
August 2021

API Personal Access Tokens for scripts and automation

A new authentication method is available for our API: personal access tokens.

Personal access tokens can be generated from the YesWeHack platform and then used to authenticate any application (or user) against the YesWeHack API, with a predefined set of rights, to either read or modify data.

How to generate a Personal Access Token (PAT):

First, note that only users with one of the following roles can generate PATs:
- Business Unit Owner
- Business Unit Manager
- Program Manager

If you have one of the above roles, once logged in to YesWeHack you will find a Personal Access Token management page in your MyYesWeHack menu:

Then, if you click on ‘Create Token’, a creation form appears where you can name the PAT, set its validity period and its scope (i.e. the program(s) it covers and the type of access).

When you submit the form, be careful to save the newly generated token: it will not be accessible afterwards.

The list of your Personal Access Token(s) is available from this same menu, so you can check whether a token is still valid or double-check its associated scope(s) and role(s).

Notes regarding PAT validity:
- If you set an expiry date, you will receive a reminder notification 7 days before the token expires;
- If your membership of a given program (or BU) is revoked, the corresponding PATs are automatically revoked as well;
- You may revoke a PAT at any time.

How to use it:

You will find some details on our API documentation here
Please note that when you use a PAT instead of the OAuth2 flow, you must target ‘api.yeswehack.com’ instead of ‘apps.yeswehack.com’.

In a nutshell, to use a PAT you just need to add the following header to your requests: X-AUTH-TOKEN: {personal_access_token}

Here is an example of a valid request with a PAT:

Important notes:
- Mind the type of role granted to your PAT, as it determines which requests/actions you can perform through the API
- Only requests to the following endpoints can be made with a PAT:
  - /programs/*
  - /reports/*
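As an added example (not code from the original page or from YesWeHack), here is a small stdlib-only Python client that applies the rules above: it reads the token from an environment variable (the variable name YWH_PAT is our own convention), sends it in the X-AUTH-TOKEN header to api.yeswehack.com, refuses requests to anything other than the /programs and /reports endpoint families, and redacts the token in error messages. The path under /programs used at the bottom is a placeholder; the actual routes are in the API documentation.

```python
"""Calling the YesWeHack API with a Personal Access Token (PAT), stdlib only."""
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# From the changelog: PAT requests go to api.yeswehack.com (apps.yeswehack.com is
# for the OAuth2 flow) and carry the token in the X-AUTH-TOKEN header.
API_BASE = "https://api.yeswehack.com"
TOKEN_HEADER = "X-AUTH-TOKEN"
# Endpoint families a PAT is allowed to call, per the changelog.
ALLOWED_ROOTS = ("/programs", "/reports")
# Our own convention (not YesWeHack's): read the token from an environment
# variable so it is never hard-coded in a script or left in shell history.
TOKEN_ENV_VAR = "YWH_PAT"


def load_token(env=os.environ):
    token = env.get(TOKEN_ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV_VAR} is not set")
    return token


def redact(token):
    """Show only the last 4 characters, for log lines and error messages."""
    return "****" + token[-4:] if len(token) > 4 else "****"


def pat_allows(path):
    """True if `path` belongs to one of the endpoint families a PAT may call."""
    if not path.startswith("/") or "//" in path or "/.." in path:
        return False
    return any(path == root or path.startswith(root + "/") for root in ALLOWED_ROOTS)


def build_request(path, token, base=API_BASE):
    """Build a GET request for `path`; fail fast on anything the PAT cannot do."""
    parts = urlsplit(base)
    if parts.scheme != "https" or parts.hostname != "api.yeswehack.com":
        raise ValueError("PATs must be sent over https to api.yeswehack.com")
    if not pat_allows(path):
        raise ValueError(f"a PAT can only call {', '.join(ALLOWED_ROOTS)} endpoints: {path}")
    return urllib.request.Request(
        base + path,
        headers={TOKEN_HEADER: token, "Accept": "application/json"},
        method="GET",
    )


def get_json(path, token):
    """Send the request and decode the JSON body; never echo the token on failure."""
    req = build_request(path, token)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            raise PermissionError(
                f"{err.code} for {path}: check that the PAT ({redact(token)}) is still "
                "valid and that its role/scope covers this action"
            ) from None
        raise


if __name__ == "__main__":
    # Placeholder path under /programs/*; see the API documentation for real routes.
    pat = load_token()
    print(json.dumps(get_json("/programs/my-program", pat), indent=2))
```

The fail-fast checks are deliberate: a request sent to apps.yeswehack.com or to an endpoint outside the allowed families would be rejected by the server anyway, but failing locally with a clear message avoids mistaking a wrong host or path for a revoked or mis-scoped token when a 401/403 comes back.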

And lastly, since traceability is of utmost importance, actions carried out through the API are flagged as such in your Audit Logs, which also show which Personal Access Token was used:


With Personal Access Tokens, you can now painlessly cover a wide range of API use cases.

Any questions? Need help? Get in touch with our support team: support@yeswehack.com

And there is more to come - keep an eye out for it ;)

July 2021

Credentials Management

Let us introduce a new feature that will please both hunters and program managers : credentials management.

In a few words, this new program-level feature lets you import pools of credentials, from which invited hunters can retrieve one or more dedicated accounts to test an application.

N.B.: credentials management can only be used on private programs.

As a Program Manager

Where you used to manage the distribution of test accounts to hunters by email or other means, you can now manage and monitor credential provisioning directly on the YesWeHack platform.

To make this concrete, let us take an example:
-> You have a web application with 3 types of accounts: basic user, advanced user and admin.
-> You want in-depth testing and are willing to provide test accounts for each type of user, so that hunters can exercise all of them.

In your program management pages, you will find a ‘Credentials Management’ menu:

From there, you can create and manage up to 10 different ‘credentials pools’ of up to 500 accounts each.

When you create a new pool, you give it a title, a short description explaining where and how those credentials can be used, and the number of accounts provided per hunter (e.g. each hunter will be assigned 2 sets of credentials).

Once the pool is created, you can provision it with sets of credentials, i.e. valid login/password pairs ;)

To add credentials to a given pool, you can either import a .csv file or add them manually.

N.B.: you can immediately assign a given set of credentials to a specific hunter by filling in the ‘assigned to’ field with the hunter’s username.

In our example, we created 3 separate pools, one for each type of access.

Then, for each credentials pool, you can:
- edit the pool (title, description, number of accounts per hunter);
- consult the status/assignment of credentials;
- revoke/update assignments;
- disable the whole pool.

At any moment, you can check who has claimed their credentials, how many sets are still available or, conversely, how many credential requests could not be fulfilled, so that you add enough in your next batch.

Pro-tips:
- add new sets of credentials before inviting more hunters to the program, so they can get to work right away
- you can list and monitor credentials that were previously distributed outside the platform by using the ‘assigned to’ option

And if you ever need help from us to setup your credentials management, reach out to support@yeswehack.com – we’re here to help!

As a Hunter

Now, if a program offers test accounts, you will immediately see it in the ‘Credentials’ section at the very bottom of the program’s page.

Here you can browse the different credentials pools available for this program and request your own account(s) in one click.

Moreover, you will find details about where to authenticate and what type of access is granted with a given type of credentials (if the program manager provided them).

When you ask for credentials, there are two possible outcomes:

1 - Some credentials are available: the login/password will be accessible a few seconds later in the ‘Credentials’ menu

2 - All credentials are already assigned: program managers are notified of your pending request and you will automatically receive your credentials as soon as they add some to the pool.

In any case, you will be notified as soon as your credz are available.

An email can get lost, a logged request on YesWeHack does not 😎

Efficient, transparent and effortless – in short : better.

Multi-language Vulnerability Disclosure Policy (VDP)

For those who missed it, we offer a set of features that allow organisations to easily set up and manage a Vulnerability Disclosure Policy (VDP) (introduced in the September 2020 changelog).

Organisations operating around the world need to present their security posture in several languages, and today we’re proud to announce that our VDP publication and management features support multiple languages!

An organisation can now define multiple translations of its policy in its VDP settings:

Once a new translation is declared, the following elements can be customized for the selected language :
- Website title
- Page titles
- Redirect links
- Disclosure Policy (or any other text section)
- Image files

Once those modifications are saved and published, anyone browsing the VDP page can select their preferred language (if a translation exists).

This way, no one would be left behind :)


ENJOY (your summer) 🤘

June 2021

Introducing Audit Logs

Accountability and traceability are two important dimensions of information security.

The more programs, reports, members and hunters you have to deal with, the more complicated it is to keep an eye on everything.

From now on, ‘Business Unit Managers’ have access to Audit Logs, where they can track each and every action (creation, modification or deletion) or event related to their:

The log can be filtered by timeframe, search criteria, author, program and event type.

We described the various types of actions as explicitly as possible for readability, but if you want to look into the details you can click on the links (highlighted in red) that take you to the related reports or programs.

Lastly, Audit Logs can be exported in different formats (.csv, .xls, .json and .pdf) for later review, presentation or integration :

N.B: when you apply filters, they will also apply to the generated export (see above)

Where to find your Audit Logs?
Login > ‘My Business Units’ > ‘Audit Logs’ – if you have Business Unit access rights, of course ;)

You’re all set!

Cheers,

May 2021

New tracker supported (YWH2BT): ServiceNow

Our bug tracker integration tool (ywh2bt) offers a new service now : ServiceNow integration.

Effortless and efficient follow-up on fixes is decisive for any organisation that wants to use Bug Bounty as a key component of its vulnerability management process, so we do our best to continuously extend our list of supported trackers to cover the wide diversity of use cases and practices we see among our customers.

In our latest release (2.3.0) we added ServiceNow to our list of supported trackers, with exactly the same features and syncing options as the other trackers (incl. 2-way integration, customizable syncing options, and much more).

To refresh your memories or simply discover what our Bug Tracker Integration tool is capable of, check these Changelog entries:

N.B.: in YWH2BT 2.2 we introduced minor updates, including the option to create ‘confidential issues’ on GitLab.

Want to setup a Bug Tracker integration for your programs? - Reach out to support@yeswehack.com and we’ll help you find the best way to implement it.

We’ll be back soon with more exciting news - take care! :)

March 2021

Bug Tracker Integration updates (YWH2BT v.2.1)

We keep on improving our Bug Tracker Integration tool (ywh2bt) with game-changing features that will make any Program Manager’s life (way) easier.

With this new version, we introduce bi-directional integration, enabling the automatic retrieval of updates and comments from your Bug Tracker ticket directly into the corresponding Bug Bounty report.

No need to go back and forth to know where you stand on a given vulnerability’s status.

How does it work?

For example, let’s say that you’ve confirmed a finding and transferred it to the responsible team for them to apply a fix.

But they have some questions in order to better understand the exploit path.

They will post a comment in the Bug Tracker ticket and it will be synced on the corresponding vulnerability report.

Then, you can reply directly on the report, and they’ll have their answers (thanks to the 2.0 release).

A bit later, they will get to the root of it, deploy the fix… and update the Bug Tracker ticket accordingly.

The report is immediately updated to the ‘Ask for fix verification’ status. Now it’s in the hunter’s hands to confirm the fix!

“Has it been fixed yet? Is there any missing information for my developers to work on it?”

These questions are no longer relevant.

Once the integration is properly configured, you will find everything you need directly on the YesWeHack platform, where you need it most.

You don’t fancy full automation/integration? - No worries, everything can be configured to suit your needs, thanks to a simple GUI.

Supported Bug Trackers:

If you plan to setup the Bug Tracker integration, feel free to reach out to support@yeswehack.com and we’ll help you find the best way to implement it. ;)

Dashboard filters

Bug Bounty is not a sprint, it’s a long-distance run.

Your metrics change over time, and you may need to analyse how they evolve over the year(s).

You may now filter your dashboards on the following :

In case you wondered, these filters can be applied to all dashboards and charts you will find for your Business Unit or a specific Program.

Finer and more precise management : enabled.

Have a good one :)

February 2021

Ranking Points calculation update

To ensure a fair and representative ranking points system, we decided to reshuffle the cards in order to even the odds.

Why those changes ?

We observe a great diversity of reward policies, both in terms of maximum payout and reward curve.

Allocating the same number of points for a 1000€ “medium” and a 1000€ “critical” no longer felt right.

We thought we could improve the accuracy and fairness of our ranking point system by addressing the following points:

With this new ranking points system, we aim to offer everyone the same chance to shine and rise, whatever program they participate in, by giving more weight to a report’s impact than to the absolute reward amount.

So, how does that work ?

For all the Fields medalists out there, and to be 100% transparent about it, our best mathematicians came up with the following formulas:

First, let’s consider this reward grid :

In this case, points will be calculated as follows :

And if you ever wonder how many points you earned with a given report, just check the report logs :)

It goes without saying, but we’ll say it anyway : this change is not retroactive, it does not impact previously rewarded reports.

Wishing you lots of +50-point findings,

Cheerz!

January 2021

Hunters Collaboration on private programs

Fellow hunters,

When hunting on private programs, you are not alone anymore.

Hunters collaboration in a nutshell :

Hunter Collaboration has been available on public programs for a year now (here). Collaboration on private programs works much the same, except that only hunters who are also invited to the program may join. Here is a simple use case to make sure everyone gets it right:

Context: Hun73r has been going round in circles on a given program. Hun73r has a lead on something intriguing but needs an extra pair of eyes to confirm it and dig deeper.

What to do? First, let’s check whether the program accepts Hunter Collaboration.

© indicates that the collaboration is allowed and enabled on this program - good news!

Now let’s find some help, but how? Hun73r needs a way to ask for help on this specific program without disclosing its name to anyone who is not participating.

Each private program with hunter collab enabled has a unique ‘Collaboration ID’ that you can directly share on twitter (or anywhere else) to ask for help.

To check whether you are invited to the same program and answer the call, there are two options:

It’s one thing to know that you could work together, but keep in mind that you should seek mutual consent before sending collaboration invites ;)

Now let’s say that Hun73r has found a collaborator, and thanks to their combined skillz, they found the hidden gem : time to report.

Hun73r is famous for his top-quality reports, so he will compile the findings for the team, then invite his collaborator to share the reward.

Once the report is filed and submitted, Hun73r will find a ‘COLLABORATORS’ menu at the top right of the screen where he can manage the group (invites, bounty values, etc.)

When managing collaborators, it’s possible to have an immediate estimation of each hunter’s share, depending on the bounty values and number of invitees.

A few things to note about collaborators management :

End of story : Hun73r’s SQL33t injection has been accepted and fairly rewarded

N.B.: to avoid decimals, collaborators’ rewards are rounded down to the nearest whole €/$ and the remainder is granted to the hunter who submitted the report.

“I’m a Program Manager, what’s in it for me ?” - It’s 100% seamless for you, nothing to lose but all to gain ;)

TL;DR : we have a nice report collaboration feature available on private programs, check it out!

December 2020

Unwrap your new Dashboards !

It smells like new on our platform’s dashboards, and it’s not all looks.

The kind of cockpit you need to smoothly drive your security down Bug Bounty avenue.

So buckle-up Program Managers, you’re in for a treat!

New looks:

Forget about the old pie chart (or camembert as we frenchy like to call it) and other not-so-handy displays.

Here is your new dashboard view : a better interface for a more effective oversight of your programs management.

Pretty neat huh?

You will also note that there are some new categories here :

New features:

Some features can only be seen (and used) by authorised users, check our role-matrix if you have any doubt ;)

One last thing, just in case : here is presented a ‘Business Unit Dashboard’ but ‘Programs Dashboards’ work just the same.

Bug Tracker integration v.2.0

We have supported Bug Tracker integration with our YWH2BT app for a year now; it is time for new features, tools and use cases.

For those who are one train behind schedule : everything was previously detailed here and there.

For those who want to take it a step further, here it goes :

Install & config GUI :

Bug Tracker integration setup should not be another daunting task, hence our wish to make available tools to smoothen the process.

In particular, the Graphical User Interface (GUI) will allow you to create, modify, validate and convert your YWH2BT configuration files.

Report updates synchronisation :

Since vulnerability reporting is not always a one-shot, you may collect valuable information after report submission and integration: precious details you might need to share with other parties for proper analysis and fixing.

From its integration to its closing, now you can have a full-synchronisation between your YesWeHack reports and Bug Tracker issues by enabling one or several of the following options :

Selected options will then apply to the reports integrated through the given config.

Here’s a glimpse of how it would look on GitLab, GitHub and Jira :

For example : if you have configured the integration for ‘Program 1’, and enabled the ‘private comments’ and ‘status updates’ options, for every report from ‘Program 1’ that has been integrated, further private comments and status updates will be systematically and automatically added to the corresponding Bug Tracker issues.

New comprehensive documentation :

Everything you need to know, from features description to install steps and configuration options - just read me


Long story short, we keep on making life easier for Program Managers and triage process even faster for everyone.

@ Hunters : don’t worry, we are cooking something special for you too :D

And for this last changelog of the year, let us tell you how thankful and proud we are to have been able to count on your trust and devotion during this very special year.

Kudos and thanks to all of you!

October 2020

Reward grid reminder on Reports

Remember when we introduced scopes’ security requirements last year ?

Since then, we have observed wide adoption of this way of managing multi-scope Bug Bounty programs, either to put the spotlight on a critical asset or to take into account the hardening of a given scope.

It’s all satisfying and helpful until this fine-grained bounty calculation becomes a brain teaser because you don’t remember which grid applies to which scope.

To ensure a swift process and avoid confusing back-and-forth navigation on the platform, we figured it would be easier to find that information where you need it most: in the vulnerability reports.

Program Managers and Hunters can now easily check the applicable reward grid for a given report, at a glance.

Fewer mistakes, no more false hopes, faster rewards – it’s a win !

Reward allocation tags & recap

Calculating and allocating a bounty is one thing, keeping the book straight is another.

Some Organisations might need to keep track of every reward sent through the platform : accounting purposes, computing KPIs, or just for fun (who are we to judge).

For that reason, when awarding a bounty, you can now set multiple tags that will help you keep track of every transaction you make.

N.B.: to define several tags at once, you can use commas or tabs as separators ;)

You can also find a reward recap with the total amount (yes, you can send/receive several rewards for a given report) as well as the reward tags. Need to adjust the bounty or update the reward tags ? There are buttons for that, just click.

Of course the job would not be 100% done if this information was only available at the report level.

Now, if you please, go to ‘My Business Units’ > ‘Wallet’ to find your transactions history.

Here, you can apply handy filters to your reward allocation tags to get the spendings breakdown you need.

In this Changelog, tags were used to identify the vulnerable scope (front-webapp) but it’s just a (not so) random use-case.

This simple free-text feature is permissive enough to cover different needs; it’s up to you how you want to use it.

September 2020

Scopes Count

You may have noticed that a new piece of information is now visible on every program: the scope count.

It’s simply the number of scopes listed in a given program, no biggie. Yet we thought it would be useful to have that information at first glance, for hunters as well as program managers.

The scope count is visible on your ‘All programs’ list

… and in the ‘Program Information’ section too

Now, you might ask yourself who has the biggest. But keep in mind that sometimes, less is more ;)

Vulnerability Disclosure Policy (VDP) with ease

While Bug Bounty is and will remain our platform’s raison d’être, we deployed a new set of features allowing Organizations to easily set-up and manage a Vulnerability Disclosure Policy (VDP).

VDP and Bug Bounty should be considered complementary solutions, but they are often mixed up, which always leads to misunderstandings and unforeseen challenges.

Hence our desire to support our customers on that topic as well, with the most comprehensive solution and support, to ensure a clear and unequivocal VDP approach.

Want to know more about how we deal with VDP ? Here you go

We’ll be back soon with more exciting news - cheerz!

July-August 2020

Slack notifications

In a fast-paced environment, you may prefer to use instant messaging over emails in order to view, forward or quickly share important Program notifications with your team.

Not only is it now possible, but it is also very easy to setup.

Step 1 : Add YesWeHack app to your Slack workspace(s)

To start Slack integration, please go to ‘My Business Units’ > ‘Settings’ > ‘Slack’ and you’ll end up here :

Once you click on ‘ADD A SLACK WORKSPACE’, you are redirected to Slack to allow the YesWeHack app to perform actions in your workspace. At this point, make sure to select the appropriate workspace – you don’t want to flood the wrong people.

Once the workspace is selected (top right), click ‘Allow’ to add the YesWeHack app to your workspace. We care about your security and privacy, which is why our app requests only the minimal permissions, as you can see.

Step 2 : Setup the channel(s) on which you want to push notifications

Step 3 : Enable/Disable notification channels for your program(s)

You can link each of your Bug Bounty programs to one of your configured Slack channels using the drop-down list next to the program’s name.

To activate/deactivate Slack notifications for a given program just click on ENABLE/DISABLE.

A few things to note:

Easy peasy!

@Hunters : we know it’s not the most interesting feature release you’ve seen, but hey, anything that could help faster triage & reward … ;)

May-June 2020

After two months of unrelenting efforts, we are happy to announce the deployment of two major features that you will certainly enjoy :

1 - Direct link to Program’s page in reports

This one is clearly a game-changer.

As you can see below, while reviewing a bug or just checking for updates, the program’s page is now one click away.

Click on the Program’s name and you land on the Program’s page. It also works with ctrl + click to open a new tab. Magical.

2 - Copy 2 Clipboard for attachments reference

Whether in the bug description or in a report comment, it’s common to add screenshots and/or .txt files to get to the point.

We know that it can be confusing, and time-consuming, to select the attachment ID, then copy and paste it into the description or comment.

For your utmost convenience, we decided to help a little by adding a ‘copy reference to clipboard’ button.

You still need to paste it somewhere though. ¯\_(ツ)_/¯

This batch of new features is lazy-user-compliant, obviously.

But wait, there is more!

As you can tell by the tone of this changelog, there is nothing to brag about on the functional level.

We have devoted our time and efforts to an important infrastructure and technical components upgrade, to prepare and support our platform’s future.

Happy hunting, happy fixing

April 2020

April Tools

(We’re all safe, thanks!)

No big release this month, we have been busy working on technical upgrades.

What have we been working on ?

Hasta la vista (⌐■_■)

March 2020

Twitter sharing

Got a bounty recently ? Then you must have seen that you can now “share your skills on twitter”.

We know how good it feels to be rewarded and esteemed for hard-work. It would be a shame not to share that pride :D

So, if you click on that link, a post like this will be automatically generated :

And if you ask why the reward amount does not appear in the post : it’s not always about how big the bounty is, don’t you think?

From now on, nobody can ignore your l33t Bug Bounty skillz!

Clients UX/UI improvements

Menus reworking:

We’ve been adding more and more features for program managers during the past months.

We had to take a step-back and find some way to reorganize all that to make sure it comes out handy.

We decided to split the header menu in two parts :

We also modified the submenus of your Business Units so that you have quick access to the most used menus.

As clear as it gets.

License activation process reworking:

Let’s be honest: when onboarding on the platform for the first time, or renewing your license, you want it to be effortless.

License (re)activation is now a two-click process.

Look at all that time you saved to focus on your programs ;)

February 2020

Hunter Collaboration

Team-up to ramp-up!

Hunters can now collaborate on a report to dig deeper, extend the impact of found vulnerabilities and share rewards accordingly.

This feature is only available on public programs.

As a Hunter

If you find a circled © next to a program’s name, it means that Hunter Collab is accepted on this one.

You will then find a short explanation of Hunter Collab feature in the program’s description.

Now, let’s say that you want to submit a report on such a program:

Tell me more about bounty sharing :

/ Hunter1 - Bounty value = 10
/ Hunter2 - Bounty value = 5
/ Total Reward = 2000€
/ Reward Hunter1 = Bounty value1 / (Bounty value1 + Bounty value2) * Total Reward
/ Reward Hunter2 = Bounty value2 / (Bounty value1 + Bounty value2) * Total Reward

In this case, Hunter1 will get 1333,33€ and Hunter2 will receive 666,67€ (screenshot above)
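Both rules this page gives for splitting a reward, the formula above and the January 2021 note that collaborators’ shares are rounded down to whole €/$ with the remainder going to the hunter who submitted the report, as an added Python example (our own code, not the platform’s):

```python
"""Bounty sharing between collaborators, following the rules given on this page."""
from decimal import Decimal, ROUND_HALF_UP
from fractions import Fraction
from math import floor

CENT = Decimal("0.01")


def shares(bounty_values, total):
    """Exact share of each hunter: value_i / sum(values) * total, as a Fraction.
    `bounty_values` maps hunter -> bounty value (ints); `total` is the reward."""
    if any(v < 0 for v in bounty_values.values()):
        raise ValueError("bounty values must be non-negative")
    denom = sum(bounty_values.values())
    if denom == 0:
        raise ValueError("at least one bounty value must be positive")
    return {h: Fraction(v, denom) * Fraction(total) for h, v in bounty_values.items()}


def split_to_cents(bounty_values, total):
    """February 2020 formula, rounded half-up to the cent (the 2000€ example above).
    Pure per-share rounding: with some inputs the cents may not add up to `total`."""
    return {
        h: (Decimal(s.numerator) / Decimal(s.denominator)).quantize(CENT, ROUND_HALF_UP)
        for h, s in shares(bounty_values, total).items()
    }


def split_whole_units(submitter, bounty_values, total):
    """January 2021 rule: round each share down to a whole €/$ and give the
    leftover units to the hunter who submitted the report, so the shares
    always add up to `total` exactly."""
    if submitter not in bounty_values:
        raise ValueError("the submitter must be one of the hunters")
    if int(total) != total:
        raise ValueError("total must be a whole number of €/$")
    floored = {h: floor(s) for h, s in shares(bounty_values, total).items()}
    floored[submitter] += int(total) - sum(floored.values())
    return floored


if __name__ == "__main__":
    team = {"Hunter1": 10, "Hunter2": 5}
    print("to the cent:", split_to_cents(team, 2000))
    print("whole units:", split_whole_units("Hunter1", team, 2000))
```

Keeping the arithmetic in Fractions until the final rounding step avoids the float drift that produces sums like 2000,01€ on larger teams; the whole-unit variant is the one to mirror if you reconcile payouts against the platform, since it is the rule applied since January 2021.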

And if you want to retrieve the reports on which you collaborated, go to your ‘Reports’ menu and search for ‘Collaborative Reports’ in the dropdown list

N.B.: the hunter who submitted the report can manage invitations and, if needed, revoke invited collaborators.

As a Program Manager

By default, hunter collaboration is enabled for all public programs.

But you can enable/disable it by ticking/unticking the ‘Report Collaboration’ checkbox on your program edit page.

When ‘Report Collaboration’ is activated, the program’s page will automatically be completed with a paragraph explaining its key features.

With Hunter Collaboration, you can now interact with several hunters on a given report and benefit from their skillz, without worrying about reward sharing.

That’s all folks!

January 2020

Dry January

Nothing to show this month ¯\_(ツ)_/¯

We’ve been working hard on the next big releases.

Stay tuned!

December 2019

Hunter selection

Who should we invite to our private Bounty party? That’s a question you may ask yourself.

Well, first, you could have a look into our hunter selection feature as it lists the most hacktive hunters of the platform, based on their ranking points and latest submitted reports.

And if you are looking for the best match, you can also filter the list and target a location (Europe/Worldwide) or search for KYC verified hunters only. Your call.

Where to find it?

Then, go to your program’s ‘Hunter Management’ tab and click on ‘+ Select hunter’ (see below)

In this case, go to the ‘Settings’ of your Business Unit, then ‘Groups’, and click on ‘+ Select Hunter’ (see below for more info about groups)

@Hunters : want to be on the list? Be pro-hacktive and get ranking points! - Just saying.

Groups of invitations

A new program does not necessarily mean a new team. You might want to invite the same members and/or hunters to participate.

It is now possible to manage invitation groups for both members and hunters. Thus, you won’t have to invite them one by one on your new programs.

How to manage groups?

1 – Go to your Business Unit menu

2 – Select ‘Settings’ > ‘Groups’

From here you can create, edit and delete groups.

To add members to a group, you only have to enter their usernames or email addresses in the list, using any of the following separators: comma, semicolon or new line.

How to invite groups on a program?

1 – Go to your Business Unit menu

2 – Select ‘Programs’ > Pick one > ‘Hunters Management’ or ‘Members Management’

Whether you are inviting members or hunters, you can now access a new tab called ‘Invite Hunters (or Members) from group’. From there, select the appropriate group to invite, click ‘Send’ and all members of the group will receive an invitation and notification.

Show must go on!

Transaction history export

Remember how many bounties you paid on a given program over the past year? Probably not.

To help with that, you can now export your transaction history in several formats: CSV, XLS, JSON and PDF.

You will find this handy export feature in the ‘Wallet’ menu of your Business Unit (see below).

N.B : all filters applied to your transactions history will also apply to the generated export.

Remember how many bounties you paid on a given program over the past year? Now, you know.

Cheers :)

November 2019

Bug Tracker Integration

We promise, we deliver: our Bug Tracker integration script is now available on our GitHub!

It will automatically crawl for reports with “Ask for integration” tracking status (see October changelog), create a corresponding issue in your bug tracking system and post a comment with a direct link on the report’s page. And it comes with a handy readme file that will help you configure it.

3 different bug trackers are natively supported : GitLab, GitHub and Jira.

Undoubtedly useful and ready to roll – you’re welcome ;)

If you plan to use it, please contact support@yeswehack.com for more info.

Executive reports

Once more, program managers are served with a new feature they probably dreamed of: here comes the executive report!

What’s in it for me?

Simple maths: less time spent on reporting equals more time left for {insert added-value task}.

This new export gives you all the key takeaways for a given program since its very beginning, in a concise and easy to read format:

A few examples below :

How can I get it?

You will find it in the Reports menu:

Select the desired program in the left panel > Click on ‘Export’ button at top right > Choose ‘Executive Report’ > Download the report once generated.

Voilà.

October 2019

Advanced Filters

Dear Program Managers,

We know you were waiting for this one : use advanced filters in your ‘Reports’ menu and focus on your priorities. \o/

You can now apply and combine filters on 4 criteria:

For each criterion, you can select multiple values, as displayed on the screenshot below.

« It would be cool if we could use these filters to generate exports » - Well, we got that covered as well ;)

Once your filters are applied, if you generate an export at program level (see the August 2019 changelog), the export is filtered too, so that it only contains the reports matching your search criteria.

Pretty neat, right ?

Upload files in Program Description

Sometimes, an image (or a .pdf) is worth a thousand words, we say. It’s no different when it comes to Bug Bounty.

Therefore, we generously offer to host your documents in case you need to put them in your Program Description.

How does it work ?

First, upload your file(s) at the bottom of the program edit page.

Accepted formats are : .pdf, .png, .jpeg and .txt

Once uploaded, an ID will be generated for each file. In this case : YWH-P69.

Then, you can either :

Before updating your program, you can make sure that it’s as beautiful as expected by using the preview mode, and congratulate yourself.

N.B.: attached files are only reachable from your program’s page if you reference them in the description, either with a direct link or as an inline image.

Bug Tracking

It’s one thing to track and manage the Hacktivity on a Bug Bounty Program. It’s another to track the tasks it triggers internally.

Therefore, we are proud to announce the release of our Bug Tracking feature.

What is it ?

On each vulnerability report, in the report details section, you will find a new status : Tracking Status.

From there you can update the status with 3 different values : Untracked, Integration Asked and Tracked.

Is that all ?

Nope.

This feature comes with a Bug Tracker integration script that we’ll make available for you on our GitHub very soon. Make sure to keep an eye out for it 😉

With this integration script, you will be able to update the tracking status and push tracking information directly from your bug tracker in the report via private comments.

For example :

Now you can identify, follow and access the issue created in your Bug Tracker directly from the report’s page.

Feel free to contact support@yeswehack.com if you want to know more about this coming feature.

ENJOY !

September 2019

Email alias for Hunters

When onboarding on a new scope, we know you have better things to do than creating temporary email addresses or aliases you won’t remember.

To make things easier for you, we deployed the Email Alias feature, in order to let you focus on what matters the most : testing and reporting.

How can I use it ?

An email alias is automatically generated for all user accounts.

If you want to use it, you just need to go to your ‘My Yes We Hack’ menu and activate your alias by clicking on the ‘Enable’ check-box. (see below)

Then, all emails sent to this alias address will be automatically forwarded to your actual email address, i.e. the one you used to register on the platform.

As simple as that.

As a program manager, what’s in it for me ?

Well, since all these aliases are on the yeswehack.ninja domain, you can now easily distinguish organic traffic from registrations and actions that are bug-bounty related.

Hacktivity sum-up

Want to keep an eye on your hacktivity level ? - We’ve got your back !

From now on, you will receive an email on the first day of each month with a sum-up of your hacktivity : number of reports submitted and amount of rewards received during the month (and much more to come !)

Here is an example of what you may receive (if you put some work into it 😉)

Thanks for your commitment and hard-work - keep it up !

August 2019

Response Template

Program/Hunter interactions are a big part of a Bug Bounty Program’s success. To make things easier, for both veterans and newcomers, we offer a range of pre-written answers for most status changes (screenshot below) and the possibility to create and use your own response templates.

How does it work ?

When you update a report (change status, comment, etc.), you can select a response template by clicking on ‘Select a template’ at the top of the comment text-field. The content of the selected template will be automatically loaded in the comment text-field.

Now you can edit your comment, personalize it, or just send it as it is.

What if I want to create my own templates ?

Nothing could be simpler: go to your ‘Business Unit’ menu, then to the ‘Settings’ sub-menu. From there you can ‘Add a response template’, and edit or delete your existing response templates.

Once created, you will find your response template in the ‘Select a template’ list.

N.B.: Only Business Unit Managers and Business Unit Owners can create new templates, but any member of your organisation can use them (except users with the Viewer role).

Supported Languages

As our community keeps growing, more and more countries are represented on our platform. While most of the platform’s content is in English, the ‘Supported Languages’ feature should help make Program/Hunter interactions more fluid.

Program Languages :

There is a new section in the Program Rules that allows Program Managers to inform hunters about the languages supported on their program.

You will find this section at the beginning of your Program Rules (see below), where you can add as many languages as you speak.

Once updated, Program’s spoken languages will appear on the program page :

Hunter Languages :

Hunters can also specify their spoken languages by editing their profile page. BTW, don’t forget to set your profile as public ;)

Thus, it will be easier for both parties to agree on a language other than English when that is a better match.

Reports Export

To better suit your needs in terms of reporting and budget control, it is possible to export reports in different formats : CSV, XLS, JSON and PDF.

You can either export all the reports of a given program (see below) or a single report.

To export all the reports of a given program :

Exports History :

For a given program, you can browse your export history and retrieve previously generated exports (up to 7 days).

N.B : Filters applied on Reports page, e.g. ‘Accepted’, will also apply to the generated export.

July 2019

Report workflow & Ranking points system

Our ranking points system has evolved quite a lot since inception, and some new rating features have been added.

Here is a complete and up-to-date summary of our report workflow

Want more details? Check our blog post on the report workflow and ranking points system.

June 2019

Scopes’ Security Requirements

Bug Bounty Managers can specify the security requirement of each scope by choosing one of three levels. This tells hunters that reward grids may vary according to the security requirement of the scope.

For instance, a scope that sits behind single sign-on (SSO) should be rated +++.

Please note that, in any case, the amount of the rewards is still defined by each Bug Bounty Manager.

Finally, here is how the different reward grids are rendered:

May 2019

Hunting Requirements

We provide a better understanding of hunters’ requirements regarding the rules of a program:

April 2019

Wallet Threshold

By configuring the wallet threshold in your Business Unit section, you can trigger an alert when your wallet balance reaches the configured amount.

Qualifying bug reports through CWE tagging and remediation resources.

While submitting bug reports, you can select from a menu the right CWE ID to better qualify your findings. Once done, the client will receive not only the CWE ID resource but also a link to a remediation guide.

Enhanced granularity & ACL

Once again, we have improved the granularity of member management. More detailed ACL management lets you tailor the level of responsibility you give to your staff: depending on their roles, you can invite members from your business unit, your security team and your accounting department. The number of members is still unlimited.

March 2019

New features for quicker and improved Bug Reporting !

Our Dev Team issued two new features for you to save time and gain quality while reporting vulnerabilities.

As shown below, you can now access a new menu entry called My Yes We Hack. This section provides a template manager that holds up to five templates; in our experience, five templates are sufficient for the majority of bug hunters. Templates are written in Markdown and can be added or edited in this section.

Now, let’s see a second useful feature to better illustrate and/or document your reports.

While writing a report, you can now insert images, or link to images uploaded previously, by mentioning their ID as shown below:

Click Preview and you will see the result :) Furthermore, our team thought it was relevant to provide syntax highlighting. The example below shows how to insert a code snippet (for example a request captured in Burp Suite), which is rather handy. Then check the preview instantly :)

Syntax highlighting is available for the following list:

Happy Bug Hunting & Happy Reporting !

February 2019

Enabling Your Public Profile as a hunter

If you want to enable your public profile like Kalin, please tick the box as depicted below:

Click Edit

Then tick the box Public

You can also add

and last but not least Update your profile

You’re done! Your profile should be as awesome as this one:

January 2019

New report workflow

We have reviewed the workflow for qualifying bug reports. It is said that a picture speaks a thousand words so please take a look below:

December 2018

New program structure

We have reviewed the structure of the programs by adding several fields.

VPN

Two-factor authentication (TOTP)

We have integrated a two-factor authentication to increase the security level of your YesWeHack account.
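To show what a TOTP second factor actually checks, here is an added Python example of RFC 4226 HOTP and RFC 6238 TOTP generation and verification; it is not YesWeHack’s implementation, and the 30-second step, 6-digit codes, one-step skew window and replay check are common defaults assumed here. The secret used in the stand-alone run is the RFC test-vector secret, not a real key.

```python
"""HOTP/TOTP (RFC 4226 / RFC 6238) generation and verification.
Added example illustrating the mechanism behind a TOTP second factor;
not YesWeHack's implementation. Step, digits and window are assumed defaults."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, unix_time: int, last_counter=None,
                window: int = 1, step: int = 30, digits: int = 6):
    """Return the matching time-step counter, or None if the code is rejected.

    Accepts +/-`window` steps of clock skew, compares in constant time, and
    refuses any counter at or below `last_counter` so that a captured code
    cannot be replayed within the window. The caller persists the returned
    counter per user and passes it back as `last_counter` next time.
    """
    if not (candidate.isdigit() and len(candidate) == digits):
        return None
    now = unix_time // step
    for delta in range(-window, window + 1):
        counter = now + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


if __name__ == "__main__":
    # RFC test-vector secret; a real enrolment uses a random, per-user secret.
    secret = b"12345678901234567890"
    print(totp(secret, 59, digits=8))                                  # 94287082 (RFC 6238 vector)
    print(verify_totp(secret, totp(secret, 59), 59))                   # 1
    print(verify_totp(secret, totp(secret, 59), 59, last_counter=1))   # None: replay rejected
```

The two details that matter on the server side are the constant-time comparison and the stored last-used counter: without the latter, a code phished or captured in transit stays valid for the whole skew window.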

New report structure

The details of bug reports have also been reviewed to give program managers more clarity, and the tools used for qualifying reports have been redesigned to make you more efficient. Together with the public API, these new program and report structures let you make the most of vulnerability reports in your DevSecOps pipeline.

New dashboard

The new dashboard offers you all the statistics related to the reported bugs (severity, status, classification… etc.) but also concerning the amount of paid rewards.

API

We do provide an API so that you can develop or connect your own tools.

Members at all levels

We have improved granularity in member management. You can invite members to your business unit, but also to your programs and reports. The number of members is unlimited.

Profile page

Each hunter now has a profile page that highlights all their activity within the platform, including their ranking. This allows YesWeHack’s client companies to select hunters and invite them into their programs based on their impact score or activity.

New programs display

The display of a program’s details has been completely redesigned to provide a better user experience. In addition to the traditional information related to a Bug Bounty program, we improved -in a very visual way- the current activity on the program (number of reports, thanks… etc.) but also the reward bracket that the security expert can expect.

New billing process

We have completely reviewed the billing process, so that you can comply with the requirements of the tax authorities.

Program versioning

It is not always easy for a hunter to follow the evolution of a bug bounty program over time. That’s why we implemented a versioning feature on the program display.