OVH launches Bug Bounty and Reinforces Security
OVH Bug Bounty allows anyone interested in computer security to report potential vulnerabilities found on its infrastructures. Already tested internally, this program is now publicly accessible on the bountyfactory.io platform. All reported vulnerabilities are examined by the OVH security teams who can take necessary action if needed. Each report linked to a proven vulnerability will be rewarded monetarily in most cases - up to 10,000 euros. Cases outside of the scope of the program will be compensated in the form of ‘goodies’ or vouchers.
A platform hosted in France
Created seventeen years ago, the OVH group has always made security a priority, and bug reporting was already possible via security[at]ovh.net. For Vincent Malguy, SOC (Security Operation Center) team member, “The public launch of Bug Bounty is the culmination of many years of thought. The emergence of the bountyfactory.io platform makes it possible to bring to fruition the project that Octave Klaba wanted.”
The Bug Bounty platforms in existence up to now have all been American. For a company like OVH, which is committed to data sovereignty, it was unimaginable to store the list of vulnerabilities outside of its datacenters in France. The platform which enables OVH to carry out this program is hosted internally on its Dedicated Cloud offer, an infrastructure which has already been ISO 27001 certified for several years.
A consolidated approach to security
Opening the program to the public complements the many internal security measures put in place by the European cloud leader to ensure the security of its infrastructures and customers' data. Beyond its global certification strategy (ISO 27001 and ISO 27017, PCI-DSS, SOC 1 type II and SOC 2 type II for Dedicated Cloud), numerous intrusion tests are conducted internally and externally each year, ensuring that the most critical systems meet the highest standards.
To cover the entire OVH spectrum and minimize the existence of security vulnerabilities, it was decided to standardize the public reporting procedure: “With Bug Bounty, we can constantly test all of our infrastructures with different profiles and various skills. We could never cover such a spectrum over long periods with classical audits,” states Vincent Malguy.
For the moment, Bug Bounty only concerns vulnerabilities dealing with the OVH customer control panel and the API. Very soon it will extend to cover other OVH products.