Fighting malware at the roots

November 12, 2019

YesWeHack organises bug bounty programmes to disclose and correct vulnerabilities before malicious tools get in. A year after joining the Paris Call, we look back at how we have contributed to furthering peace in cyberspace.

On 12 November 2018, hundreds of partners gathered to launch the Paris Call for Trust and Security in Cyberspace. The Paris Peace Forum kicked off on 12 November 2019 to continue building upon the Call and to showcase peaceful global governance initiatives from around the world.

YesWeHack is Europe’s bug bounty leader and a first-hour Paris Call signatory. Bug bounty bridges the gap between discoverers and vendors, thus structuring a Coordinated Vulnerability Disclosure (CVD) process and clarifying the benefits for all. Bug bounty is, therefore, an accessible, legal and value-generating framework that discourages state and non-state actors from stockpiling vulnerabilities.

Furthermore, by enabling actual CVD, bug bounty is a viable economic alternative to vulnerability-oriented black markets. Our active contribution to decreasing the proliferation of malicious uses of digital products is thus twofold.

Protecting NGOs and civic-tech initiatives

YesWeHack promotes proactive vulnerability disclosure by providing bug bounty programmes for NGOs and civic tech initiatives, bearers of democratic values. Those programmes unfold during the International Forum for Cybersecurity (FIC), held yearly in Lille, France. More specifically, YesWeHack provides the full operational power of its ethical hackers’ community and ensures that researchers get an adequate reward for reporting vulnerabilities to the participating NGOs.

For its 2019 edition, “le FIC”, as it is known amongst its French-speaking community, hosted a two-day bug bounty we organised. A unique line-up of NGOs benefited from our hunters’ skills: HelloAsso, iRaiser, Croix Rouge, CapCollectif, OpenStreetMap and Destination Rennes. Its 2020 edition will again see YesWeHack’s recurring effort to improve the security of NGOs’ infrastructures. The 2020 edition takes place at the end of January, and we are currently inviting NGOs to join (so watch this space for more!).

Coordinated Vulnerability Disclosure, a sustainable way to root malware out

A CVD process aims at reducing risk and ultimately mitigating the potential damage caused by a security vulnerability. Even though patch deployment or report publication are indicators of efficient cooperation between vulnerability discoverers and the affected vendors, the CVD process cannot be reduced to any of those events alone.

Instead, Coordinated Vulnerability Disclosure is the process of collecting information from security researchers, coordinating the sharing of that information amongst concerned parties, and subsequently disclosing the existence of vulnerabilities and their mitigation measures to various stakeholders, including the general public.

Bug bounty ensures and fosters such coordination. YesWeHack thus remains true to its values and to its commitment to the Paris Call’s Principle 5 by actively participating in establishing a harmonious CVD approach. By consistently promoting CVD as a means to significantly increase the likelihood of success of any vulnerability response process, YesWeHack aims at bringing about a meaningful alternative to malware proliferation.

And in the end, everyone wins.