Bug Bounty - Help us reinforce our security!

The program for reporting bugs on OVH infrastructures is accessible to all at bountyfactory.io. The objective: to continually improve the security of the services offered by the European cloud leader.

Presented on July 2 during the 14th edition of Nuit du Hack (one of the oldest French underground hacking events), held in Paris, France, OVH Bug Bounty allows anyone interested in computer security to report potential vulnerabilities found within the scope of the API and the Customer Control Panel. Tested internally, this program is now accessible on the bountfactory.io platform. The principal is simple: all reported bugs are examined by the security team and if required, corrective action taken, then a reward issued.

To attract the best to the OVH Bug Bounty program, rewards can reach up to 10,000 euros. Each report linked to a proven bug will result in a reward, monetary in most cases and sometimes in the form of ‘goodies’ or vouchers for bugs that are not within the scope of the program.

"To attract the best to the OVH Bug Bounty program, rewards can reach up to 10,000 euros. Each report linked to a proven bug will result in a reward, monetary in most cases and sometimes in the form of ‘goodies’ or vouchers for bugs that are not within the scope of the program."

Security, at the core of the OVH group

Created seventeen years ago, the OVH group has always made security a priority. Bug reporting was already possible via security[at]ovh.net and has led to several improvements. For Vincent Malguy, SOC (Security Operation Center) team member, “The public launch of Bug Bounty is the culmination of many years of thought. The emergence of the bountyfactory.io platform makes it possible to bring to fruition the project that Octave Klaba wanted.” In fact, up until now, the bug bounty platforms in existence were all American. It was unimaginable for a company like OVH, which is committed to data sovereignty, to store the list of vulnerabilities outside of its datacenters located in France. The platform which enables OVH to carry out this program is hosted internally on its Dedicated Cloud offer, an infrastructure which has already been ISO 27001 certified for several years.

Today, the platform is open to all, from computer security specialists to enthusiasts, anyone can participate. Just create an account and report any vulnerabilities found. The SOC team members will be notified immediately and issue any required patches. OVH’s quick response is obviously one of the keys to the program’s success. A secondary benefit - white hats are quickly rewarded for their work, within a week, maximum. OVH has a simple rule: if a report leads to a patch, the person responsible for making the report shall receive the reward. This rule will provide transparency to the white hat community, without whom this type of program would not have any value. In addition to contributing to more fluid communication, the bountyfactory.io platform permits OVH to manage the reported bugs in a structured and transparent manner.

“Bug Bounty reinforces our security arsenal”

Opening the program to the public complements the many internal security measures in place assuring the security of our infrastructures and customers’ data. Numerous intrusion tests are conducted internally and externally each year, assuring that the most critical systems meet the highest standards. To cover the entire OVH spectrum and minimize the existence of security vulnerabilities, it was decided to standardize the public reporting procedure: “With Bug Bounty, we can constantly test all of our infrastructures with different profiles and various skills. We could never cover such a spectrum over long periods with classical audits,” states Vincent.

Reinforcement of security procedures has also meant obtaining a battery of certifications, including ISO 27001 and ISO 27017, PCI DSS - the standard for hosting financial data and we are currently working towards becoming certified to host data associated with healthcare. All of these tools and certifications allow OVH customers to host, with complete confidence, their data and applications in the European Cloud leader’s datacenters.

WANTED: API Experts

For the moment, Bug Bounty only concerns vulnerabilities dealing with the OVH customer control panel and the API. Very soon it will extend to cover other OVH products.
According to the SOC team, in order to find the most interesting bugs, it is important that Bug Bounty participants understand the underlying principles of our API: “Perl is the main programing language with micro calls to the API written in Python,” explains Vincent before reminding us that all data is stored in PostgreSQL and MySQL databases. Operations that manage the configuration of requested resources are all handled by bots, this is to say that asynchronous processes carry out these tasks. Depending on products and communication protocols, actions taken can vary from the execution of a bash script to a PowerShell call. Within OVH, Debian is the most widely used operating system with most teams exploiting the grsecurity kernel.

"Just one report demonstrating that you can run code on one of our servers will get you 10,000 euros. You would have to find 200 XSS vulnerabilities to get the same result…"

“Even though obscurity was not chosen for a method of defense, it would be difficult to say any more without revealing details of the about the infrastructures,” explains Vincent. “I can tell you that we have an impressive arsenal of vulnerability detection tools at our disposal which we use on a regular basis. If you use these types of tools to help you find a bug, I am telling you that we have already done so and this type of reporting will not yield any significant rewards. To be honest, we recommend that you go off the beaten path and concentrate on quality. Just one report demonstrating that you can run code on one of our servers will get you 10,000 euros. You would have to find 200 XSS vulnerabilities to get the same result…”

Contribute to Bug Bounty