TX Group AG (formerly Tamedia AG) is the largest private media group in Switzerland. It publishes a portfolio of daily and weekly newspapers, magazines and digital platforms that, collectively, reach over 80 percent of the Swiss population every day. One of its titles — 20 Minuten, a free newspaper available at every Swiss train station and every stop, as well as via a digital portal — reaches 60% of the population every week.
Media companies like TX Group remain firmly in the bullseye for cyberattackers and must be extra-vigilant to protect themselves. This is a considerable challenge for TX Group, which, among its 3,700 staff and across all its individual companies, employs 500 developers at 50 locations worldwide and is constantly launching new digital products and services.
In November 2020, the company was subjected to a daily barrage of DDoS attacks. TX Group went public and confirmed that other media companies had been attacked as well. This open collaboration resulted in shared information about how to better deal with such an attack and ramp up DDoS protection.
TX Group brought the same open-minded approach to vulnerability discovery through the adoption of bug bounty programs on the Bugcrowd Security Knowledge Platform™ as a core strategy. The company now runs two public programs that have superseded annual audits at the group’s digital companies, vulnerability scanning of on-premises legacy solutions, and a managed SOC.
TX Group chose Bugcrowd after considering proposals from several major bug bounty solution providers, including Bugcrowd, HackerOne, YesWeHack, and Synack. Proposals were evaluated based on a cost-benefit analysis (price), availability of a managed platform, availability of pre-built integrations (e.g. Slack, Jira) and — most important — the ability to provide the SecDevOps team with a customized solution.
TX Group’s managed bug bounty program has delivered outstanding results. Even with the company conducting initial audits before commencing programs, up to 20 times more vulnerabilities were discovered in some cases, and a significant number of vulnerabilities were designated as critical.
Not only are TX Group assets now more secure, but its investments in security can now be more directly tied to results because bounties are paid only for validated vulnerabilities. In contrast, a classic audit always incurs costs, whether valid vulnerabilities are found or not.