YesWeHack, the crowdsourced security testing and vulnerability management platform, is the European Commission’s new preferred provider of bug bounty services under a cascade model.
The European Union’s main executive branch has run bug bounty programs to harden open source assets used across EU servers and systems since 2019. A tender launched this year relaunched the initiative with an expanded scope. Having outscored rival platforms, YesWeHack has signed a four-year framework contract potentially worth up to €7,679,875 as the most-favoured provider of bug bounty services.
YesWeHack will support the Commission’s Directorate-General for Digital Services (DIGIT) in organising a series of bug bounty programs as well as vulnerability disclosure policies (VDPs). A roster of handpicked security researchers will test digital assets used by EU entities, including popular open-source technologies. The Commission will collaborate with YesWeHack (and, where applicable, affected open-source projects) to promptly evaluate, validate and remediate any vulnerabilities they discover.
The Commission has long promoted the adoption and development of community-built software within EU institutions, making the security of open source a strategic priority. Amid rising cyberthreats, the latest phase of the Commission’s bug bounty strategy expands the scope to a wider range of open source projects, as well as any EU institutions wishing to leverage crowdsourced security testing to harden their own applications.
Miguel Diez Blanco, Team Lead for Interoperability Enablers and Open Source at DIGIT, commented: “We have high expectations for this new framework contract, and we are confident that YesWeHack, as the first awarded company, will play an important role in achieving our objectives to secure the software we produce, as well as in supporting our ongoing initiatives to better protect open-source projects.”
Public-sector pedigree
The Commission joins government bodies in France, Singapore, Germany, Catalonia, Finland and Quebec on YesWeHack’s diverse client roster.
YesWeHack also has strong credentials in the open-source domain. For instance, the German government’s Sovereign Tech Agency runs various programs for popular open source projects on the platform – including for Log4j, the source of one of the most damaging vulnerabilities of all time, ‘Log4Shell’. The ubiquity of open source, allied with many projects being volunteer-maintained, highlights the importance of the Commission’s bug bounty initiative.
Guillaume Vassault-Houlière, CEO and co-founder of YesWeHack, states: “We’re honoured that the European Commission has entrusted us with securing assets of such critical importance – not only to EU institutions but also to millions of citizens.
“It’s a testament to the spectacular progress we’ve made since launching a decade ago that the world’s largest trading bloc chose YesWeHack after an exhaustive tender process. This decision cements our position globally as the leading alternative to US vendors. However, the real hard work starts now.”
The news swiftly follows two other major milestones for YesWeHack: its first-ever acquisition (of French cybersecurity auditing company Sekost) and its designation as a CNA, or CVE Numbering Authority.
About YesWeHack
YesWeHack is a leading Bug Bounty and Vulnerability Management Platform. Founded by ethical hackers in 2015, YesWeHack connects organisations worldwide with more than 100,000 ethical hackers who uncover vulnerabilities in websites, mobile apps, connected devices and digital infrastructure.
The YesWeHack platform offers a range of integrated, API-based solutions: Bug Bounty (crowdsourcing vulnerability discovery); Vulnerability Disclosure Policy (creating and managing a secure channel for external vulnerability reporting); Pentest Management (managing pentest reports from all sources); Attack Surface Management (continuously mapping online exposure and detecting attack vectors) and ‘Dojo’ (ethical hacking training).
YesWeHack complies with strict security, financial traceability and privacy requirements. YesWeHack’s services are ISO 27001- and ISO 27017-certified and accredited by CREST. YesWeHack’s infrastructure uses EU-based, GDPR-compliant private hosting that meets the most stringent standards: ISO 27001, ISO 27017, ISO 27018, ISO 27701 and SOC 2 Type II. The YesWeHack platform is also permanently subject to a public Bug Bounty Program. Since 2025, YesWeHack has been a CVE Numbering Authority (CNA).
Press Contact
press@yeswehack.com