With tens of millions of members, 7,000 partner brands, and an annual turnover of €3.3 billion (including VAT), Veepee is a major player in European e-commerce. Operating in more than 10 countries, the group orchestrates thousands of flash sales each year on a constantly evolving digital infrastructure.
To continuously test the security of this ever-changing attack surface, Veepee, in partnership with Yogosha, implemented a Private Bug Bounty program and a Vulnerability Disclosure Program.
Since the program launched in 2020, Veepee has patched 321 vulnerabilities, including several critical ones that would most likely have gone unnoticed by vulnerability scanners and other automated tools.
“Bug Bounty gives us an external, expert, and responsive view that perfectly complements our internal systems.”
— Antonin Garcia, CISO, Veepee
The Challenge: Security Testing an Ever-Changing Attack Surface
With frequent production releases and rapid changes, Veepee’s attack surface is vast and constantly in flux. Traditional penetration tests, while necessary, have limitations:
- They are one-time assessments, leaving long periods without testing.
- They take time to plan and execute, so parts of the attack surface remain untested while the engagement is being scheduled.
- They rarely reproduce the persistence and diversity of real-world attackers.
For Veepee, it became essential to transition from a static strategy to a continuous approach, capable of identifying vulnerabilities in real time while minimizing the impact on internal teams. This approach not only frees up teams from repetitive or time-consuming tasks but also allows them to focus on higher-value missions, boosting their productivity and engagement.
“As an e-commerce site, things change very quickly. Our attack surface is wide, and we wanted to identify potential vulnerabilities in our blind spots.”
— Antonin Garcia, CISO, Veepee
The goal was to set up a continuous, scalable security testing system that complements existing security practices and, more importantly, finds critical flaws before attackers exploit them.
The Solution: The Yogosha Offensive Security Testing Platform
To address these challenges, Veepee and Yogosha deployed a hybrid security testing approach combining a private Bug Bounty program and a Vulnerability Disclosure Program (VDP). The private program provides continuous testing by vetted researchers, while the VDP gives anyone on the web a secure, official channel to report a vulnerability.
The Yogosha platform was selected for its ability to scale security tests, simulate real-world attacks with highly skilled security professionals, and facilitate continuous 24/7 testing.
Key Components of Veepee’s Strategy
1. A VDP to Channel External Reports
Veepee set up a public page (https://www.veepee.fr/.well-known/security.txt) that is always active, allowing any security researcher to report a vulnerability legally and securely via the Yogosha platform.
“I’ve had researchers contact me on LinkedIn or by email. Thanks to the VDP, I sent them the link, and within minutes, they had submitted their report.”
— Antonin Garcia, CISO, Veepee
This official channel allows the security team to quickly qualify vulnerabilities while ensuring a legal and secure framework.
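The VDP entry point is a security.txt file served at the well-known path defined by RFC 9116. As an added example (not Veepee's or Yogosha's code), the following Python checks such a file for what the RFC requires: a Contact field, a single Expires field that has not passed, contact values that are https, mailto or tel URIs, and https-only Policy and Canonical URLs. The sample file, its hostnames and URLs are constructed for illustration and are not the contents of Veepee's real security.txt.

```python
"""Minimal RFC 9116 (security.txt) parser and validator.

Added example, not code from Yogosha or Veepee. The sample below is
constructed for illustration; the example.com URLs are placeholders.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample: a security.txt that routes reports to a VDP platform.
SAMPLE_SECURITY_TXT = """\
# Vulnerability disclosure channel (constructed example)
Contact: https://vdp.example.com/report
Contact: mailto:security@example.com
Expires: 2026-06-30T00:00:00.000Z
Policy: https://vdp.example.com/policy
Canonical: https://www.example.com/.well-known/security.txt
Preferred-Languages: en, fr
"""

REQUIRED_FIELDS = ("contact", "expires")            # RFC 9116: MUST be present
SINGLETON_FIELDS = ("expires", "preferred-languages")  # RFC 9116: at most once
CONTACT_SCHEMES = ("https", "mailto", "tel")


def parse_security_txt(text):
    """Return {lowercase field name: [values]}; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            # Every non-comment line must be "Field: value"
            fields.setdefault("__malformed__", []).append(line)
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes all checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    for line in fields.get("__malformed__", []):
        problems.append(f"malformed line: {line!r}")

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field: {name}")

    for name in SINGLETON_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must appear at most once: {name}")

    for uri in fields.get("contact", []):
        if urlparse(uri).scheme not in CONTACT_SCHEMES:
            problems.append(f"contact is not an https/mailto/tel URI: {uri}")

    for uri in fields.get("canonical", []) + fields.get("policy", []):
        if urlparse(uri).scheme != "https":
            problems.append(f"URL must use https: {uri}")

    expires = fields.get("expires", [])
    if len(expires) == 1:
        try:
            # RFC 3339 date-time; accept the trailing "Z" on older Pythons
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                problems.append("Expires must include a timezone")
            elif exp <= now:
                problems.append(f"file has expired: {expires[0]}")
            elif exp - now > timedelta(days=366):
                # RFC 9116 recommends an Expires date less than a year ahead
                problems.append("Expires is more than a year away")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 date-time: {expires[0]}")
    return problems


if __name__ == "__main__":
    for problem in validate_security_txt(SAMPLE_SECURITY_TXT) or ["OK"]:
        print(problem)
```

Run it against a live site by fetching https://<host>/.well-known/security.txt over HTTPS and passing the body to validate_security_txt; a file that fails these checks gives researchers no reliable way to reach you, which defeats the purpose of the VDP.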
2. A Private Bug Bounty for Continuous Testing
A large group of skilled security researchers is mandated to continuously test Veepee's attack surface.
- Testing on domains, subdomains, APIs, and B2B applications
- Continuous vulnerability research 24/7
- Controlled launch with gradual ramp-up
“We open our attack surface to a community to find the blind spots that targeted pentests don’t see.”
— Antonin Garcia, CISO, Veepee
“With Bug Bounty, some hunters really go the extra mile. Some place real orders on the site, so they spend their own money to find vulnerabilities. We’ve never seen that with external pentests.”
— Julien Reitzel, Offensive Security Lead, Veepee
The Results: Continuous Coverage and Critical Flaws Detected
Since 2020, Veepee has built an agile, effective, and cost-efficient security testing strategy:
- 321 vulnerabilities detected, including several critical ones
- Optimized DevSecOps thanks to integrated retesting workflows
- Streamlined budget with gradual ramp-up
- Extended coverage to all assets: domains, subdomains, APIs, B2B applications
- Over €100,000 paid in rewards to the community
“Sometimes, researchers find critical vulnerabilities even when we are already very operational on our cybersecurity. That’s the real value of this approach.”
— Antonin Garcia, CISO, Veepee
Test Your Attack Surface with Yogosha
Veepee’s feedback demonstrates that a continuous and collaborative approach is a strategic asset for strengthening resilience.
Whether you are a scale-up or a large group, Bug Bounty allows you to continuously test the robustness of your systems without slowing down your teams. It’s the ideal way to hunt down vulnerabilities that traditional tests miss.
Contact us today to design a customized security testing program tailored to your needs.