YesWeHack Won the European Commission’s Latest Bug Bounty Tender

PARIS--(BUSINESS WIRE)--YesWeHack, the crowdsourced security testing and vulnerability management platform, is the European Commission’s new preferred provider of bug bounty services under a cascade model.

European Commission selects YesWeHack to expand bug bounty programs across EU institutions and open-source projects

Share

The European Union’s main executive branch has run bug bounty programs to harden open source assets used across EU servers and systems since 2019. A new tender was launched this year to relaunch an expanded initiative. Having outscored rival platforms, YesWeHack has signed a four-year framework contract potentially worth up to €7,679,875 as the most-favoured provider of bug bounty services.

YesWeHack will support the Commission’s Directorate-General for Digital Services (DIGIT) in organising a series of bug bounty programs as well as vulnerability disclosure policies (VDPs). A roster of handpicked security researchers will test digital assets used by EU entities, including popular open-source technologies.

The Commission has long promoted the adoption and development of community-built software within EU institutions, making the security of open source a strategic priority. Amid rising cyberthreats, the latest phase of the Commission’s bug bounty strategy expands the scope to a wider range of open source projects, as well as any EU institutions wishing to leverage crowdsourced security testing to harden their own applications.

Miguel Diez Blanco, Team Lead for Interoperability Enablers and Open Source at DIGIT, commented: “We have high expectations for this new framework contract, and we are confident that YesWeHack, as the first awarded company, will play an important role in achieving our objectives to secure the software we produce, as well as in supporting our ongoing initiatives to better protect open-source projects.”

Public-sector pedigree

The Commission joins government bodies in France, Singapore, Germany, Catalonia, Finland and Quebec on YesWeHack’s diverse client roster.

YesWeHack also has strong credentials in the open-source domain. For instance, the German government’s Sovereign Tech Agency runs various programs for popular open source projects on the platform – including for Log4j, the source of one of the most damaging vulnerabilities of all time, ‘Log4Shell’.

Guillaume Vassault-Houlière, CEO and co-founder of YesWeHack, states: “We’re honoured that the European Commission has entrusted us with securing assets of such critical importance –not only to EU institutions but also to millions of citizens. This decision cements our position globally as the leading alternative to US vendors. However, the real hard work starts now.”