Hackers descended on the French city of Lille this week to participate in a live bug bounty event, hosted by European platform YesWeHack.
Four organizations participated in the event, which took place on Wednesday and Thursday (January 28-29), as part of the 2020 Forum International de la Cybersécurité (FIC), an annual conference and trade show.
Companies taking part in the hacker competition included The Red Cross, Oui SNCF, secure messaging provider Olvid, and Cybermalveillance.gouv.fr, a cybersecurity division of the French government.
Having put on the event for a second year in a row, Rodolphe Harand, manager at YesWeHack, commented on how the live hacking competition had grown to represent the present bug bounty market.
“Large organizations spend way more on bug bounties than smaller ones, but smaller ones can also manage to get secured through bug bounties,” Harand told The Daily Swig ahead of the two-day bug hunt.
“It’s about how they leverage the outcomes of those programs and, ultimately, how the platform helps them to do so.”
Harand added: “It shows that bug bounties are not only for Uber or Deezer, it’s for any organization inspired by cybersecurity and willing to address the bugs in its systems.”
App attack
Each participating company offered its own program scope during the live hacking event, with prizes for vulnerabilities found ranging from €800 to €5,000 ($880 to $5,510).
Oui SNCF, a subsidiary of the French train operator, offered hackers the chance to bank €5,000 ($5,510) for the detection of critical vulnerabilities within its international reservation, authentication, subscription, and account management systems.
French messaging start-up Olvid allowed hackers to attack its mobile applications and server infrastructure, with prizes reaching €1,000 ($1,100) for a critical flaw.
The Red Cross, or CRF, put the security of the applications it uses for volunteers, funds raised, and task management to the test. Bounties – up to €750 ($827) for a critical flaw – were paid by YesWeHack.
No denial-of-service attacks were allowed, nor were public disclosures of any discovered bugs. Any hacker was free to take part, as long as they were registered with the YesWeHack platform.
European alternative
Based in France, YesWeHack was established in 2013 to offer an alternative to US bug bounty platforms and encourage more organizations in France to start realizing the benefits of crowdsourced security.
One benefit of hosting a live bug bounty event is spreading awareness of both security programs and the hacker mindset, according to Selim Jaafar, customer success manager at YesWeHack.
“You have hackers, program managers, and owners of the systems that are tested and hacked, all in the same room,” Jaafar told The Daily Swig.
“The hunters can interact with the security team that owns the system to help them figure out the [security] issues, or what an impact of a found bug can be.”
YesWeHack also held a car hacking demonstration in line with this year’s FIC. The platform now has 15,000 hackers participating in its programs, with plans to continue expanding in Europe and Asia.
Source: https://portswigger.net/daily-swig/hackers-bank-big-bucks-at-live-hacking-event-in-france