YesWeHackEDU: Addressing talent shortage through Bug Bounty

March 26, 2020

YesWeHackEDU, a fully-fledged educational platform, mobilises real-world hacking techniques for training purposes. YesWeHackEDU provides a reliable approach for reporting vulnerabilities and is a tangible evaluation tool. The platform offers free subscriptions for two months starting from 1 April to help universities during the COVID19 outbreak.

By bringing together ethical hackers (‘bug hunters’) and organisations committed to improving their cybersecurity, bug bounty platforms play an essential role in implementing coordinated vulnerability disclosure and surfacing bugs to reduce cyber risk.

Cybersecurity is both an economic and societal issue. Yet, this sector suffers from an imbalance between the state of the threat and the market’s defence capabilities. Thus, the capacity of public and private actors to detect and correct shortcomings professionally and ethically must be rapidly strengthened. To remedy that imbalance, we need comprehensive training and better information sharing.

Putting our shoulder to the wheel, we released YesWeHackEDU, a unique and fully-fledged educational platform aimed at students and teaching crew alike, in November 2019. Due to the current COVID19 outbreak, we have decided to provide basic two-month free licences to learners and instructors, enabling skill-building to continue despite the pandemic.

Interested? Read on, then.

Formal training vs self-education: complementary yet insufficient

Although universities and training initiatives are multiplying, they are unlikely to mitigate the growing skills shortage. Formal cybersecurity education is unable to replenish the talent pool at a pace that matches the increasing complexity of cybersecurity challenges. In contrast, an overwhelming majority of ethical hackers operating today are self-taught. Self-education is possible thanks to abundant online resources and a growing number of events, which increasingly feature Capture-the-Flag (CTF) type activities.

Both formal education and self-training have shortcomings. University curricula remain too theoretical, with students setting foot in real-world operations only during their internship. The latter often happens at the Bachelor or Master’s level. Pluridisciplinarity is still challenging to achieve, a hurdle especially damaging to cybersecurity and computer science curricula.

Self-education, on the other hand, relies on the individual’s commitment and ability to identify the security-focused courses available and select the ones most relevant to the issue at hand. Even with an effective set of self-directed learning resources available, the lecturer still plays a central role in online education, although that role becomes one of a learning catalyst and knowledge navigator.

The broader connected society understands the challenge. The outcome is new education tools for security, aiming to solve the cybersecurity skills gap through an approach outside the classroom. Both free and paid-for coursework designed by ethical hackers feature amongst those tools, all encouraging and relying on collaboration within the cybersecurity community.

The bug bounty platforms all have a dedicated “Resources” page. A closer examination of these pages, however, reveals a high uniformity of available content.

YesWeHackEDU builds bridges between universities and communities

Bug bounty programs include concrete incentive structures and processes designed to encourage individuals with a range of experience and talent to identify and report potential security vulnerabilities. Embracing this idea requires a real sense of agency on the part of individuals. Yet, relying on the person alone is short-sighted at best. Collaboration through practical situational awareness thus offers an innovative way for formal education to keep up with the rapidly evolving landscape of talent needs.

YesWeHackEDU is a unique and fully-fledged educational platform in both its approach and outreach. It mobilises real-world data in a structured way. Alongside diverse training environments matching different student levels, YesWeHackEDU provides a reliable methodological approach to vulnerability report composition and constitutes a tangible evaluation tool.

Academia needs to capitalise on the available online tools for teaching and welcome innovative approaches to training. YesWeHackEDU is one such progressive development. YesWeHackEDU makes three main educational scenarios possible: as part of a cybersecurity curriculum; as a module for Computer Science curricula more broadly (e.g. software development, data science); as part of life-long learning programs.

YesWeHackEDU as part of a formal cybersecurity curriculum

Crowdsourced security equips organisations with the skills, experience and nonstop coverage of creative and experienced security researchers. These hunters work to identify vulnerabilities before criminals exploit them. This proven model for crowdsourcing the right expertise, applying it when and where needed, and rewarding results is what YesWeHackEDU enables in the classroom.

By engaging students and the teaching crew with the training environment, YesWeHackEDU offers a blended learning approach for cybersecurity curricula. The educational set-up improves learning effectiveness by building upon students’ pre-existing technical knowledge and fostering their proactivity, autonomy and rigour. Since YesWeHackEDU reliably tracks contributions, teachers can follow progress and grade based on a formal and harmonious delivery process.

The ongoing COVID19 outbreak has drawn learners and teachers away from the classroom. Still, cybercriminals are riding the pandemic wave, often adding a cyber crisis to the health crisis. Aligned with YesWeHack’s mission to build bridges between ethical hackers and organisations, we have decided to provide free licences to any university, starting 1 April. Those licences span two months. They will enable teachers and students alike to benefit from top-notch pedagogical resources during the COVID19 pandemic.