Swiss Post is very open about the issue. In 2021, it aggressively called on hackers to hunt for weaknesses and security gaps in its e-voting system, and it offered high rewards: anyone who discovers a critical vulnerability in the system receives a bounty of up to 230,000 euros. Swiss Post works with the bug bounty platform YesWeHack to hunt for vulnerabilities.
The number of vulnerabilities identified by YesWeHack hunters doubled in 2021 compared to the previous year. Thirty-five percent of the vulnerabilities found were classified as “critical” or “high.” This means that many enterprise systems and applications would have been seriously compromised had the vulnerabilities not been found and fixed. Among the vulnerabilities discovered, implementation and design errors (secure design, access control) are the most common for the second year in a row. This trend can be explained in particular by the increasing complexity of the applications used.
In an interview, YesWeHack Senior Account Executive Phil Leatham explains how bug bounty programs work and why mutual trust is key to the success of hunter programs.
Bug Bounty is not necessarily new. Why do you recommend that companies focus on it now?
Phil Leatham: Bug Bounty has been around since the ’80s, but it’s coming back. Security challenges have grown exponentially, and IT has become extraordinarily complex and agile. In addition, IT is opening up more and more towards the Internet, so it is no longer operated in isolation in the data center and is therefore vulnerable to external attacks. It might not have been so bad in the past if there were a few security flaws because they were often never found. But now you can’t afford it anymore. The world is so interconnected that all vulnerabilities are found very quickly. At the same time, hackers are becoming more and more professional and want to earn their money with it. That’s why companies have to react and look for additional ways.
How does the assignment work? Do customers choose a bug bounty program or several hunters?
On the one hand, we provide 35,000 hunters via our platform, i.e., ethical hackers who hunt for gaps and errors. On the other hand, our customers want to know whether and how a system can be attacked. If companies want to set up a bug bounty program, they register on the platform and set up a schedule with us. You can choose between a private program, accessible only to the hunters selected by the customer, or a public program, open to all of our hunters. We advise customers on which program is best for their needs. This depends, among other things, on what and where precisely the hunters are supposed to hunt. Typically, these are, for example, URLs or a subdomain. Then the company must determine how much it wants to pay for a found vulnerability. So hunters only get the bounty if they find a vulnerability.
So the price is not always the same?
The price depends on the severity of a vulnerability found, from low to critical. Typically, these are in the low three-digit range for less critical vulnerabilities up to five-digit amounts for critical vulnerabilities. This also depends on the client and the system to be hacked. Bank systems, for example, are usually very secure. If you want to hire a bank hunter, you have to offer something more. Otherwise, hunters can hardly be persuaded to deal with it and look for gaps. Once a program has been set up, hunters are invited to hunt.
But vulnerabilities can exist in entirely different systems. And with digitization, this diversity is increasing. Does every hunter have the same know-how?
We recommend specific hunters to our customers who have worked their way up on our platform through their hunting successes. In addition, they must have the appropriate skills for particular systems. For example, different specialized hunters are needed for IoT systems than for an online shop on a website. One of our customers is a drone manufacturer. You need specialized hunters who know the typical weaknesses of such systems. Once the price and hunters are set, you invite the hunters in, pick a launch date, and then they go out and look for vulnerabilities.
Do you claim to be Europe’s leading hunter platform? What are you up to?
We have the most hunters on a European platform. Currently, there are more than 35,000, and the number is growing every month. And we have a large number of huge customers, almost all of whom we are not allowed to name for good reason. One customer is Swiss Post, which has developed an e-voting system for direct voting in Switzerland, for example for parliamentary elections. This lighthouse project is interesting because Swiss Post wanted to do everything possible to make the system more secure. So the company is open about it. It would be fatal for Swiss Post if elections could be manipulated through a weak point. The Swiss Post voting system is so secure that a hunter receives 230,000 euros if he discovers a critical problem.
Should companies hire hunters multiple times, or is it enough to test a system before officially launching it?
The problem is that every IT system has weak points. The point is to find and fix as many of these vulnerabilities as possible. For this reason alone, a one-off effort is not enough. In addition, today, there is virtually no final state of IT systems. There are release cycles, but agile development means that new functions are constantly being developed, which can each time bring new weaknesses with them. Everything is almost always live and must be continuously monitored.
How does YesWeHack earn money?
We charge our customers an annual fee for using our platform. The companies pay for the bugs found. Hunters do not have to pay us anything to register on our platform. They enter their contact and account details, these are checked, and they get their money as soon as the vulnerability has been found and verified by us.
The task has a lot to do with trust. Couldn’t both a hunter and you abuse the hunt?
Trust is the key to Bug Bounty. We maintain close contact with customers and hunters and are good at mediating. As a rule, companies are not familiar with the hacker community. If they were to set up a program themselves, hunters might not be involved, and the companies would not know whether the hunters were trustworthy. We offer this trust and help companies set up the right bounties and attractive programs for the hunters. Our ranking system for hunters is also helpful. The customers can award points, and the hunters work their way up. New customers can see who the best hunters are. This is our added value apart from the platform.
How are the vulnerabilities found by the hunters evaluated?
We do that for most of our customers. When a hunter reports a vulnerability, we check whether this is the first time the vulnerability has been reported, because only the first finder gets the reward, which is a reason why the hunters also hurry once they have been selected for a program. We also check the hunter’s report for completeness. What did he test? What is the result? Then we check the criticality, since a hunter naturally wants to classify everything as critical so that he earns more money. Based on the report, customers can see how many and which vulnerabilities have been reported and then fix them in a targeted manner.
What is the function of a Vulnerability Disclosure Policy (VDP)?
In addition to the professional hunters who earn their money with it, some people find a vulnerability without looking for it. They do not want to take advantage of vulnerabilities. They must report the vulnerability to the right place. There are always cases where someone reports a vulnerability via email, but nobody takes care of it. A VDP, on the other hand, offers hunters or people who have found a vulnerability by accident a structured and straightforward way to report vulnerabilities officially.
What then is the difference to Bug Bounty?
Bug Bounty is proactive while VDP is reactive. However, the process is similar to Bug Bounty. Only there are no bounties offered. Typically, a company would set up a dedicated website to report vulnerabilities. We recommend setting up a policy and explaining how a vulnerability can be reported. And that there is no money for it. In the past, such reports were received via social media channels. The respondent also wanted a reward, although none was advertised. If you want to get paid, sign up for the bug bounty program.
Ethical hackers had to struggle with legal problems, especially in Germany. Hunters could make themselves liable to prosecution.
The official bug bounty programs and the VDP have solved the problem. Hunters who report vulnerabilities can be sure today that they will not be prosecuted as long as they follow the rules.