Security researchers can now join the Yogosha Strike Force (YSF) via four selection paths: skills, reputation, co-option and certifications.
From the start of Yogosha’s journey in 2015, we wanted to bring together the very best security researchers in a private, selective and international community.
- Private, because to accept everyone would be to accept anyone.
- Selective, because without a skill assessment, how could one prove expertise?
- International, because talent knows no borders.
This group of experts is the Yogosha Strike Force. It’s what sets us apart from most other platforms, whose communities are unrestricted and open to all — see Bug Bounty: the differences between public and private platforms.
Today, the YSF brings together more than 800 active security researchers every month. 800 profiles with verified identities, carefully selected through a series of technical and writing tests. They are key to what we offer: without them, there would be no vulnerabilities discovered, and no Yogosha. To these 800 experts, we say a heartfelt thank you.
A Challenging, but Necessary Selection Process
But this commitment to recruiting only the very best comes at a price: time.
First, time at Yogosha, where someone is in charge of creating all the selection tests, different for each session, and reviewing each candidate’s performance. At least 30 a week for over 8 years: that’s a lot of writeups to read!
Next, this selection process demands a great deal of time from the bug hunters themselves. To take the tests, of course, but also beforehand, as the waiting list can sometimes extend over a few weeks, depending on the number of candidates and our need for new researchers.
After 8 years, it’s time to revamp our selection process. But two questions arise:
- How can we accept more researchers in our ranks while maintaining our high standards?
- How can we speed up the selection process without compromising the value of our entry tests?
After much thought, here are our conclusions.
Four Paths to the Yogosha Strike Force
From now on, all security researchers will have four ways of joining the Yogosha Strike Force, compared with just one previously.
- Skills: Our traditional selection tests, i.e. a series of technical and writing exams.
- Reputation: Direct access for hackers from the All-Time Top 50 of other bug bounty platforms.
- Certifications: Direct access on presentation of certain recognized cybersecurity certifications.
- Co-option: The best YSF researchers (Top 50) can now co-opt their fellow hackers.
With these new ways of joining the YSF, we are thrilled to be able to welcome more experts while maintaining the level of excellence that sets us apart.
Path N°1: Skills — The Selection Tests
This is the conventional way to join the YSF, the one we’ve always had. It consists of a series of technical and writing tests, which are rather challenging: on average, only 10% of candidates pass.
How Do I Take the Tests?
The process for taking the tests remains unchanged:
- Register on the Yogosha platform.
- Complete your profile so that we can get to know you better.
- Apply to take the selection tests by clicking on the “Join Yogosha community” button.
- You are then put on the waiting list. Our team verifies the legitimacy of your application. This step can take up to several weeks depending on the number of applications and our current need for new researchers.
- If your application is accepted, you enter the selection process. A new section appears in your profile: KYC and Payment. Those fields allow us to validate your identity – all nationalities are accepted, but a passport is required – and your tax information so that you can be paid via our platform.
- A member of our team will invite you to take the tests. We usually hold one session per week. After accepting the invitation, you will have 5 days to complete the technical and writing tests.
- If you are not selected, you may request to retake the test after a minimum of one month. The tests are different for each session to avoid cheating.
- If you pass the tests, welcome to the Yogosha Strike Force!
Path N°2: Reputation — Direct Access for Top 50 All-Time Hackers
The vast majority of competing platforms are public. In other words, anyone can create an account — beginners and pros alike — and access a number of bug bounty programs.
Now, there are some excellent researchers on public platforms, but not all of them are excellent. The lack of selection means that skill levels are uneven. Script-kiddies and beginners sit alongside experienced bug hunters, some of whom are among the world’s elite.
Yet, climbing to the top of the leaderboard of any public platform is no mean feat. Security researchers are numerous and competition is fierce. Only the very best make it to the top, and it’s not uncommon to come across the same pseudonyms in the rankings of different platforms. Therefore, it seems a bit redundant to ask them to take tests to prove their expertise, when their public profiles speak volumes.
