SEGA and SIX Group: The Value of VDP and Bug Bounty

Why VDP and Bug Bounty?

Mohamed Bensakrane was able to use VDP as a way to establish a point of contact with hackers, as well as proof of value that led to the establishment of a bug bounty program at SEGA.

“VDP was really good to show value in having these kinds of programs for our business and it worked really well for us. VDP and bug bounty have been really good for us in terms of the kind of findings and the visibility that we've been able to get.”
— Mohamed Bensakrane, Senior Security Analyst, SEGA Europe

At SIX Group, Alex Hagenah emphasized the year-round success of going beyond the regulatory requirements of the financial services industry.

“We’re a highly regulated market, so we have to run pentests. But the more we onboarded onto our bug bounty program, the more we see there are issues we haven’t found before — and they’re introduced all the time. When applications are updated, we can say we did our due diligence, but we also have hackers looking at it around the clock. It’s incredible, and we find bugs all year round now.”
— Alex Hagenah, Head of Cyber Controls, SIX Group

A Global Community of Researchers

SEGA develops some games that are published only in specific locations around the world. For this, HackerOne’s global community of researchers has been particularly useful.

“Sometimes we would get a finding for a game that I didn't even know we made. It’s been super helpful for us in not only understanding our games, but also having a 360-degree view. Communication across SEGA Europe, SEGA of America, and SEGA of Asia can sometimes be challenging. That’s what’s great about the VDP — they find vulnerabilities for us and let us know.”
— Mohamed Bensakrane, Senior Security Analyst, SEGA Europe

Unmatched Creativity

Focused on making the Swiss financial market secure, SIX Group relies heavily on the creativity of bug bounty security researchers.

“Whatever team I build up, they cannot replicate the creativity and man-hours being put in by ethical hackers on a bug bounty platform. We run pentests, then put it into a private program, then after putting it into the bug bounty, we still find critical vulnerabilities that weren’t found previously. You cannot replicate that creativity — they're specialists in all kinds of areas, and it’s super important for us to apply to them.”
— Alex Hagenah, Head of Cyber Controls, SIX Group

Time Spent

A common question our panelists received was, “How much time do you spend on bug bounty, and do you have dedicated team members who work on it?” While every organization and security team is different, the amount of time teams need to dedicate to managing the bug bounty program was resoundingly reasonable.

“Thank god we have the triagers at HackerOne. We don't spend too much time, and when the triagers confirm the bug, it comes to us only and the effort is not a lot. We have a person dedicated to bug bounty in my team, but it's not a full-time job for her.”
— Alex Hagenah, Head of Cyber Controls, SIX Group

While the time spent is reasonable for the team at SEGA, Bensakrane emphasized the importance of managing development teams of different sizes and capacities. 

“I manage the VDP and bug bounty, just me. And yeah, it's pretty easy. The triaging ability saves me a lot of time. The only thing I deal with is we have some very large development teams and we have some very small development teams. That’s one thing to be aware of and build a process for, because they’re the ones actually fixing the vulnerabilities.”
— Mohamed Bensakrane, Senior Security Analyst, SEGA Europe

Leadership Buy-in

Perhaps the top concern from our event audience was the effort of receiving leadership buy-in and what methods our customers have used to champion the value of bug bounty and VDP in their organizations. At SEGA, Bensakrane used VDP to build a case for bug bounty.

“The first hurdle that we overcame was establishing a VDP, which was quite an easy use case because it created a point of contact and that was really good for us. The findings that we were able to get from that built up a case. I did a lot of internal PR: I would do presentations every three months, sharing ‘this is what we found on HackerOne today, and this is a super cool finding that we found.’”
— Mohamed Bensakrane, Senior Security Analyst, SEGA Europe

“Traditionally, you have your return on investment, which can be harder to express with bug bounty. How I sell it internally is you have the return of mitigation or return of prevention. If you just tell them ‘Give me that amount of money for our bug bounty program,’ they think, ‘But what do we get in return?’ Well, if we have a breach, it's going to cost you millions. Then, it's actually not a lot of money, right?”
— Alex Hagenah, Head of Cyber Controls, SIX Group

Budget

Leadership buy-in and budget allocation go hand-in-hand. And for SEGA, Benaskrane ties bug bounty budget directly to its value.

“It’s not that much in terms of our global security budget. It is a big chunk of my budget, but it honestly pays for itself. Not only do you have that kind of coverage, but we also use it to complement our security testing life cycle. So, it’s 100% worth it.”
— Mohamed Bensakrane, Senior Security Analyst, SEGA Europe

At SIX Group, Hagenah has used another approach to enhancing the bug bounty budget. 

“For me, it was essential that we incorporated bug bounty into our comprehensive information security strategy. Otherwise, we wouldn't be able to achieve what we want to achieve. This approach has been crucial in securing and spreading the budget for it over a few years.”
—  Alex Hagenah, Head of Cyber Controls, SIX Group

Thank you so much to our customer panelists with SEGA Europe and SIX Group. To learn more about the value gained by HackerOne customers, watch the full on-demand webinar.