‘YesWeHack adapted to our needs’: The Bug Bounty story so far for connected health pioneer Withings

If you’re contemplating the addition of Bug Bounty to your security stack then a private, invite-only program is a good place to start.

That’s according to Loïc Deleforterie, Cybersecurity Engineer and Bug Bounty program lead at Withings, the developer of health-tracking devices.

Deleforterie spoke to YesWeHack about why Withings decided to broaden security testing beyond pentests, the challenges navigated so far, its plans to launch additional programs, and the benefits of working with YesWeHack.

Founded in Paris in 2008, Withings launched the first smart scale a year later and now also distributes smart watches, sleep trackers, temperature trackers and blood pressure monitors to 40 countries.

The connected health specialist has more than 350 employees working across offices in France, the US and Hong Kong.

Withings meets the highest international standards for health data security and privacy. Cybersecurity is integrated on several levels at Withings.

Firstly, throughout the company through awareness-raising, phishing training campaigns and security-oriented training for development teams. Secondly, in the technical projects via code reviews and assistance in creating specifications, but also penetration tests.

Finally, in the implementation of increasingly secure solutions to protect the data of our users and employees.

This has enabled us to integrate our products with “Mon Espace Santé”, a secure digital space for storing personal health data proposed by the French Ministry of Health.

We set up a Bug Bounty program for various reasons.

The main one is to ensure the security of our users’ data. But we also wanted to continuously improve our services, to have a complementary tool to penetration testing throughout the year, and to pay for concrete results.

Our Bug Bounty program was launched late 2020 with only our public API and a limited number of researchers.

At first, we learned how to use the tool. Afterwards, we were quickly able to add more applications to the scope, and then increase the number of researchers and the reward grid to get results quickly.

The main challenge was writing the Bug Bounty program. Luckily, the YesWeHack customer support team was very supportive, which allowed us to get our program out quickly.

The second challenge was managing the first reports. Thankfully, we had a well-structured process in place internally.

For 2023, we set two objectives: the first was to launch a public program with our most mature applications in terms of security; the second was to launch a private program dedicated to our products.

My favourite thing about Bug Bounty is the interaction with researchers from all over the world. Most researchers are very cooperative and don’t hesitate to share some tips.

We chose YesWeHack for different reasons.

First, because it is the European leader in the Bug Bounty field, with a very large number of security researchers.

Secondly, because they offer an easy-to-use interface. Finally – and I think this is the most important reason – because they offer high quality customer support.

The relationship with YesWeHack is a true collaboration; the customer success team is always available and provides good advice. YesWeHack was able to adapt to our needs, which allowed us to quickly achieve our cybersecurity goals.

I advise you to start with a private program, which will allow you to get familiar with the tool, and to gradually increase the security level of your applications and to control your spending.

Interesting in learning more about the YesWeHack Bug Bounty & Vulnerability Management Platform? Click the button below to schedule a demo with one of our experts.

About YesWeHack

YesWeHack is a leading Bug Bounty and Vulnerability Management Platform. Founded by ethical hackers in 2015, YesWeHack connects organisations worldwide to tens of thousands of ethical hackers, who uncover vulnerabilities in websites, mobile apps, connected devices and digital infrastructure.
Bug Bounty programs benefit from in-house triage, personalised support, a customisable model and results-based pricing. Clients include ZTE, Tencent, Swiss Post, Orange France and the French Ministry of Armed Forces.

The YesWeHack platform offers a range of integrated, API-based solutions: Bug Bounty (crowdsourcing vulnerability discovery); Vulnerability Disclosure Policy (creating and managing a secure channel for external vulnerability reporting); Pentest Management (managing pentest reports from all sources); Attack Surface Management (continuously mapping online exposure and detecting attack vectors); and ‘Dojo’ and YesWeHackEDU (ethical hacking training).

YesWeHack is ISO 27001 and 27017 certified and hosts its infrastructure in an EU-based private, ISO 27001, 27017/18, CSA STAR, SOC I /II Type 2 and PCI DSS certified cloud.

Find out more at www.yeswehack.com