The magic of crowdsourced security: netplus.ch's bug bounty story

Tucked away in the scenic heart of French-speaking Switzerland, netplus.ch SA provides a local touch in the vast world of telecommunications. Jean-Blaise Rey, Head of Applications, is focused on delivering secure and reliable services, emphasizing cybersecurity to protect sensitive customer data. To keep pace with the rapidly evolving cyber threat landscape, netplus runs both a private and public a bug bounty program with GObugfree, tapping into the collective intelligence of ethical hackers to strengthen their digital security.

Jean-Blaise, what led netplus.ch to adopt bug bounty programs as part of your cybersecurity strategy?

Working in a competitive and regulated environment with limited resources and a small IT team, we needed a robust cybersecurity strategy. Our experience with traditional pentesting was limited, often constrained by our focus on rapid market delivery. GObugfree's bug bounty program provided us with a proactive and cost-effective solution to enhance our defenses, providing continuous, professional testing by ethical hackers. The experts at GObugfree guided us in our learning journey: we were able to start small and expand the program as we developed the necessary expertise and capabilities in our team.

Given netplus.ch's position as a smaller player, how has the bug bounty program helped you address these challenges?

The bug bounty program allowed us to extend our cybersecurity capabilities beyond the scale of our in-house team, giving us access to an army of skilled allies. By collaborating with GObugfree, we've harnessed the power of this global team of ethical hackers to swiftly uncover and tackle security challenges. In this way, we are able to confidently address vulnerabilities and enhance our security posture, even with a smaller IT team.

Can you tell us a bit about your bug bounty journey - from the initial skepticism to fully integrating the bug bounty program into netplus.ch's security measures?

When we first started with the bug bounty program, cybersecurity was a new topic for us. There were concerns about exposing vulnerabilities and managing the potential influx of reports. So we started small, testing our public-facing developments with a private bug bounty program that was limited to a handful of security researchers.

We quickly uncovered many vulnerabilities, showing us the gaps in our security practices and teaching our developers invaluable lessons. As we learned and fixed these issues, we expanded the program to include a second program. Our productive code is part of a public program, the scope of the private program is new developments.

Initially, I was the only person reviewing reports from the bug bounty program, integrating findings into our workflow as a secondary task. Now, with dedicated colleagues who bring a passion for cybersecurity, we prioritize and address findings swiftly. This journey has not only improved our security but also prepared us for future regulatory requirements and heightened our overall security awareness. The collaborative nature of the program with GObugfree has not only improved our security posture but also fostered a culture of continuous learning and adaptation within our team.

What have been your key benefits and learnings since implementing the bug bounty program?

The program has been pivotal in raising awareness among our developers - across the company, in fact - about the importance of security from the ground up. It highlighted vulnerabilities we hadn't considered and provided invaluable real-world testing. The collaborative nature of the program with GObugfree has not only improved our security posture but also fostered a culture of continuous learning and adaptation within our team.

How does netplus.ch plan to evolve its security practices?

Currently, our efforts are concentrated on testing developments we've created in-house. However, we're exploring extending the program to include third-party provider platforms, recognizing the critical role they play in our overall security landscape. We're in discussions on how to incorporate these components into our bug bounty program effectively.

Moving towards ISO 27001 certification is a significant milestone ahead. We've already begun laying the groundwork for this comprehensive project, slated to extend into 2024-2025. Achieving this certification demands strict processes and practices, a challenge we're prepared to tackle. The insights and progress fueled by our bug bounty initiatives are proving invaluable, guiding us to strengthen our cybersecurity framework to meet the exacting ISO 27001 certification standards.

Would you recommend GObugfree's bug bounty program to other SMEs?

Absolutely. Our collaboration with GObugfree, a Swiss company, has been invaluable and a cornerstone of our cybersecurity strategy. The direct contact with the program's managers and the personalized support have made our journey with them not just effective, but truly enjoyable. Their deep understanding of our needs and seamless integration into our security practices highlight the program's value. My advice to other SMEs is to embrace the bug bounty model with an open mindset. The external expertise and fresh perspectives it brings can significantly strengthen your cybersecurity defenses, making it a worthy investment for any forward-thinking organization.