YesWeHack is the first ever community of bug-finders in Europe, with just over 5,000 developers specializing in information security. The startup, created in 2013, today claims around twelve employees in Paris, Rennes, and Rouen. In a few words, the company can be described as a community of experts at the head of which sit a few legends of the domain, such as Manuel Dorme, aka Korben, founder of Korben.info and one of the most influential French bloggers specializing in IT. We got really lucky by stumbling upon him at the recent GEN 2018 conference in Metz and having the opportunity to hear out his unique angle on IT, despite the fact that he was scheduled to meet with a host of ministers! In any case, here’s his insider’s scoop on YesWeHack below.
(Featured Image: Manuel Dorme, aka Korben, cofounder of YesWeHack, founder at Korben.info and one of the most influential French bloggers specializing in IT, during GEN 2018 conference in Metz, France / Image Credit © GEN / A Flash Story)
What is YesWeHack exactly?
YesWeHack’s creation in 2013 came about rather organically for two closely related reasons. One, there were no “Bug Bounty” style companies in Europe. And two, we just had to meet the need. Since then, we have seen some pretty rapid development, and we’re currently in a phase of quick growth both with regard to product development and personnel.
YesWeHack currently has its activities based on European soil, and it made sure to do so with a clear goal: to pull together the largest community of bug-finders in Europe at around 5,000.
To give a little background on our major principles, we must talk about opportunity, market angle, and legal framework. We like to think of ourselves as an open community with a wonderful opportunity, and we don’t see an end to future progress. We actually use the same market strategy and principles as our American counterparts… except that we have the unique advantage of European sovereignty!
So, yes, we’re based in Europe, and none of our data nor programs go on the American cloud.
For what it’s worth, we do our due diligence to make sure we’re in accordance with European law, notably laws against money laundering, anti-terrorism laws, and KYC (Know Your Customer) rules.
Because of this, we have become a solid point of reference for European companies that really need the assurance that external parties will protect their industrial secrets. They don’t want their data stored outside of Europe, for example, and we made sure to comply from the get-go.
Can you tell us a little more about “Bug Bounty” and YesWeHack’s internal functions?
To start with the basics, you have to understand that our business is two-sided. Our services could prove invaluable on the black market, or even in less overtly illegal zones. But at YesWeHack, we believe in acting completely within the legal framework: companies pay in order, one, to purchase away their vulnerabilities, and two, to augment their security.
A “Bug Bounty” is a reward that a company offers to anyone who can find, you guessed it, bugs in their security systems and data protection protocols. Our community of what we call bug-finders locates, analyzes, and brings to the attention of clients any weak points in their security measures. These finders are compensated only at the end and in proportion to the importance of the fault. The price can vary between 100€ and 10,000€ depending on what the client is ready to pay.
The “Bug Bounty” really needs to be seen as another tool in the protective arsenal of a company seeking to reduce its risk. In contrast to an audit, which delivers a “state of affairs” at a given moment T, a “Bug Bounty” operates in the long term, twenty-four hours a day, seven days a week. Participating companies are thus proactive in this partnership because they don’t want to wait and pray that nothing will happen!
What novel aspects of the trade does YesWeHack offer today?
We henceforth offer public programs as well as private ones. Private programs are only open upon invitation and only to a limited number of bug-finders—limitations aimed at really drilling out and displaying major problems.
Whereas with a public program, a company will benefit from four times the return! In public programs, companies call upon our entire community to search out potential bugs. It’s an extended hand that says to the community: “Come on, we have no fear of finding bugs!” It has become a categorical “duh” to find errors when they exist, and not to end up in a bind.
Among our many partners we have BlaBlaCar, Qwant and even OVH. We are also working diligently for nonprofits that don’t have the budget for this kind of security but that still really risk their entire activity by leaving potential loopholes in their systems open to predators. For example, Reporters Without Borders is one of our clients.
We have also developed a separate platform called ZeroDisclo.com that gives the community the power to contribute to the global securitization effort in the private sector. Whistleblowers can in this way bring up potential problems on the platform that, without action, would leave the company vulnerable to eventual cybercriminal attacks. In this sense, we create the bridge between the bug-finder and a CERT (Computer Emergency Response Team), which can sometimes poorly interpret an intrusion of bug-finders in their systems.
It is worth noting that with this platform, found errors go without financial reward to the bug-finder. The finder simply does his good Samaritan duty by reinforcing global security. Our community is here to work towards the good, and we’re proud of that.
Do startups ever reach out to YesWeHack?
We don’t have very many startups seeking out our services. For many of them, bringing in a Bug Bounty is difficult and not seen as really necessary. It’s funny because nothing could be further from the truth, as companies only pay for concrete results… or, in other words, if there is a problem! The lack of extensive operating budgets is most often the claimed culprit, and it’s understandable. However, it’s kind of a bummer given that the potential risks are far more severe without a Bug Bounty.
There’s also the fact that in people’s imagination, the presence of a Bug Bounty will incite criminals to come attack the company. This is simply not true. You can rest assured that a criminal is not going to wait to attack if he really wants to. Whether there is a Bug Bounty or not doesn’t change a thing.
How does the future look for YesWeHack? Do you have your eyes on reinforcing digital security?
Bug Bounties are more and more present in Europe, which is counterintuitively a good thing. According to our research, there are over 1000 public ones and even more working in private, especially in the United States. We have also created FireBounty, which aims to aggregate Bug Bounties and offer the community a clear image of Bug Bounties available on the market. We know that our community is not always content with YesWeHack and will thus leave to work for competitors. But our community is our strength. Without them we will cease to exist, and we won’t forget it. Pampering them and showing them a good time is absolutely paramount, and FireBounty is actively engaged in the effort.
In terms of our future, we feel very confident. Cybercrime is only growing, and our workload with it! More seriously, the advent of the GDPR legal guidelines is going to bring us more business. We have already realized that and prepared for it. The Bug Bounty has become an additional tool to use in aligning oneself with these new obligations in the security of personal data.
We would also like to take action to bring a different vision to cybercrime and to provide better digital security at the European scale. With that in mind, we joined the Alliance pour la Confiance Numérique (ACN, Alliance for Digital Trust, in English). We cannot function all alone, and we must lock arms with other actors at the European level. Together, we are so much stronger.
The question of European sovereignty is a subject that we must all ask ourselves as a community. How do we see our own security insofar as we are European? And above all, must we depend on other actors, such as the United States, or should we function independently? All of these questions are essential and must be at the heart of discussions on the continent.
We must act in such a way that we bolster the level of security in our companies and in our European institutions.