CrowdSecWisdom #6

OffSec insights for CISOs

Welcome to the sixth edition of CrowdSecWisdom from YesWeHack – curating offensive security insights from our own blog and elsewhere for CISOs, security teams and security-conscious devs. 🛡️

We start our latest edition with fresh Forrester advice to CISOs: make securing supply chains, securing business-critical IT assets and tackling tech sprawl your top priorities for 2025. 📈 “While security leaders say budgets will increase this year, so will tech sprawl, with software costs doubling up spend on hardware and also outpacing personnel costs,” observes the market research firm in its 2025 Budget Planning Guide For Security And Risk Leaders. VentureBeat has penned a useful summary of the results if you don’t want to trawl the full report. 📰

Similarly, the 2024 Security Budget Benchmark Report from IANS Research and Artico Search also observes increases to cybersecurity budgets, albeit the days of double-digit growth are over and a significant minority of security teams are having to perform increasingly complex jobs with either flat or falling budgets. 📉

Clearly, handling myriad threats – not to mention the growing compliance burden and spectre of personal liability – in the context of tight budgets makes for a stressful vocation. 😓 It seems appropriate then to bring to your attention a Q&A between Intelligent CIO and Steve Bray, head of Australia & New Zealand for Cloudflare, about the prevalence of CISO burnout, the factors at play and how to protect security executives from mental overload. 🧠🛡️

Betting big on Bug Bounty

Our latest customer success story sees Erik Täfvander, cybersecurity chief of Swedish betting brand ATG, reveal that, through Bug Bounty, they have received “really serious reports we would never get from a traditional pentest”. ATG, which powers Sweden’s horse racing industry, has enjoyed a more-than-satisfactory return on investment, according to Erik. In the video interview below, Erik discusses why ATG decided to crowdsource security testing, the process of launching and growing the program, and the benefits and challenges encountered along the way. 🐎🔍

In another new customer video, Guillaume Kermarrec, who oversees L’Oréal’s Bug Bounty Program, discusses the iconic cosmetics brand's preparations and hopes for a live Bug Bounty, recorded shortly before the event began at leHACK in Paris over the summer. 💄 Incidentally, we’ve also previously published a recap of the event on our blog and video highlights of the hacking competition. 🏆

Malta considers national VDP… while citizen bug reporters await court date

A public consultation is underway in Malta on a government proposal for a national coordinated vulnerability disclosure policy (VDP). While we must confess to bias insofar as we have a VDP product to pitch, such a policy is surely necessary when you consider the arrest of three computer science students over their reporting (in good faith, they claimed) of a vulnerability in Malta’s largest student application, FreeHour, to the vendor. The university students had asked for a bug bounty but were reportedly ‘rewarded’ instead with being strip-searched, having their computer equipment seized and being given a court date in March 2025 (their lecturer is also being charged as an accomplice). 🚔

Malta is also holding a consultation over its transposition of the NIS 2 Directive, which means that, like many member states, it is leaving it rather late to transpose the expansive new cybersecurity rules into national law. 📜 (A reminder that we have previously detailed key NIS 2 insights and implications for SecOps strategies.)

Closing holes in open source

In reassuring news about open source security, project maintainers are spending three times as much time on security as they did three years ago and have become less credulous of contributors following the XZ backdoor calamity, according to a report from open source security firm Tidelift. 🔒 Less reassuringly, they remain mostly unpaid and overworked. Moreover, given how discouraging this status quo is, they are ageing as a cohort. 😓

This is precisely why in 2023 the Sovereign Tech Fund launched the Bug Resilience Program, which helps time-poor open source maintainers prevent and patch vulnerabilities through technical debt reduction, secure code audits and Bug Bounty Programs managed by yours truly, YesWeHack. 🛠️ Our army of bug hunters has been entrusted with hardening a number of open source libraries that are benefitting from STF funding, including the near-ubiquitous systemd and Log4j, the site of possibly the most impactful vulnerability of all time, no less. 🐞

Relatedly, our very own VP of product, Aïmad Berady, is starring in a panel debate at a Sovereign Tech Fund event on 30 September in Berlin. Aïmad will examine the conclusions of a new STF report to explore the public sector's role in Bug Bounty and discuss the risks and opportunities that arise from publicly funded security initiatives for open source projects. 💡 While this is an invite-only event, policymakers, researchers and industry professionals interested in open source security can still enquire about attending. 📩

Also on the open source front, Stephanie Domas, CISO of Canonical, the makers of the open-source Linux operating system Ubuntu, has written in Forbes about what the EU’s Cyber Resilience Act means for open source.

AI compliance and liability

The potential impact of AI in almost every human endeavour is both mind-blowing and unpredictable – and with unpredictability comes all manner of risk. Organisations should therefore be extremely mindful of the safety and security risks of using AI in any use case, and this includes AI cyber-defense tools – especially now that the US Department of Justice (DoJ) has updated guidelines (PDF) aimed at enterprise compliance officers, instructing them to start evaluating the potential harms of their AI applications and how to mitigate these risks. Organisations, the rules make clear, will be held accountable for the misdeeds of their AIs. 🤖⚠️

Artistic impression of the prediction method used in large language models (Photo from Google DeepMind)

A trio of other interesting stories to highlight this month:

  • A dispute between Automattic and WP Engine, which has been banned from WordPress.org, has “left thousands of end-users without security updates and, by extension, millions of internet users exposed to potential hacks”, reports Bleeping Computer.
  • Eugenio Benincasa, senior researcher in the Cyberdefense Project at the Center for Security Studies (CSS) at ETH Zurich, discusses the outsize influence of Chinese vulnerability researchers and the geopolitical implications in War on the Rocks.
  • A Google Cloud Document AI flaw still allows data theft despite Google having paid a $3k Bug Bounty, according to the researcher who found the issue.

Italy’s first live bug bounty

Finally, a reminder that, as we mentioned in our last edition, we’re about to hold Italy’s first-ever live hacking event, which takes place tomorrow (28 September) in Rome during Romhack 2024! Only then will the hunters discover the identity of the brand in question – the anticipation is building! (Learn about the benefits of live bug bounties here.)

October is seriously busy on the conference front for YesWeHack. We will be showcasing our vulnerability management solutions at Cyber Security World Asia (Marina Bay, Singapore; 9-10 October), Assises de la Cybersécurité 2024 (Monaco; 9-12 October), GITEX (Dubai; 14-18 October), IT-SA (Nuremberg; 22-24 October) and Cyber Security Nordic (Helsinki; 29-30 October). 🌍


Italy is about to host its first-ever live Bug Bounty (this pic is from our Louis Vuitton event earlier this year)

PS. Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, Bug Bounty Bulletin – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.

PPS. This isn’t the only way to keep track of YesWeHack content about industry trends, relevant legislative developments and live hacking events. You can also follow us on X/Twitter and LinkedIn.
