With the boom of data-driven organizations and the adoption of technological advancements, cybersecurity threats are also getting more sophisticated. The fast-changing nature of cybersecurity and the sheer number of threats and vulnerabilities require organizations to stay on top of protecting their assets and data from attackers.
To counteract this, organizations are increasingly turning to ethical hackers and bug bounty programs. Having ethical hackers and security researchers detect vulnerabilities before cyber attackers do allows organizations to get ahead by acting proactively.
Crowdsourced bug bounty hunting platforms provide organizations access to a large and skilled community of ethical hackers and researchers to test their websites and applications. Researchers also benefit from joining a vibrant community and participating in programs fit for their skills. Bug bounty platforms handle the project and rewards management so hunters can focus on what they do best — hunting.
To kick off SecurityTrails' Bug Bounty Hunting Month, we are talking with Stijn Jans, the Founder and CEO of Intigriti, and Inti De Ceukelaire, their Head of Hackers. Intigriti is the largest ethical hacking and bug bounty hunting platform in Europe and one of the most well-known and best-loved platforms in the world and in the community. Engaging with humour and cleverness, part of Intigriti's success comes from their relationship with the bug bounty community.
In this first interview of BBHM, learn more about Intigriti's philosophy, how the wisdom of the crowd helps businesses and the crowd itself, their biggest wins, and finally find out who is behind their highly entertaining Twitter account.
SecurityTrails: What did the early days of Intigriti look like?
Stijn Jans: Intigriti launched in 2016 — a time when bug bounty and crowdsourced security concepts were still fairly unknown in Europe. For that reason, many of the first programs published on the Intigriti platform were won through evangelizing marketing efforts. We were looking for pioneers in the cybersecurity community to focus on building a healthy and engaged crowd of ethical hackers.
Our target customers were European, so running the company in a European way was critical. However, we knew companies could be targeted by malicious hackers from anywhere in the world. Therefore, our hacking community had to be global as well.
I hired a small team of motivated people who shared my passion for modifying security testing, and they set to work building our community. Meanwhile, I began reaching out to my contacts in cybersecurity, educating them on the benefits of continuous crowd security. Today, we have more than 150 programs live on the platform and over 25,000 researchers (ethical hackers) working with us.
Intigriti is based in Europe. What differences do you see between the cybersecurity industry, and the field in general, in Europe vs the US? Is the awareness different among organizations?
Stijn Jans & Inti De Ceukelaire: The US was the first to embrace crowd security. However, the adoption rate in Europe is steadily increasing. This is partly due to legal frameworks like GDPR that have come into play, which required businesses to take a step up with their security efforts.
GDPR is one example, but there are many more governmental bodies that European companies have to comply with. It's essential for security teams to have the relevant services and infrastructures in place, and at Intigriti, we take a strong focus on this.
How did you discover the need for a bug bounty platform like Intigriti? Where did the idea for a crowdsourced platform come from?
Stijn: Before Intigriti, I ran a security company that focused on penetration testing. Pen-testing is a time-limited spot check, focused on one moment in time and only one application is tested. For years, the company successfully deployed consultants to one-week assignments testing applications defined by the customer.
Although business was going well, there was one challenge with this type of security testing: customers kept asking me, "Can you guarantee that you have found all possible vulnerabilities after the test?" And the only possible answer was no.
Because companies are so agile nowadays, running spot checks alone is insufficient. I realized there was a strong need for reporting tools that consistently allow one to track and retest vulnerabilities across different testers. The power of the crowd allows security teams to run dynamic and diverse tests and ultimately cover more scope.
What are the main principles behind Intigriti's philosophy?
Stijn & Inti: Three main principles run through the blood of Intigriti:
- Crowd: Everything we do is executed by the crowd.
- Impact: What we do generates a positive impact on the organizations we work with, but also on the lives of our community members. Intigriti offers them a way to make a living on their terms.
- Sustainability: We're building a sustainable way of working for our community, but we also align very well with United Nations Sustainability Goals. The development of more sustainable industries and infrastructures, improving living conditions for our communities, and driving a more socially just world are the three areas where we make a difference.
The world is gradually innovating and becoming more digital. However, this will, unfortunately and unavoidably, create new opportunities for cybercriminals. With the help of our community, we will use our platform to counter these threats and clear the path for the adoption of sustainable technology.
Founded in 2016, you have quickly climbed to the top as one of the best ethical hacking and bug bounty platforms out there. What do you attribute that kind of success to?
Stijn: Our platform is all about being personal, and we try to be as close as we can to our customers. By understanding their business in-depth, we have a better understanding of the impact of a potential vulnerability. Focusing on legal aspects, such as GDPR in Europe, helped us while working on an international strategy.
We also stand out because of our relationship with our hackers. The goal is to offer them a great experience and allow them to be successful. To achieve this goal, a significant amount of our proceeds is reinvested back into our community. We genuinely believe in the value of the crowd, and live and breathe that mentality. In fact, hackers are represented throughout the various layers of our organization, even on our board.
One of the ways Intigriti connects with hackers and the community is via a clever and highly entertaining Twitter account. A lot of us want to know who is behind the account! How did the idea for your Twitter and general community presence come about? How did you know it was right for you?
Inti: Asking about our best-kept secrets ;)
The account is maintained by my team and me. As a community-driven platform, we believe it is very important to continuously engage with new and existing members of the hacker community. We've found our social channels to be a valuable way to do so.
