Rodolphe Harand of YesWeHack explains how the French bug bounty platform is set to disrupt the marketplace
In 2013, having realized the shortcomings of traditional security audits, three ethical hackers set out to create a process in which researchers could report critical vulnerabilities to companies of all sizes in France.
Years later, what was initially nothing but a side-project for Guillaume Vassault-Houlière, Manuel Dorne, and Romain Lecoeuvre, has now expanded into a platform where approximately 10,000 bug hunters are finding and fixing bugs safely, creating awareness of security, and making a few extra bucks in cash to boot.
Built as the European alternative to bug bounty platforms, YesWeHack is set to disrupt the US-dominated marketplace, having raised €4 million (approximately $4.5 million) with investors in February, and with plans to expand its predominately French businesses focus into organizations in Europe and Asia.
At the Swiss Cyber Storm conference in Bern this month, The Daily Swig sat down with Rodolphe Harand, manager at YesWeHack, to discuss bug bounties, security-by-design, and how the company sees itself next to large US-based platforms like HackerOne and Bugcrowd.
Hi Rodolphe! Could you please talk a bit about the idea behind the YesWeHack platform.
Rodolphe Harand: The idea is to be a European alternative to the US [bug bounty] platforms.
If you are a company you already have most of your IT in US hands: cloud services, providers, all those as-a-service providers, so it would be nice, at least, that the security of this environment maintains some form of balance.
If we don’t succeed, what we will have is the Facebook or Google of bug bounties, which means a single platform managing hundreds, or millions, of bugs and exploits together. The repercussions are potentially huge, so I think it’s really important that any non-American companies have, at least, the choice.
That being said, we do not want to be the ‘French resistance’. We want to be the European alternative.
Our community of hunters is international, we get more and more hunters from Asia every day, but we still want to maintain this kind of European quality level label, which I believe is partly about awareness of the importance of confidentiality and privacy.
Are there any major differences between how the YesWeHack platform is run, in comparison to US-based bug bounty platforms such as HackerOne and Bugcrowd?
RH: We’re hosted in France where no such law such as Patriot Act and Cloud Act applies. We’ve integrated GDPR [General Data Protection Regulation] in the very design of the platform, as the data privacy of both customers and hunters is critical in Europe.
What is the market for bug bounties like in Europe, are they well-known and generally accepted as a way of adding to an organization’s security posture?
RH: In France, bug bounties are generally welcomed because our [YesWeHack] co-founders have popularized the topic for almost a decade now. Bug bounties are very trendy and cool, not as much as in the US, but the rest of Europe has a long way to go.
The Nordics are quite advanced, the rest of Europe is still stagnant, but we can see some signs of change.
I think that Switzerland – thanks, in part, to Swiss Post and the e-voting initiative – is going to be an early adopter of bug bounties in Europe.
How many programs does YesWeHack currently run?
RH: We run more than 200 programs, many in France, but more and more are located in the rest of Europe and Asia.
Due to the current maturity of the European and Asia markets (compared to the North American scene), most of these programs are private. We have about 20 or so public programs.
What are the benefits of running a public bug bounty program?
RH: There are different values between private and public programs.
When you run a private program for five years, a public bug bounty is the most logical next step because, at some point, you need some fresh eyes. It’s the extra mile to receive better security.
Then you have a transparency, or communication aspect. A public program is a way of displaying confidence in your system. You’re saying: I’m challenging you to hack me.
Everyone can see the program, what’s in scope, what bugs have been reported, transparency is a huge pillar of security, and bug bounty programs are a great step for companies to achieve that trust.
Do you have any monetary estimate of how many bounties YesWeHack has awarded since it began?
RH: Unfortunately, we cannot communicate such numbers.
OK. What’s the largest value that a hunter can be awarded for finding a critical vulnerability?
RH: As a company, we don’t communicate on monetary values because we don’t want the market to believe that you need to pay $50,000 to have critical vulnerabilities fixed. That’s not the truth.
We have many start-ups who have a $10,000 yearly budget and want to implement bug bounty programs to become more secure. For them, a bug bounty is way more cost effective than a traditional audit, and we want hunters to work with everyone.
All of the small companies can be afraid of bug bounties because of the publicity surrounding huge payouts, and I think that’s really a media thing. Some platforms leverage this appetite of the media to glamorize sexy stories about huge bounties, which may be part of the story, but it’s not all of it.
What are some of the challenges with implementing an effective bug bounty program?
RH: If you run a bug bounty it implies that you will fix the bugs under the scope of your program.
The sad truth is that many organizations do not fix their bugs because they either don’t want to, or aren’t able to, either for technical or business reasons.
Shouldn’t we be focused on designing secure products from the start, rather than endpoint security that something like bug bounties can provide?
RH: We believe that security-by-design is one of the core values of bug bounties.
With bug bounties we can connect developers with the hunters who reported the bug. First, this creates an awareness effect because, as a developer, you speak to the person who actually found the bug on their application and it’s not the same as an audit or consultancy – the hunter will explain how they found and exploited the bug and how to create a fix.
Developers now have this information and they learn to write more secure code. Customers tell us that it’s completely changed their way of working because developers are taking into account the viewpoint of the hunters.
What do you think we can expect from bug bounty programs in the future?
RH: I think that automation is the future of cyber, and in order to automate effectively in cyber you need validated data.
DevSecOps implies automation, to which you need data, and bug bounties provides this data. You get some bugs, with standard information, and this information can be reused by the customer to automate tasks.
This is the right direction, and we see encouragement, but we also see start-ups launching products without any security audit and the same mistakes being done by the new generation of IT players.