That’s why any security researcher who is in the Top 50 All-Time of a bug bounty platform can apply to join the Yogosha Strike Force without passing our selection tests. However, we may refuse entry without further explanation if the researcher’s profile or the quality of the platform in question does not seem sufficiently convincing to us.
How Can I Prove I’m in a Top 50 All-Time?
Well, it’s simple:
- Register on the Yogosha platform.
- Complete your profile so that we can get to know you better – bio, social networks, etc. KYC (identity verification) using a passport is mandatory.
- Send an email to [email protected]:
  - specifying the username of your newly created account;
  - providing a link or other proof of your Top 50 ranking on another platform.
- Someone will get back to you as soon as possible to confirm your admission to the Yogosha Strike Force.
Path N°3: Certifications — Direct Access on the Basis of Certain Cybersecurity Certifications
Security professionals are well aware that not all certifications are equal, nor do they reflect the real expertise of their holders. Some junior researchers boast certifications obtained in two weeks, while some cybersecurity veterans have none at all.
But as much as you shouldn’t blindly believe in certifications, it’s just as absurd to dismiss them out of hand. Some have earned a well-deserved reputation, and demonstrate a minimum level of expertise on the part of their holders.
Therefore, it is now possible to join the Yogosha Strike Force on presentation of specific cybersecurity certifications. The authenticity of the documents will be verified, and the expertise of the researchers observed with their first reports.
Having said that, at Yogosha we attach great importance to the quality of the services we provide to our customers. To maintain our high standards, we therefore reserve the right to exclude from the Yogosha Strike Force researchers who possess the proper certifications but lack the skills we expect. It goes without saying that we’re not talking here about inactivity or rejected or duplicated reports, but about unprofessional behavior or the repeated submission of poor-quality reports.
What Certifications Allow You to Join the YSF?
Here are the certifications that allow you to join the Yogosha Strike Force:
- OffSec Experienced Pentester (OSEP)
- OffSec Web Expert (OSWE)
- Offensive Security Exploitation Expert (OSEE)
- GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
- GIAC Cloud Penetration Tester (GCPN)
- eLearnSecurity Web Application Penetration Tester eXtreme (eWPTX)
- Practical Network Penetration Tester (PNPT)
- All CREST certifications (full list available here)
Please note that we may require one or multiple certifications to participate in certain non-bug-bounty operations such as pentesting in highly sensitive environments. These missions are only offered to security researchers whose CV meets ad-hoc requirements — which is why it is important to indicate your certifications and qualifications in your YSF profile.
Path N°4: Co-option — Access Based on Recommendations From Our Top Researchers
We have the utmost confidence in our best members, who have long proven their expertise and professionalism. As a token of our esteem, we’d like to offer them the privilege of co-opting their hacker friends, so that they can work together, or simply compete against one another for the top spot.
As a result, it is now possible to join the Yogosha Strike Force by being endorsed by:
- two members of the Top 50 All-Time Yogosha;
- or a single member of the Top 10 All-Time Yogosha.
How Do I Get Recommended?
The first step is to befriend a member of the Yogosha Top 50, and this is by far the most difficult! After that, it’s child’s play:
- Register on the Yogosha platform.
- Complete your profile so that we can get to know you better – bio, social networks, etc. The more information we have about you, the easier it will be for us to make an informed choice about your integration. KYC (identity verification) using a passport is mandatory.
- Send an email to [email protected]:
  - specifying the username of your newly created account;
  - copying the two researchers in the Top 50 who are sponsoring you (or just one if they’re in the Top 10). They must reply to confirm their patronage.
- Someone will get back to you as soon as possible to confirm your admission to the Yogosha Strike Force.
Only researchers ranked in the YSF Top 50 All-Time can co-opt their friends, up to a limit of three referrals per year.
Furthermore, in the event of non-approval, the recommended hacker may not be recommended again for a period of 6 months from the announcement of the decision. However, they are free to take the selection tests.
To those who feel confident enough to take one of the four paths that lead to the Yogosha Strike Force, we say good luck and, perhaps, see you soon!