Olvid, the ultra-secure messaging app, goes public

This Customer Story of ours is somewhat special: it tells tales as it happens about the journey from a private Bug Bounty to a public one. Olvid, a thriving start-up, is making the jump in only four months, so we give you the fine details.

Could you please briefly introduce us to Olvid?

Olvid is an instant messaging application whose security does not rely on any trusted third party. Unlike others (Signal, WhatsApp, Telegram, etc.) who use a central directory to establish secure channels, Olvid does not need a directory. This eliminates:

The risk of massive hack/leak if an attacker takes control of that directory.
The need for Olvid to collect any personal data (no phone number, no name, no email, no nothing).

Thanks to this new security model and the innovative cryptographic protocols implemented, Olvid offers its users:

Absolute confidentiality.
A strong guarantee on the identity of its contacts, without any risk of identity usurpation, fraud, spam, etc.
Total anonymity towards third parties, including our own servers.

What led you to launch a Bug Bounty programme?

In Olvid, we re-implemented everything from scratch: we rely on a minimum of third-party libraries and we have designed the whole application “in house”.

Having new cryptographic protocols, it was essential for us to have our implementation validated as widely as possible. To achieve that, we started on 3 axes:

A “theoretical” verification of the cryptography, by Prof. Michel Abdalla (from the French National Centre for Scientific Research), internationally recognized, which mathematically proves that our protocols provide the security guarantees that we claim;
A CSPN certification against the ANSSI (National Cybersecurity Agency of France requirements);
And finally, a Bug Bounty programme mobilising thousands of cybersecurity researchers looking for exploitable vulnerabilities in every nook and cranny of our application.

For us, this last verification stage is essential. When you sell a security application, you certainly do not want a hacker to brag about having found a vulnerability in it!

If we want to protect our application from hackers, it must be evaluated by people who use their exact methods and thought process.

We had the opportunity to participate in YesWeHack’s Live Bug Bounty at the International Cybersecurity Forum (FIC), where we started our Bug Bounty experience by being hacked live for two days! We don’t regret it, it has been an incredible experience. We’ve had the chance to discuss our application with cybersecurity researchers; and it was a very instructive experience, from both technical and business aspects.

Today you’re expanding your private programme into a public one–what motivated this choice?

During our four months running a private programme, only a few vulnerabilities were reported by the twenty or so researchers participating; none of these was severe.

Therefore, we have deduced that our system is robust enough to welcome YesWeHack’s entire community. We now want to take advantage of one of Bug Bounty’s major strengths—crowdsourcing: tens of thousands of researchers bringing different skill sets and methods, to test the security of our application.

The reason for our move to a public programme is simple: we want to offer our users the best possible security guarantee. The more hunters scanning and attacking our app, the better it is for everyone!

Any tip for startups hesitating to launch a Bug Bounty programme?

Stop doubting right now! You’ve got to do it! It is indeed a bit scary at first to think that people will actually try to attack your product; but that’s fine, as long as you have the right people doing it.

I guess it’s comfortable to live in denial, thinking that if no one has succeeded to attack us yet, we’re safe. However, someday, an attack will happen. And the only way to be better prepared to this is having your application tested. Penetration testing, certifications, etc. are very important as they provide “stamps” that we can show to our clients.