OVH launches Bug Bounty to reinforce its security.
Presented on the 2nd of July during the 14th edition of Nuit du Hack (one of the oldest French underground hacking events), held in Paris, France, OVH Bug Bounty allows anyone interested in computer security to report potential vulnerabilities found within the scope of the API and the Customer Control Panel. Tested internally, this program is now accessible on the bountyfactory.io platform. The principle is simple: all reported bugs are examined by the security team and, if required, corrective action is taken, then a reward is issued. To attract the best to the OVH Bug Bounty programme, rewards can reach up to 10,000 euros. Each report linked to a proven bug will result in a reward, monetary in most cases and sometimes in the form of ‘goodies’ or vouchers for bugs that are not within the scope of the programme.
Security, at the core of the OVH group
Created seventeen years ago, the OVH group has always made security a priority. Bug reporting was already possible via security[at]ovh.net and has led to several improvements. For Vincent Malguy, SOC (Security Operation Center) team member, “The public launch of Bug Bounty is the culmination of many years of thought. The emergence of the bountyfactory.io platform makes it possible to bring to fruition the project that Octave Klaba wanted.”
In fact, up until now, the bug bounty platforms in existence were all American. It was unimaginable for a company like OVH, which is committed to data sovereignty, to store the list of vulnerabilities outside of its datacentres located in France. The platform which enables OVH to carry out this programme is hosted internally on its Dedicated Cloud service, an infrastructure which has already been ISO 27001 certified for several years.
Today, the platform is open to all: from computer security specialists to enthusiasts, anyone can participate. Just create an account and report any vulnerabilities found. The SOC team members will be notified immediately and issue any required patches. OVH’s quick response is obviously one of the keys to the programme’s success.
Bug Bounty reinforces our security arsenal
Opening the program to the public complements the many internal security measures in place to ensure the security of our infrastructures and customers’ data. Numerous intrusion tests are conducted internally and externally each year, ensuring that the most critical systems meet the highest standards.
To cover the entire OVH spectrum and minimize the existence of security vulnerabilities, it was decided to standardise the public reporting procedure: “With Bug Bounty, we can constantly test all of our infrastructures with different profiles and various skills. We could never cover such a spectrum over long periods with classic audits,” states Vincent Malguy.
Reinforcement of security procedures has also meant obtaining a battery of certifications, including ISO 27001, ISO 27017 and PCI DSS (the standard for hosting financial data), and we are currently working towards becoming certified to host data associated with healthcare. All of these tools and certifications allow OVH customers to host, with complete confidence, their data and applications in the European Cloud leader’s datacentres.