Bug Bounty: The hunt is on

A Bug Bounty program is a campaign offering a reward to a person who identifies an error or vulnerability in a computer program or system.

“Bug Bounty: pay a reward, not a ransom”: it was the title of the Cybersecurity Breakfast #35 sponsored by YesWeHack, one of the main Bug Bounty platforms in Europe. The topic attracted more than 50 people. Selim Jaafar (YesWeHack) gave a general overview of the Bug Bounty program and its working process before the round table with:

  • Astrid Wagner, Partner at Arendt & Medernach;
  • Rayna Stamboliyska, VP Governance & Publics Affairs, YesWeHack;
  • Sven Clement, Député, Piratenpartei;
  • Yoann Le Bihan, Founding co-chair, IAPP Luxembourg Chapter.

YesWeHack gave advises for running a successful Bug Bounty program for beginners and “intermediate” users. When a vulnerability is found by a hunter, it is important to patch it quickly and to reward him without delay.

“How to make sure the hunter will report to the client and nobody else?”, was one of the concerns expressed by the attendance. YesWeHack explained that they run a KYC process for each hacker who registers to their platform. Not exposing oneself too much during a Bug Bounty campaign was another concern. Different ways were exposed by the panel:

1. it is possible to narrow applications or systems to be tested, so that the whole organization will not be “attacked”;

2. it is also possible to give a development environment to the hunters, so the production systems will not be hit by the campaign;

3. you can choose to launch a “private” Bug Bounty campaign to limit the number of hunters who will target you.

The legal aspects of Bug Bounty were also discussed. Even if the situation is not totally clear about the responsibilities and the status of the hunters, the risk taken by running a Bug Bounty program seems to be much lower than the risk taken by doing nothing. Astrid Wagner pointed the specialties of Luxembourg in terms of legal constraints related to the “Autorisation d’établissement”. Yoann Le Bihan remind us the need to protect the privacy of the users and of the bug hunters.

YesWeHack took the opportunity to present their White Paper on Coordinated Disclosure of Vulnerabilities which aims to reduce the legal uncertainty, to promote proper vulnerabilities disclosure means and to improve the communication between vulnerabilities finders and system managers.

Sven Clement insisted on the needed “cultural evolution” in some branches in order to introduce Bug Bounty. The need for regulatory harmonization across the EU was also pointed.

The interest of the public was very high and the discussions continued after the round-table.

Finally, the only flaw this event is that we ran out of coffee at the end of the discussion, which is probably the worst vulnerability for a (ethical) hacker.