Trusting professional pentesters seems like the obvious choice when it comes to finding vulnerabilities in your company’s security systems. But sometimes, a second look from an outsider is better.
Such is the work that bug bounty hunters do. Also called ethical hackers, they spend their days trying to hack into various systems in hopes of finding a vulnerability or misconfiguration that, if it fell into the wrong hands, could be exploited for the greater bad. And while these hunters usually prefer to walk alone, sometimes they join forces.
To delve deeper into the topic of bug bounty hunting, Cybernews reached out to Stijn Jans and Inti De Ceukelaire, the CEO and Head of Hackers, respectively, at Intigriti, a bug bounty hunting and pentesting platform.
How did Intigriti come to be? What has your journey been like since your launch in 2016?
Stijn: Intigriti launched in 2016, which was a time when bug bounty and crowdsourced security concepts were still fairly unknown in most of Europe. When we first went to market, we were looking for pioneers in the cybersecurity community who were looking to progress their security testing strategy. Fortunately, bug bounty programs were already in motion around other parts of the world, mainly the United States, so we had that proof of concept already. However, our focus was very much on Europe.
We began with a small but motivated team who all shared a passion for modernizing cybersecurity testing — and one of those people was Inti! Inti is a multi-award-winning ethical hacker, so he was the perfect profile to build our crowd of security researchers. Today, we have over 40,000 security researchers registered on the platform and we’re growing every day. But, having the biggest community wasn’t (and still isn’t) our main objective.
Inti: Absolutely. From the very beginning, we understood that investing in scale does not always mean our clients or community will see direct results. Therefore, in our first years of operation, we zoned in on qualitatively growing our community. We invested heavily in educational resources, built a network of local hacker heroes we can rely on, and established a free “hackademy” (hacking academy) and knowledge base. If we had taken shortcuts here and focused too heavily on our go-to-market strategy, for example, we would not have the competitive advantage we have today.
You take great pride in your bug bounty platform. Can you briefly explain what this practice is about?
Stijn: A bug bounty program engages ethical hackers (at Intigriti, we call them security researchers) to stress test an organization’s cybersecurity defenses. Researchers search for vulnerabilities that bad actors could exploit and then report them to the organization so that their team can fix them. Each program comes with a set of guidelines that detail the rules of engagement. There is also a table of earning opportunities (bounties), which is based on the impact of the finding.
This proactive approach means organizations obtain continuous coverage of their digital assets without the need to increase headcount or put pressure on their internal team. At the same time, the programs generate a positive impact on the lives of our researchers by offering them a way to make a living on their terms.
A significant benefit of working with a platform is that it already comes with a large community of engaged researchers. Platforms also provide managed services and additional support. For example, when you sign up for Intigriti as a client, a customer success manager will first have a conversation with you to understand your goals and challenges. Next, they will help you define a clear scope for your program and advise on aspects like what you’ll compensate researchers for and how you’ll manage the budget flow.
Our programs also offer triage services by default. Triage plays a big role in managing incoming reports and will make sure the program’s internal team only receives unique, actionable, and valid reports, meaning they can stay focused on business-as-usual activities.
In your opinion, which industries should be especially concerned with implementing bug bounty programs?
Inti: Let me ask you this: what industry isn’t concerned about being targeted by cybercriminals? If an industry is concerned about cyber threats, chances are, they will also be thinking about cyber defenses — or so they should be! Therefore, it comes down to what type of company should be concerned with implementing a bug bounty program.
While many people still associate bug bounty programs with large, international companies, such as Facebook, Google, and Microsoft, this isn’t actually the case. As long as you have an online presence or digital assets, even without a bug bounty program, you’re already exposed to hackers — both malicious and ethical.
Malicious hackers are obviously a concern, so if there is a vulnerability in your systems that could be exploited, you’d want to know about it, right? The takeaway here is that no matter what industry you operate in, actively involving security researchers through a bug bounty program will streamline the reporting process and empower your security team to build stronger defenses against cybercriminals.
At Intigriti, we work with organizations of varying sizes, industries, and levels of security maturity. We just tailor the solution that we provide to them.
How did the pandemic challenge cybersecurity worldwide? What vulnerabilities were exploited the most?
Inti: The pandemic forced corporations to expose their internal tools and infrastructure to the outside world so their employees could get work done remotely. This had to be done swiftly as work-from-home mandates started to roll out quickly.
In many cases, the cybersecurity aspects of this transition were disregarded because of the time pressure and uncertainties. For example, in the beginning, most businesses only expected the temporary measures to last for a couple of weeks and so they made a call that cybersecurity measures weren’t necessary or worth the investment. People later realized the work-from-home culture was here to stay. Yet, many organizations are still using the same insecure systems and configurations that were set up at the beginning of the pandemic. More specifically, we have seen a rise in misconfigurations concerning VPNs, single sign-on systems, and internal helpdesks.
How are bug bounty programs different from penetration testing?
Stijn: Bug bounty programs and penetration tests both aim to identify vulnerabilities that could be exploited by hackers — but there are some key differences. For example, pentests focus on one snapshot in time, whereas bug bounty programs are continuous. This is where bug bounty programs work well as a follow-up to pentests because your security posture will change with each new feature release or update.
Another big difference between pentests and bug bounty programs is the pricing model. With a bug bounty platform, the security researcher gets a bounty if they discover and report a previously undetected bug. What bounty amount you pay depends on how critical the vulnerability is — you pay according to impact. Pentesters, on the other hand, are paid for their service and time, regardless of what they find.
