‘The red team’s security skills have increased considerably’: Bug Bounty at Bancolombia

February 15, 2024

Bancolombia's Bug Bounty Story with YesWeHack

The Bancolombia Group’s Bug Bounty Program (BBP) has diversified the vulnerabilities unearthed in the financial institution’s systems and strengthened the skills of its offensive security team.

That’s according to Lucas Zuluaga Pérez, part of Bancolombia’s red team and manager of the banking group’s BBP at YesWeHack.

Founded in 1875, Bancolombia Group comprises banks in Colombia, Panama, Guatemala and El Salvador, supported by more than 30,000 employees and 80,000 suppliers. It also operates in the US and the Bahamas.

Translated from Spanish, the following interview sees Lucas discuss the group’s approach to expanding the BBP, the security and red team benefits of Bug Bounty, success factors in crowdsourced security, and the reasons for choosing YesWeHack.

LUCAS ZULUAGA PÉREZ ON THE LAUNCH AND EVOLUTION OF BANCOLOMBIA’S BBP…

Security is of the utmost importance to Bancolombia, as we ensure the protection of more than 16 million customers.

Bancolombia’s Bug Bounty Program started around October 2021. We started with a private program in which five of the best hackers on YesWeHack participated. The program evolved greatly, and within a year we managed to considerably expand its scope, going from two sites to 30 and from five hackers to 50.

ON THE KEYS TO A SUCCESSFUL BBP…

Key factors such as the support of senior management, meaning that our leaders consider cybersecurity a key element, are very important.

Secondly, having the engagement of the technology teams, which positively welcome the reports of the vulnerabilities we identify in the environment.

And thirdly, the involvement of the red team, to raise the bar every day with the support of the triage team and hunters of YesWeHack.

ON THE RED TEAMING AND SECURITY BENEFITS OF BUG BOUNTY…

With our Bug Bounty Program, the red team’s skills have increased considerably. We have vulnerabilities in our checklist that we would not have considered before.

We have achieved great maturity and a great process, which allows us to quickly address vulnerabilities that may at some point affect the confidentiality, integrity or availability of information.

ON CHOOSING YESWEHACK OVER RIVAL PLATFORMS…

When we conducted the request for proposal for the Bug Bounty Program, we saw in YesWeHack some differentiators, such as their experience in Europe and Asia, the number of hunters registered on their platform, and the level of vulnerabilities reported, which could fit perfectly into our ecosystem.

In addition, other elements, such as the documentation we found on their portal and the closeness with the triage team, enabled us to establish a good alliance and a good team.

This allowed Bancolombia to engage in business relations with YesWeHack.

ON THE MOMENT THE PROGRAM’S PERFORMANCE ELICITED SURPRISE AT EXECUTIVE LEVEL…

In one of the meetings, one of our bosses asked for the current status of the Bug Bounty Program. When he publicly stated that we had about 50 hackers, we said: “No, boss – not 50, 250 of them!”

The look on his face said it all: “What do you mean, 250? How much have we grown in the past year?”

The truth is that it was a very relevant fact that shows the maturity that we have been able to achieve with the Bug Bounty Program.

ADVICE TO OTHER ORGANISATIONS LAUNCHING A BUG BOUNTY PROGRAM…

Start small, and as vulnerabilities are identified and the security posture of your organisation is evaluated, you can increase the number of sites, the number of hunters and – why not? – have attractive rewards and bounties, so that the hunters, the researchers, are always incentivised to participate in your program.
