a critical bug.

Transparency: it reflects our willingness to deliver a product with the highest standard of security.

Paul on the support provided by YesWeHack…

YesWeHack acts as a partner that helps us to qualify the reports, improve our program and sometimes to define the high rewards we give to security researchers.

Paul on an exciting new avenue for earning maximum bounties…

We have added three special scenarios where participants can earn the maximum bounty.

First, we have the ‘Game Over’ scenario – if a security researcher can access an environment variable. Second, we have the ‘One Shot’ scenario – if the hunter can access a large dataset of patient health information. And third, the ‘Casper’ scenario – if the security researcher can exploit a critical bug without being detected by the security team.

Paul on Doctolib's ‘panic button’…

All our production instances have a secret button that any security researcher can push at any time to demonstrate that they successfully hacked Doctolib. You can read more about this panic button in our public program.

Looking for fresh bug-hunting targets? Check out Doctolib’s Bug Bounty Program for further details on rules, rewards and scopes.
