Our Information Security Management System (ISMS) obtained ISO/IEC 27001 certification in 2022. Our latest ISO 27001 certificate and statement of applicability can be provided on demand.
TRUST AND SECURITY
We build trust as the foundation of our work
Our ISMS certification was extended to ISO/IEC 27017 in 2023 – strengthening our security controls for using and delivering cloud services and documenting the shared responsibility model of our services.
Our certification covers all organisational units, sites and IT infrastructure involved in building, running and delivering our services. This includes our corporate offices in Paris, Rennes, Rouen and Singapore.
We partner exclusively with European cloud providers, hosting and processing your data only within the EU.
2FA- and SSO-compatible
All platform users can set up Two-Factor Authentication (2FA) via Time-Based One-Time Passwords (TOTP). Customers can enforce 2FA to access their data and set up Single Sign-On (SSO) using SAML 2.0.
Hunter VPN service
Our dedicated SSL VPN can be used to securely tunnel YesWeHack hunters’ packets. Hunter traffic thus appears to originate from a fixed IP address, which can be whitelisted and/or monitored by the customer.
Access to the platform is TLS-encrypted with an A+ security rating. Our servers and backups are AES 256-encrypted. Passwords are salted and hashed. Our backbone network uses encrypted WireGuard tunnels.
Secure by design
Our in-house-developed SaaS relies on reputable frameworks and technologies and follows security best practices, including: regular code reviews, CI/CD, and separate development, pre-production and production environments with no shared data.
Security put to the test
Our thorough vulnerability detection and remediation process relies on our public Bug Bounty Program and Vulnerability Disclosure Policy (VDP), complemented by other preventive best practices, such as system hardening, automated checks and penetration tests.
Proactive and transparent
We actively monitor our systems and strive to promptly assess, resolve and learn from all information security incidents, and to rapidly notify customers, users and authorities. Our platform uptime is publicly monitored on our status page.
Our multi-tiered, multi-location, multi-provider and regularly tested backup strategy, combined with our infrastructure-as-code process, gives us a proven capability to swiftly recover from severe events with minimal to no data loss.
We isolate each internal system within its own VLAN, applying a default "deny all" network policy and whitelisting individual flows on server and backbone firewalls.
Attack prevention and detection
Our platform is protected from DDoS attacks. System administration is carried out through a dedicated VPN, using a bastion host with 2FA. All system and application logs are centralised in a SIEM.
CUSTOMERS IN FULL CONTROL
Customers have full control over who can access and edit their data thanks to our finely tuned Role-Based Access Control (RBAC). User accounts, including those of YesWeHack program management support teams, require an invitation with an assigned role in order to access a customer’s tenants. User account roles can be easily reviewed and revoked.
Vulnerability reports stored by the platform are encrypted with a unique per-report key, which is itself encrypted with a master key held on a separate server. This application-level encryption and decryption, combined with RBAC, is performed automatically, under the hood.
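The per-report key wrapped by a master key described above is the envelope encryption pattern. The following Go example is added here to illustrate it and is not YesWeHack's code: each report gets a fresh 256-bit data key, the report is encrypted under that key with AES-256-GCM, and the data key is then wrapped under the master key. The report ID is bound as associated data so a wrapped key cannot be re-attached to a different report. The master key, report IDs and report text are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedReport is the record the application would persist. Neither field
// is useful on its own: the report needs the data key, and the data key needs
// the master key, which lives on a separate server.
type EncryptedReport struct {
	Ciphertext []byte // nonce || AES-256-GCM(report) under the per-report data key
	WrappedDEK []byte // nonce || AES-256-GCM(data key) under the master key
}

// sealAEAD encrypts with AES-GCM under key, prepending the random nonce.
func sealAEAD(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// openAEAD reverses sealAEAD and fails if the nonce, ciphertext or aad were altered.
func openAEAD(key, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], aad)
}

// EncryptReport generates a fresh data key for this one report, encrypts the report
// under it, then wraps the data key under the master key.
func EncryptReport(masterKey []byte, reportID string, report []byte) (*EncryptedReport, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := sealAEAD(dek, report, []byte(reportID))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealAEAD(masterKey, dek, []byte(reportID))
	if err != nil {
		return nil, err
	}
	return &EncryptedReport{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptReport unwraps the data key with the master key, then decrypts the report.
func DecryptReport(masterKey []byte, reportID string, er *EncryptedReport) ([]byte, error) {
	dek, err := openAEAD(masterKey, er.WrappedDEK, []byte(reportID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openAEAD(dek, er.Ciphertext, []byte(reportID))
}

func main() {
	// Constructed demo master key; a real one is random and never stored beside the reports.
	masterKey := bytes.Repeat([]byte{0x11}, 32)
	er, err := EncryptReport(masterKey, "report-42", []byte("Stored XSS in the search field"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptReport(masterKey, "report-42", er)
	fmt.Printf("%s (err=%v)\n", pt, err)
}
```

Because only the small wrapped key depends on the master key, rotating the master key means re-wrapping each data key rather than re-encrypting every report, and a database dump without the master key yields neither the data keys nor the reports.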