Until now, the principle of calling upon ethical hackers in a Bug Bounty environment had had a unanimous response: from the CISO, the CIO, the directors, developers, the purchasing manager… and even the financial manager. All bodies concerned were convinced beyond doubt that this approach would improve the standard of applications and architectural security. All? With one exception, the legal department who felt like a hacker having access to an information system represents, by definition, a risk.
How to handle this situation, to deal with the objections that legal departments are inclined to express in regard to the most recent Bug Bounty approaches?
The cases where security flaws have led to the exposure and theft of information, including personal information, are not hard to come by. In its overview of cybercriminality, the Clusif (Club de la sécurité de l’information français) reports that around fifty major companies were victims of this in 2019 (*), from Facebook and Toyota to GitHub and Capital One (106 million clients affected), including Burger King, Nintendo, Microsoft, and in France, Altran, Ramsay Générale de Santé, M6, Rouen hospital, Fleury-Michon… with considerable financial penalties: Equifax, who were victims in 2018, paid 700 million dollars, the Marriott Hotels paid 123 million dollars and British Airways 183 million pounds.
Each company that was a victim of security flaws was liable for the damage, which would not have been as severe had the security breaches been identified and dealt with sooner. Investing in a Bug Bounty approach is the opposite of a non-investment.
In the case of a breach that could have been identified earlier, the responsibilities will always be shared : the CIO or the CISO will not be the only ones held accountable, general management and the legal department will also be liable, for putting their short term interests (peace of mind and the application of a strict prevention principle) ahead of the long term financial impact and image of the company : are they really ready to run that risk?
The fear that hackers could be tempted to exploit the flaws they discover is a persistent one. In reality, Bug Bounty platforms have to perform a rigorous selection procedure in order to determine the hackers who intervene: Yogosha is the only platform that verifies the identity and the e-reputation of every bug hunter, who also have to pass a series of tests in order to validate their technical and pedagogical abilities, with only one in four managing to complete this stage successfully.
But can a legal director seriously run the risk of a hacker finding and exploiting a flaw that could have been identified and eliminated much earlier?
The objection which relies upon it being preferable to conduct an in-house search for systematic vulnerabilities faces two difficulties: firstly, the amount of time needed to do this (the time spent researching flaws could be spent on other tasks), and also it requires an in-depth knowledge of all the architectures, of the operating systems, networks, point of sales terminals, development terminology and the protocols likely to present weaknesses. It is fair to say you would need to be superhuman to be able to consume and exploit such a large amount of information.
Of course, your security teams have a wide range of abilities and skills but what could be better than calling upon ethical hackers who have experience in the field of discovering flaws, in order to identify, exploit and repair them?
The intervention of bug hunters is subject to a contract, which as every lawyer knows, commits the various parties who have signed it. The clauses of said contract can also be negotiated. This is an essential element in order to ensure confidence. Can a legal director have any doubt about the binding power of a contract?
In principle, no…
The Bug Bounty approach is no longer exclusive as it has been considered to be in the past, where a number of geeks would race to see who could discover the most vulnerabilities within a security system. It is becoming institutionalised, common amongst professional stakeholders.
To the extent that companies who do not have a reputation for being indifferent towards security, are putting their trust in this approach. It is the case, for example, for the Thales group in order to protect their products for the e-commerce platform Cdiscount, to secure the data regarding their 9 million clients, without forgetting the public authorities, to test the security of the new platform dedicated to assisting cyberattack victims (cybermalveillance.gouv.fr).
Companies such as Bouygues Telecom, BNP Paribas, Galleries Lafayette, MAIF, L’Oréal or even Swiss Life and Veolia have also become adherents to Bug Bounties. If the trust in Bug Bounty platforms can be expressed through the clients, it also spreads to the investors, who believe in the sustainability of the model, the reality of the needs and in the momentum of the market. Yogosha raised two million euros at the start of 2020 from renowned investors, including BNP Parisbas Development.
There is no doubt that, progressively, the objections made by legal departments will ease as the reality of the situation (limiting risks and guaranteeing the sustainability of an organisation) will prevail over being cautious. There needs to be an intelligent collaboration between the CIOs CISOs and the legal departments, who need to be involved as early as possible in the Bug Bounty process.
 Clusif Panocrim conference, 21st January 2020. Link: https://clusif.fr/conferences/panorama-de-la-cybercriminalite-annee-2019/
Find all the news and cybersecurity trends directly in your mailbox.