This interview with Yannick Jost, CISO at Scalingo, retraces his journey—from growing dissatisfaction with traditional penetration testing to the adoption of bug bounty. He explains how this approach enabled Scalingo to implement continuous security testing that is better aligned with its deployment pace.
Scalingo is a Platform as a Service (PaaS) and Database as a Service (DBaaS) solution that enables companies and public institutions to easily deploy, manage, and scale web applications and databases in a secure and stable environment.
Given the high frequency of updates to their assets, Scalingo must test each production release in an agile and in-depth manner to ensure application security and compliance with ISO 27001 and HDS standards.
In this article, we explore how Scalingo structured this approach and the key lessons learned.
Scalingo’s security challenge
Before adopting Yogosha, Scalingo relied on penetration tests performed by specialized service providers. These point-in-time assessments provided a useful snapshot, but their format and limited testing window were difficult to reconcile with a continuously evolving product.
“We were not fully satisfied with the value-for-effort ratio of one-off penetration tests: scope and duration inevitably force trade-offs, and that did not align well with our deployment pace. We wanted to complement them with a continuous setup capable of surfacing actionable vulnerabilities on an ongoing basis.”
— Yannick Jost, CISO, Scalingo
Scalingo’s objective was to find a solution that would provide access to a diverse range of security researchers, in order to obtain more relevant, comprehensive, and continuous feedback.
The bug bounty model—where ethical hackers are rewarded based on the severity of the vulnerabilities they uncover—quickly emerged as the most effective alternative. It naturally incentivizes researchers to focus on critical flaws and hard-to-reach attack paths.
After evaluating several options, Scalingo ultimately chose Yogosha for the diversity of its security researcher community and because it is a French company—an important criterion in their selection process.
Bug bounty: a continuous and deeper testing approach
It has now been over a year since Yannick Jost and his team launched a bug bounty program with Yogosha. Unlike a traditional pentest, where a small number of consultants are paid for a fixed engagement, Scalingo works with a broad community of researchers and rewards them per accepted vulnerability. This strongly encourages exploration of edge cases and blind spots, especially since critical vulnerabilities are highly rewarded.
“The bug bounty approach stands out for its ability to generate more detailed reports and to mobilize a larger number of researchers, which is a major advantage. Unlike traditional penetration testing, bug bounty financially rewards the most critical findings, encouraging the discovery of vulnerabilities in less explored areas.”
— Yannick Jost, CISO, Scalingo
The solution was integrated very smoothly. The onboarding process was fast, taking around two weeks. Yogosha’s support was key in defining the program, security scopes, and reward levels. The Scalingo team quickly adopted the platform, which integrated seamlessly into their security stack and became a complementary layer of their overall defense strategy.
Today, their vulnerability management workflow is well established:
- A new report or comment on an existing report triggers a Slack notification.
- Scalingo’s security team performs an initial triage, often creating a temporary ticket in their tracking tool.
- A Jira ticket is then created to track remediation through to production deployment.
- Once the fix is implemented, Scalingo asks the reporting researcher to validate that the vulnerability has been effectively resolved.
More recently, Scalingo also launched a Vulnerability Disclosure Program (VDP) to formalize and streamline the handling of unsolicited vulnerability reports. This is particularly useful for managing incomplete or low-quality submissions—often vague messages that require scoping (affected assets, proof of concept, impact) before they can be properly analyzed and prioritized.
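The intake and lifecycle described above (Slack notification, initial triage, Jira ticket, researcher validation of the fix) and the VDP scoping problem (submissions missing affected assets, proof of concept or impact) can be captured as a small state machine. The following is an added example, not Scalingo's or Yogosha's code: the state names, required field names, the Slack channel and the Jira project key are assumptions, and the Slack and Jira payloads are returned as plain dicts rather than sent to any API, so the example runs offline.

```python
"""Intake and triage helpers for bug bounty / VDP reports.

Added example, not Scalingo's or Yogosha's code. Field names, states and the
Slack/Jira payload shapes are assumptions chosen for illustration; nothing here
calls a real API (payloads are returned as dicts so the flow runs offline).
"""
from dataclasses import dataclass, field

# Fields a submission must carry before it can be analysed and prioritised
# (affected assets, proof of concept and impact are the usual gaps in VDP mail).
REQUIRED_FIELDS = ("title", "affected_assets", "proof_of_concept", "impact", "severity")
SEVERITIES = {"critical": 1, "high": 2, "medium": 3, "low": 4, "info": 5}

# Allowed lifecycle transitions, mirroring the workflow above. The last step
# (fixed -> validated) is gated on the reporting researcher's confirmation.
TRANSITIONS = {
    "new": {"needs_info", "triaged", "rejected"},
    "needs_info": {"triaged", "rejected"},
    "triaged": {"in_remediation", "rejected"},
    "in_remediation": {"fixed"},
    "fixed": {"validated", "reopened"},
    "reopened": {"in_remediation"},
}

@dataclass
class Report:
    report_id: str
    source: str                 # "bug_bounty" or "vdp"
    fields: dict
    state: str = "new"
    history: list = field(default_factory=list)

def missing_fields(report):
    """Return the required fields that are absent or empty in the submission."""
    return [f for f in REQUIRED_FIELDS if not report.fields.get(f)]

def transition(report, new_state, *, researcher_confirmed=False):
    """Move a report to new_state if the workflow allows it."""
    if new_state not in TRANSITIONS.get(report.state, set()):
        raise ValueError(f"{report.state} -> {new_state} is not allowed")
    if new_state == "validated" and not researcher_confirmed:
        raise ValueError("validation requires the reporting researcher's confirmation")
    report.history.append((report.state, new_state))
    report.state = new_state
    return report

def slack_message(report):
    """Build the Slack notification payload (hypothetical channel name)."""
    sev = report.fields.get("severity", "unknown")
    title = report.fields.get("title", "(untitled)")
    return {
        "channel": "#security-reports",  # assumption
        "text": f"[{report.source}] {report.report_id}: {title} "
                f"(severity: {sev}, state: {report.state})",
    }

def jira_issue(report):
    """Build the Jira issue fields for remediation tracking (hypothetical project key)."""
    sev = report.fields["severity"]
    return {
        "project": "SEC",  # assumption
        "summary": f"{report.report_id}: {report.fields['title']}",
        "priority": SEVERITIES[sev],
        "labels": [report.source, f"severity-{sev}"],
        "description": (
            f"Assets: {', '.join(report.fields['affected_assets'])}\n"
            f"Impact: {report.fields['impact']}\n"
            f"PoC: {report.fields['proof_of_concept']}"
        ),
    }

def triage(report):
    """Initial triage: scope-check the submission, then either ask for the
    missing information or accept it and produce the Slack and Jira payloads."""
    gaps = missing_fields(report)
    if gaps:
        transition(report, "needs_info")
        return {"state": report.state, "missing": gaps, "slack": slack_message(report)}
    if report.fields["severity"] not in SEVERITIES:
        raise ValueError(f"unknown severity {report.fields['severity']!r}")
    transition(report, "triaged")
    return {"state": report.state, "missing": [],
            "slack": slack_message(report), "jira": jira_issue(report)}

# Constructed sample submissions (not real reports).
VAGUE_VDP = Report("VDP-0001", "vdp", {"title": "your site is hackable", "impact": "bad"})
FULL_BOUNTY = Report("BB-0042", "bug_bounty", {
    "title": "IDOR on legacy export endpoint",
    "affected_assets": ["api.example.invalid"],
    "proof_of_concept": "GET /v1/export?id=<other tenant id> returns foreign data",
    "impact": "cross-tenant read of export archives",
    "severity": "high",
})

if __name__ == "__main__":
    print(triage(VAGUE_VDP))    # lands in needs_info with the list of missing fields
    print(triage(FULL_BOUNTY))  # lands in triaged with Slack and Jira payloads
```

The vague VDP submission never reaches the Jira step: it is parked in `needs_info` with an explicit list of what the reporter must supply, which is the scoping work the VDP formalises. The complete report is accepted, and the `fixed -> validated` transition refuses to close it until the researcher has confirmed the fix.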
Improved coverage of legacy paths
Another key benefit has been the discovery of vulnerabilities that had never been identified before. Yannick Jost explains: “We identified vulnerabilities in historical components of the platform, on low-frequency or uncommon scenarios.”
The bug bounty approach encourages security researchers to go deeper in their investigations, beyond the most obvious attack surfaces.
Time savings and operational efficiency
The Yogosha platform has had a positive impact on the day-to-day work of the security team by saving time and rationalizing workflows. Instead of handling a monolithic pentest report in Word format, the team manages individual, vulnerability-level tickets. This makes tracking, prioritization, and communication significantly clearer and more efficient.
Yogosha: attentive to customer needs
Yannick Jost is highly satisfied with Yogosha’s customer support. Communication is smooth and responsive, with regular check-ins to ensure the program is running effectively. He also highlights the product’s evolution and its ability to adapt to customer needs—illustrated by the development of a tailored executive summary document that helps Scalingo demonstrate the robustness of its security programs to its own clients.
Don’t rely solely on automated testing
Yannick Jost’s closing message to organizations that are still hesitating is clear: “Don’t rely solely on automated testing. Nothing replaces humans and a diversity of profiles when it comes to finding security flaws.”
Looking ahead, Scalingo plans to continue leveraging both bug bounty and VDP programs, while exploring new opportunities with Yogosha such as Pentests as a Service. They also intend to expand program coverage to new features and additional database technologies, in line with the evolution of their platform.
Want to learn more about how Yogosha helps secure SaaS applications and cloud platforms?
Contact us