Inti: Yes, and because of that, with bug bounty, there is a direct incentive for the researchers to produce results. And the bigger the impact of the finding, the bigger the reward. Our Ethical Hacker Insights Report showed that money is a big motivator for the community. In fact, 76% said that they have a financial motive when selecting a program to contribute to.
Also unlike pentesting, a bug bounty program doesn’t necessarily follow a set methodology. Hackers are a creative bunch and no two hackers will take the same approach. You’re getting the perspective of an entire crowd of security professionals, whereas, with a penetration test, you’ll depend on the knowledge, skills, and time availability of just one or two experts.
Even though bug bounty programs have gained momentum over the past few years, why do you think it is still not a widespread practice?
Stijn: The general level of security awareness and adoption of preventative solutions and technologies is pretty good. After all, organizations have hundreds of vendors to choose from. And, of course, there are security spot-checks, like penetration tests, that can tell organizations how well their cybersecurity defenses would hold up in the event of a specific type of cyberattack. However, ask any security professional how secure they really are on a continuous basis and they will often raise an eyebrow.
Inti: Yes, the pressure of getting applications, projects, features, and updates to market fast can mean security hoops can sometimes be skipped to ensure deadlines aren’t missed. This is why bug bounty programs have emerged as the next step in security testing. Continuous testing by a wide, diverse, and highly-skilled community of security researchers offers a solution to finding security vulnerabilities for organizations that typically don’t have the resources or expertise in-house to do this.
Stijn: However, despite them being around for decades, many bug bounty myths linger on, and not everyone trusts the idea of working with someone who has the word “hacker” in their job title. But, the sad truth is bad actors won’t seek your permission to hack your business – and a simple yet proven method to protect against cyber threats is to invite ethical hackers in to help.
In your opinion, what are the worst organizational cybersecurity habits? Which bad practices do you come across most often?
Inti: Most of the companies that come to us already have a certain level of security maturity whereby they have cybersecurity best practices and processes in place. However, I can tell you what our hackers will tell you – and that’s a lack of a vulnerability disclosure policy (VDP).
Stijn: Absolutely, and actually, it’s a real problem. Our market research found that 32% of risks reported to companies without a VDP or bug bounty program remain undetected and open to exploitation. How companies make themselves available to the assistance of hackers needs attention.
Inti: A vulnerability disclosure policy is free to create, and having one on your website or bug bounty platform is important. It allows goodwill hackers to assist your business and protect it from exploitation. You'll also:
- Reduce the risk of potential exploitations going undetected
- Streamline your vulnerability reporting process
- Minimize time-to-remediation
- Show a commitment to information security
- Build trust among stakeholders and customers
This should be a bare minimum.
Which cybersecurity practices do you think are essential for every organization and individual?
Inti: As previously mentioned, it's good practice to have a VDP available on your website — but having a bug bounty program provides another level of assurance because it takes a proactive approach.
On an essential level, every organization should:
- Have a dedicated cybersecurity resource: Even small companies should have at least one person who dedicates time to cybersecurity defenses.
- Educate employees: Raise awareness amongst your staff around cybersecurity best practices. Pay special attention to training around phishing threats, which is one of the most common ways to get hacked.
- Strengthen sign-in processes: Having unique passwords is a practice that is commonly known these days, but whether employees actually follow this advice is debatable. And can you blame them? Having to remember so many unique passwords (each with around 16 randomized characters) is the worst! Make it easy for them and invest in password management tools, and add an extra layer of security to sign-ins with Multi-Factor Authentication (MFA).
- Keep your software updated: Software updates aren’t only about getting the latest features and functionality. They will often contain security patches and new security features too. Even better, subscribe to the update feed.
- Centralize and standardize: Every platform you use requires security governance. It’s best to centralize as much as possible, so find the “one” platform you can use to achieve goals and embed security there.
After this, always be on the lookout for ways to improve how you monitor cybersecurity trends and new threats, and of course, how you’ll improve your own.
What tips would you give to someone looking to break into the field of ethical hacking?
Inti: Traditional educational establishments are struggling to offer comprehensive and up-to-date training in the rapidly evolving world of cyber threats. But content creators and “Hackademies”, like Intigriti’s Hackademy, have stepped in to help fill this educational gap.
As their name suggests, hackademies are online locations where aspiring ethical hackers can come and learn about categories of security vulnerabilities, see real-world examples, and learn how to identify and protect against such weaknesses. There is a lot to learn and, thankfully, a huge and growing number of resources available.
It’s worth checking out our Hacker Heroes videos, where we interviewed some of our most successful security researchers on the platform. One of the best ways to learn is from your peers. But arguably the best way to educate yourself on hacking is to stop thinking about it, take the leap, and start looking for your first bug! In fact, many of our top-performing security researchers have only been bug bounty hunting for one to two years.
And finally, what’s next for Intigriti?
Stijn: The near future for us is to continue what we’ve been doing: serving businesses that have the desire and vision to adopt technology — to drive their businesses forwards whilst ensuring security all the way. At the same time, we want to have a positive impact on the lives of our community members, offering them a new way of working.
Our goal is to help companies that really want to be secure by offering them a crowd-based solution, so in the near future, we’ll focus on new offerings that are crowd-driven and help companies to achieve that better security posture continuously.