
December 2019

Hunter selection

Who should we invite to our private Bounty party? That’s a question you may ask yourself.

Well, first, you could have a look into our hunter selection feature as it lists the most hacktive hunters of the platform, based on their ranking points and latest submitted reports.

And if you are looking for the best match, you can also filter the list and target a location (Europe/Worldwide) or search for KYC verified hunters only. Your call.

Where to find it?

Then, go to your program’s ‘Hunter Management’ tab and click on ‘+ Select hunter’ (see below)

In this case, go to the ‘Settings’ of your Business Unit, then ‘Groups’, and click on ‘+ Select Hunter’ (see below for more info about groups)

@Hunters: want to be on the list? Be pro-hacktive and get ranking points! - Just saying.

Groups of invitations

A new program does not necessarily mean a new team: you might want to invite the same members and/or hunters to participate in it.

It is now possible to manage invitation groups for both members and hunters. Thus, you won’t have to invite them one by one on your new programs.

How to manage groups?

1 – Go to your Business Unit menu

2 – Select ‘Settings’ > ‘Groups’

From here you can create, edit and delete groups.

To invite new members to a group, you only have to add their username or email address to the list, using any of the following separators: comma, semicolon or new line.
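As an added illustration (not YesWeHack's own code), here is a small parser for an invitation list in exactly that format: it splits on comma, semicolon or new line, drops blank entries, deduplicates e-mail addresses case-insensitively, and reports anything that looks like neither an e-mail address nor a username instead of silently inviting it. The username character set and the sample input are assumptions made for the example.

```python
import re

# Constructed sample input: the three separators from the changelog, mixed with
# stray whitespace, an empty line and a case-variant duplicate e-mail.
SAMPLE_INPUT = "alice; bob@example.com,carol\n\nBob@Example.com ;  dave ,not an email@\n"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # plausible e-mail shape
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")         # assumed username charset


def parse_invite_list(text):
    """Split an invitation list on comma, semicolon or new line.

    Returns (emails, usernames, rejected). Blank entries are dropped, e-mails are
    deduplicated case-insensitively, usernames exactly, and entries matching
    neither pattern are returned in `rejected` so the caller can show them back
    to the user rather than sending a malformed invitation.
    """
    emails, usernames, rejected = [], [], []
    seen = set()
    for raw in re.split(r"[,;\n]", text):
        entry = raw.strip()
        if not entry:
            continue
        if EMAIL_RE.match(entry):
            key = entry.lower()
            if key not in seen:
                seen.add(key)
                emails.append(key)
        elif USERNAME_RE.match(entry):
            if entry not in seen:
                seen.add(entry)
                usernames.append(entry)
        else:
            rejected.append(entry)
    return emails, usernames, rejected


if __name__ == "__main__":
    emails, usernames, rejected = parse_invite_list(SAMPLE_INPUT)
    print("emails:", emails)        # ['bob@example.com']
    print("usernames:", usernames)  # ['alice', 'carol', 'dave']
    print("rejected:", rejected)    # ['not an email@']
```

The point of returning `rejected` rather than raising is that a bulk invitation form usually wants to accept the valid part of the list and highlight the rest.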

How to invite groups on a program?

1 – Go to your Business Unit menu

2 – Select ‘Programs’ > Pick one > ‘Hunters Management’ or ‘Members Management’

Whether you are inviting members or hunters, you can now access a new tab called ‘Invite Hunters (or Members) from group’. From there, select the appropriate group to invite, click ‘Send’ and all members of the group will receive an invitation and notification.

Show must go on!

Transaction history export

Remember how many bounties you paid on a given program over the past year? Probably not.

With this aim in mind, we offer you to export your transaction history in different formats: CSV, XLS, JSON and PDF.

You will find this handy export feature in the ‘Wallet’ menu of your Business Unit (see below).

N.B.: all filters applied to your transaction history will also apply to the generated export.

Remember how many bounties you paid on a given program over the past year? Now, you know.

Cheers :)

November 2019

Bug Tracker Integration

We promise, we deliver: our Bug Tracker integration script is now available on our GitHub!

It will automatically crawl for reports with “Ask for integration” tracking status (see October changelog), create a corresponding issue in your bug tracking system and post a comment with a direct link on the report’s page. And it comes with a handy readme file that will help you configure it.

3 different bug trackers are natively supported: GitLab, GitHub and Jira.
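To make the flow concrete, here is an added example (not the script published on YesWeHack's GitHub, and not its API) of one pass of such an integration loop against an in-memory stand-in for a bug tracker: it picks up the reports whose tracking status is ‘Integration Asked’, creates an issue (or reuses one with the same summary, so a re-run after a crash does not open a twin), posts a private comment holding a direct link, and moves the report to ‘Tracked’. The `Report`, `Issue` and `FakeTracker` classes, the issue-key scheme and the sample reports are all constructed for the example.

```python
from dataclasses import dataclass, field

# Tracking statuses named in the changelog; the script acts on "Integration Asked".
UNTRACKED, INTEGRATION_ASKED, TRACKED = "Untracked", "Integration Asked", "Tracked"


@dataclass
class Report:
    report_id: str
    title: str
    tracking_status: str
    private_comments: list = field(default_factory=list)  # comments the script posts


@dataclass
class Issue:
    key: str
    url: str
    summary: str


class FakeTracker:
    """Constructed stand-in for a GitLab/GitHub/Jira client; not a real API."""

    def __init__(self, base_url):
        self.base_url = base_url
        self.issues = {}

    def find_issue_by_summary(self, summary):
        # Lets a re-run after a crash reuse the issue instead of opening a twin.
        return next((i for i in self.issues.values() if i.summary == summary), None)

    def create_issue(self, summary):
        key = f"SEC-{len(self.issues) + 1}"
        issue = Issue(key, f"{self.base_url}/{key}", summary)
        self.issues[key] = issue
        return issue


def sync_reports(reports, tracker):
    """One pass of the integration loop.

    For every report whose tracking status is 'Integration Asked': create a
    tracker issue (or reuse one with the same summary), post a private comment
    holding a direct link, and move the report to 'Tracked'. Reports in any
    other status are left untouched. Returns the ids that were processed.
    """
    processed = []
    for report in reports:
        if report.tracking_status != INTEGRATION_ASKED:
            continue
        summary = f"[{report.report_id}] {report.title}"  # stable key for idempotency
        issue = tracker.find_issue_by_summary(summary) or tracker.create_issue(summary)
        report.private_comments.append(f"Tracked in {issue.key}: {issue.url}")
        report.tracking_status = TRACKED
        processed.append(report.report_id)
    return processed


def constructed_reports():
    """Sample reports (constructed, not real submissions)."""
    return [
        Report("YWH-R1", "Constructed finding one", INTEGRATION_ASKED),
        Report("YWH-R2", "Constructed finding two", UNTRACKED),
        Report("YWH-R3", "Constructed finding three", INTEGRATION_ASKED),
    ]


if __name__ == "__main__":
    tracker = FakeTracker("https://tracker.example/browse")
    reports = constructed_reports()
    print(sync_reports(reports, tracker))  # first pass: ['YWH-R1', 'YWH-R3']
    print(sync_reports(reports, tracker))  # second pass: [] (nothing left to integrate)
    for r in reports:
        print(r.report_id, r.tracking_status, r.private_comments)
```

The summary-based lookup is what makes the loop safe to run on a schedule: whichever step fails, re-running it converges on one issue and one comment per report.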

Undoubtedly useful and ready to roll – you’re welcome ;)

If you plan to use it, please contact support@yeswehack.com for more info.

Executive reports

Once more, program managers are served with a new feature they probably dreamed of: here comes the executive report!

What’s in it for me?

Simple maths: less time spent on reporting equals more time left for {insert added-value task}.

This new export gives you all the key takeaways for a given program since its very beginning, in a concise and easy to read format:

A few examples below:

How can I get it?

You will find it in the Reports menu:

Select the desired program in the left panel > Click on ‘Export’ button at top right > Choose ‘Executive Report’ > Download the report once generated.

Voilà.

October 2019

Advanced Filters

Dear Program Managers,

We know you were waiting for this one: use advanced filters in your ‘Reports’ menu and focus on your priorities. \o/

You can now apply and combine filters on 4 criteria:

For each criterion, you can select multiple values, as displayed on the screenshot below.

« It would be cool if we could use these filters to generate exports » - Well, we got that covered as well ;)

Once your filters are applied, if you generate an export at program level (see the August 2019 changelog), the export will be filtered too, so that it only contains the reports that match your search criteria.

Pretty neat, right?

Upload files in Program Description

Sometimes, an image (or a .pdf) is worth a thousand words, we say. It’s no different when it comes to Bug Bounty.

Therefore, we generously offer to host your documents in case you need to put them in your Program Description.

How does it work?

First, you have to upload your file(s) at the bottom of the program editing page.

Accepted formats are: .pdf, .png, .jpeg and .txt

Once uploaded, an ID will be generated for each file. In this case: YWH-P69.

Then, you can either:

Before updating your program, you can make sure that it’s as beautiful as expected by using the preview mode, and congratulate yourself.

N.B.: if you don’t use a direct link or an inline image, attached files won’t be available on your program’s page.

Bug Tracking

It’s one thing to track and manage the Hacktivity on a Bug Bounty Program. It’s another to track the tasks it triggers internally.

Thereupon, we are proud to announce the release of our Bug Tracking feature.

What is it?

On each vulnerability report, in the report details section, you will find a new status: Tracking Status.

From there you can update the status with 3 different values: Untracked, Integration Asked and Tracked.

Is that all?

Nope.

This feature comes with a Bug Tracker integration script that we’ll make available for you on our GitHub very soon. Make sure to keep an eye out for it 😉

With this integration script, you will be able to update the tracking status and push tracking information from your bug tracker directly into the report via private comments.

For example:

Now you can identify, follow and access the issue created in your Bug Tracker directly from the report’s page.

Feel free to contact support@yeswehack.com if you want to know more about this coming feature.

ENJOY !

September 2019

Email alias for Hunters

When onboarding on a new scope, we know you have better things to do than creating temporary email addresses or aliases you won’t remember.

To make things easier for you, we deployed the Email Alias feature, in order to let you focus on what matters most: testing and reporting.

How can I use it?

An email alias is automatically generated for all user accounts.

If you want to use it, you just need to go to your ‘My Yes We Hack’ menu and activate your alias by clicking on the ‘Enable’ check-box (see below).

Then, all emails sent to this alias address will be automatically forwarded to your actual email address, i.e. the one you used to register on the platform.

As simple as that.

As a program manager, what’s in it for me?

Well, since all these aliases are on the yeswehack.ninja domain, you can now easily tell organic traffic apart from registrations and actions that are bug bounty related.

Hacktivity sum-up

Want to keep an eye on your hacktivity level? - We’ve got your back!

From now on, you will receive an email on the first day of each month with a sum-up of your hacktivity: number of reports submitted and amount of rewards received during the month (and much more to come!)

Here is an example of what you may receive (if you put some work into it 😉)

Thanks for your commitment and hard work - keep it up!

August 2019

Response Template

Program/Hunters interactions are a big part of a Bug Bounty Program’s success. In order to make things easier, for both veterans and newcomers, we offer you a range of pre-written answers for most status changes (screenshot below) and the possibility to create and use your own response templates.

How does it work?

When you update a report (change status, comment, etc.), you can select a response template by clicking on ‘Select a template’ at the top of the comment text-field. The content of the selected template will be automatically loaded in the comment text-field.

Now you can edit your comment, personalize it, or just send it as it is.

What if I want to create my own templates?

Nothing simpler: go to your ‘Business Unit’ menu, then to the ‘Settings’ sub-menu. From there you will be able to ‘Add a response template’, and to edit and delete your response templates.

Once created, you will find your response template in the ‘Select a template’ list.

N.B.: Only Business Unit Managers and Business Unit Owners can create new templates, but any member of your organisation can use them (except users with a Viewer role).

Supported Languages

As our community keeps growing, more and more countries are represented on our platform. While most of our platform’s content is in English, the ‘Supported Languages’ feature should help make Program/Hunters interactions more fluid.

Program Languages:

There is a new section in the Program Rules that allows Program Managers to inform hunters about the languages supported on their program.

You will find this section at the beginning of your Program Rules (see below), where you can add as many languages as you speak.

Once updated, the program’s spoken languages will appear on the program page:

Hunter Languages:

Hunters can also specify their spoken languages by editing their profile page. BTW, don’t forget to set your profile as public ;)

Thus, it will be easier for both parties to choose a language other than English – if English is not the best match.

Reports Export

To better suit your needs in terms of reporting and budget control, it is possible to export reports in different formats: CSV, XLS, JSON and PDF.

You can either export all the reports of a given program (see below) or one report in particular.

To export all the reports of a given program:

Exports History:

For a given program, you can browse your export history and retrieve previously generated exports (up to 7 days).

N.B.: Filters applied on the Reports page, e.g. ‘Accepted’, will also apply to the generated export.

July 2019

Report workflow & Ranking points system

Our ranking points system has evolved quite a lot since inception, and some new rating features have been added.

Here is a complete and up-to-date summary of our report workflow:

Want more details? Check our blog post on the report workflow and ranking points system.

June 2019

Scopes’ Security Requirements

Bug Bounty Managers can specify the security requirements of a scope by selecting one of three levels. This helps hunters understand that reward grids may vary according to the security requirements of each scope.

For instance, a scope that involves single sign-on (SSO) should be specified as +++.

Please note, in any case, that the amount of rewards is still defined by each Bug Bounty Manager.

Finally, here is the rendering of the different reward grids.

May 2019

Hunting Requirements

We provide a better understanding of hunters’ requirements regarding the rules of a program:

April 2019

Wallet Threshold

By configuring the wallet threshold in your Business Unit section, you can trigger an alarm when your wallet reaches the specified amount.

Qualifying bug reports through CWE tagging and remediation resources

While submitting bug reports, you can select the right CWE ID from a menu to better qualify your findings. Once done, the client will receive not only the CWE ID resource but also a link to a remediation guide.

Enhanced granularity & ACL

Once again, we have improved granularity in member management. More detailed ACL management lets you tailor the level of responsibility you confer to your staff. Depending on their skills, you can invite members from your business unit, security team and accounting department. The number of members is still unlimited.

March 2019

New features for quicker and improved Bug Reporting!

Our Dev Team shipped two new features to help you save time and gain quality while reporting vulnerabilities.

As shown below, you can now access a new menu entry called My Yes We Hack. This section provides a template manager holding up to five templates. In our experience, 5 templates should be sufficient for the majority of bug hunters. In this section, based on Markdown, you can add or edit your templates.

Now, let’s see a second useful feature to better illustrate and/or document your reports.

Generally speaking, while reporting you can now insert images, or link to previously uploaded images by mentioning their ID, as shown below:

Now click Preview and you will see the result :) Furthermore, our team thought it was relevant to provide syntax highlighting. The example below shows how to insert code from Burp Suite, which is rather cool and handy. Then, check the preview instantly :)

Syntax highlighting is available for the following list:

Happy Bug Hunting & Happy Reporting!

February 2019

Enabling Your Public Profile as a hunter

If you want to enable your public profile like Kalin, please tick the box as depicted below:

Click Edit

Then tick the box Public

You can also add

and last but not least, Update your profile

You’re done! Your profile should be as awesome as this one:

January 2019

New report workflow

We have reviewed the workflow for qualifying bug reports. It is said that a picture speaks a thousand words so please take a look below:

December 2018

New program structure

We have reviewed the structure of the programs by adding several fields.

VPN

Two-factor authentication (TOTP)

We have integrated two-factor authentication (TOTP) to increase the security level of your YesWeHack account.
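For readers who want to see what a TOTP second factor actually computes, here is an added example (not YesWeHack's implementation) of RFC 4226 HOTP and RFC 6238 TOTP in plain Python, plus a verifier that tolerates one time step of clock drift and compares codes in constant time. The shared secret is the ASCII key from the RFC 6238 test vectors, so the codes it produces can be checked against the RFC; the `window` default is an assumption, not a platform setting.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector secret (ASCII "12345678901234567890"); a real enrolment
# would generate a random secret and share it with the authenticator app once.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then modulo 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals elapsed since the Unix epoch."""
    return hotp(secret, at_time // step, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step and `window` steps either side.

    hmac.compare_digest keeps the comparison constant-time, and every candidate
    is checked (no early break on the current step) so timing does not reveal
    which step matched.
    """
    matched = False
    for offset in range(-window, window + 1):
        candidate = totp(secret, at_time + offset * step, step, digits)
        if hmac.compare_digest(candidate, submitted):
            matched = True
    return matched


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: T=59, SHA-1, 8 digits -> 94287082
    print(totp(RFC_SECRET, 59, digits=8))
    print(totp(RFC_SECRET, int(time.time())))  # what an app would show right now
```

A production verifier also stores the counter of the last accepted code and refuses anything at or below it, so a code captured once cannot be replayed inside the acceptance window.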

New report structure

The details of bug reports have also been reviewed, providing more clarity to the program manager. The ergonomics of the tools used for qualifying reports have also been redesigned to offer you greater efficiency. These new program/report structures, together with the public API, allow optimal capitalisation of vulnerability reports (DevSecOps).

New dashboard

The new dashboard offers you all the statistics related to the reported bugs (severity, status, classification, etc.) but also the amount of paid rewards.

API

We provide an API so that you can develop or connect your own tools.

Members at all levels

We have improved granularity in member management. You can invite members to your business unit, but also to your programs and reports. The number of members is unlimited.

Profile page

Each hunter now has a profile page on which all their activity within the platform is highlighted, including their ranking. This allows YesWeHack’s client companies to select hunters and invite them into their programs based on their impact score or activity.

New programs display

The display of a program’s details has been completely redesigned to provide a better user experience. In addition to the traditional information related to a Bug Bounty program, we improved, in a very visual way, the display of the current activity on the program (number of reports, thanks, etc.) but also the reward bracket that the security expert can expect.

New billing process

We have completely reviewed the billing process. This enables you to comply with the requirements of the tax authorities.

Program versioning

It is not always easy for a hunter to follow the evolution of a bug bounty program over time. That’s why we implemented a versioning feature on the program display.