‘Our businesses are reassured that we’re protecting their activities’: Les Mousquetaires CISO on leveraging live hacking events

June 6, 2024

Dozens of vulnerabilities discovered and promptly remediated is a reliable measure of a Live Bug Bounty’s success.

However, the immediate hardening of applications used by certain European supermarket and DIY chains was apparently not the only benefit of a live hacking event that took place at leHACK, in Paris in 2023.

The then Digital Lab technical lead at Les Mousquetaires said findings from the live hacking event – which also featured scopes from the French Red Cross – would help the French distributor and symbol group “anticipate corner cases” in software development and implement “security by design”.

And in an interview with YesWeHack, Fabrice Bru, CISO at STIME, the IT department of Les Mousquetaires Group, observed that live hacking events facilitated fruitful collaboration with ethical hackers and offered stakeholders reassurance about their security posture.

Read or watch the interview below to also hear Fabrice Bru’s reflections on the Bug Bounty journey so far and the benefits of partnering with YesWeHack, for both continuous security testing and intensive live hacking events.

Les Mousquetaires (‘The Musketeers’ in English) operates 4,100 retail stores in France, Belgium, Portugal and Poland, as well as logistics hubs and support services. Retailers in its stable include Intermarché, Netto, Bricomarché, Bricorama, Brico Cash, Roady and Rapid Pare-Brise.

FABRICE BRU ON THE BUG BOUNTY JOURNEY SO FAR…

We started the Bug Bounty initiative in November 2022, initially on the intermarche.com website, which is an e-commerce site, with around 10 researchers to start with, and gradually we increased the number of hunters to 80.

The whole point for us is, beyond having an occasional overview of the security state of our site, to have constant monitoring of all the vulnerabilities and potential cases of fraud that we could have on the e-commerce site, since we carry out daily updates on this site.

ON THE LIVE BUG BOUNTY SCOPES…

For this Live Bug Bounty, we obviously included the Intermarché e-commerce site in the scope. We also wanted to add the e-commerce sites of our DIY stores: Bricomarché, Bricorama and Brico Cash. We are also in the process of opening up a new application to our suppliers and shops, which will become an essential part of their day-to-day operations at points of sale, and we also wanted to assess its security through this event.

ON THE LIVE BUG BOUNTY SO FAR [THE INTERVIEW WAS CONDUCTED PARTWAY THROUGH THE EVENT]…

So far, the Live Bug Bounty is going very well for us. Four people from the STIME teams are here – three from the cyber teams and one from the development teams – to try and assess as fully as possible the business impact of the four vulnerabilities identified by the hunters [at the time of the interview].

I have to say that, for the time being, we're actually achieving our objectives, since we’ve started to identify some very interesting cases.

ON THE VALUE OF PARTNERING WITH YESWEHACK…

The collaboration with YesWeHack obviously began before we started our Bug Bounty Program.

We worked very closely with the [YesWeHack] teams. We were able to review the solution and, above all, when we started, what we really enjoyed was the quality of the hunters, their relationship with the YesWeHack teams and the quality of the triage, which saved us an immense amount of time and enabled us to focus on what is essential.

And when you start this kind of initiative, you never really know how much you're going to spend in rewards, and the whole point of being supported by YesWeHack has been to gradually learn how much to value a vulnerability reported by the hunters.

Today's collaborations are very fluid and close-knit. During the event today, we have managed to meet hunters who regularly hunt on our sites, so it's a great way of networking and getting close to them. It’s amazing!

ON THE VALUE OF HARDENING DIGITAL ASSETS THROUGH LIVE HACKING EVENTS…

For STIME, taking part in this event is also about demonstrating the dynamism of our cyber teams, using all the techniques and innovations that exist in our profession today to assess the level of maturity and security of our sites, and reassure our businesses about our ability to protect the company’s activities.