We appreciate social media because it provides an honest, non-filtered stream of feedback and suggestions to improve our platform. We're proud of all the features our platform offers, but it is the crowd that makes a lasting impact on our customers. To build a healthy brand that works with many people, you need a personal connection with each of them. We experimented with different approaches and found humor and playfulness important in establishing trust and building serious relationships.
What are the main benefits for companies of having a bug bounty program vs running a classic penetration test or having in-house security researchers?
Stijn: There are many benefits of bug bounty programs, but I'll try and summarize them into four main points. The first is that a penetration test is focused on one moment in time, whereas bug bounty programs are continuous. You may get a certificate saying you're secure at the end of a pentest, but how can you prove that's still the case the next time you make an update? This is particularly relevant for online companies today, where cybersecurity has to be agile.
The next benefit is monetary. With bug bounty programs, you pay for results rather than time. What you pay also depends on how critical the vulnerability is. You pay according to impact.
This brings me to my third point: pentesters' ability to scale is limited, which creates a challenge. Whether you work with one consultant or a team of pentesters, that is the extent of expertise you have available to utilize. There is also a restricted amount of scope covered in the allocated time allowance. Bug bounty programs enable businesses to cover more ground and draw upon a crowd of skillsets, knowledge, and experiences. By leaning on the creativity of many, you benefit from several different ways of thinking.
Finally, you'll be the first to know about new security developments. From the moment a new technique comes out, researchers will start crawling through bug bounty programs. In turn, this helps educate and develop your in-house team as well.
What are some of the biggest myths you've heard about bug bounty platforms?
Stijn & Inti: The most common myth is that signing up for a bug bounty platform exposes your business to external security threats. But that myth is pretty easy to rectify. The sad truth is, you're already exposed to malicious hackers, and they won't seek your permission before making you a target. Rewarding individuals for ethically reporting impactful security risks doesn't expose you to more malicious attacks. It adds greater protection against them.
Intigriti connects ethical hackers across the globe with organizations in a safe environment. One way we offer assurance is that all researchers must undergo an identity check before participating on the platform.
What does collaborating with a community, such as Intigriti's, bring to companies in the modern technology space?
Stijn & Inti: Collaborating with a bug bounty platform allows you to connect with some of the brightest and most experienced researchers on earth. The landscape of modern technology is constantly shifting, and security teams have to keep up with that. For one or two people, or even a small team, that is more difficult. But by leaning on a crowd of experts, it's much more achievable. Bug bounty platforms allow modern businesses to scale their security efforts and optimize cost.
The other benefit of a community like Intigriti's is you can engage with a group of people who want to make the Internet a more secure place. With a shared concern, you can involve people who may not work for your brand but still feel like they're part of it.
If you're a big brand, chances are you're bringing in the help of the people who know your product best, your users! More than a fifth (22%) of our community says they're attracted to a bug bounty program from a familiar brand.
Inti, you had a long and successful time as a bug bounty hunter before managing Intigriti's community. How did that change look for you, and what are the most valuable insights you as a researcher bring?
Inti: I'm fortunate enough to do bug bounty from time to time! Last week, I even took the week off to participate in a befriended platform's live hacking event!
I submitted my first bug bounty report in 2011 and have seen the industry and community around it grow ever since. I've seen multiple platforms fail simply because they did not manage to get a grip on the community. You can have the most beautiful and advanced platform in the world, but without a crowd of active researchers, it's worthless.
We do not take our community for granted: that's why their input is part of every decision we make at the company, and why hackers are present in all layers of our organisation up to the board of directors.
The bug bounty landscape has changed tremendously in the last few years and platforms like Intigriti are there with that change. How are bug bounty platforms contributing to the community?
Stijn & Inti: We asked this question to our community very recently. According to our recent survey, 70% of our researchers hack via our platform to learn and 40% do it "for the challenge." To sum up hackers, they're naturally curious people, and bug bounty platforms are the perfect environment to scratch that itch!
Of course, many security researchers (63%) hack via bug bounty platforms for the extra cash they can earn. The majority of our crowd uses the platform as an additional source of income. However, around 10% of our community works full-time on hunting for vulnerabilities. We enable a particular group of people (those who wouldn't want to be a pentester, for example) to work independently. They don't like structural testing and would prefer to focus on their own research.
We also feel like the collaborative part of bug bounty has seen an immense increase in popularity. Even in work-from-home times, it allows our researchers to feel connected to their peers and build friendships.
What was Intigriti's biggest record of detected and resolved vulnerabilities and do you plan to break that record?
Stijn: Live hacking events are a big part of our product offering. They allow the most skilled researchers from all around the world to come together and find hundreds of vulnerabilities within a short timeframe. Our bug bounty record is €180.000 paid out in one day during one of these events. We very much look forward to holding physical events again and crushing the previous reports — hopefully by the end of 2021!
What does the future hold for Intigriti, and what are your plans for making 2021 better than the challenging year 2020 was?
Stijn & Inti: Last year, COVID-19 led to a new normal for work, and many businesses had to adapt quickly. 2020 required security teams to be extremely reactive, but 2021 is already seeing teams move towards proactivity. More security teams are buying into bug bounty programs because they're seeking out a solution that only crowd security can offer: continuous security, scalability, and agility.
This growing interest in bug bounty contributed to us securing funding last year. We plan to use the extra resources to grow our team, support current and new customers, and empower our community.
We also recently announced our partnership with the European Commission to launch a new vulnerability rewards program that keeps Matrix, Zimbra, and Moodle as secure as possible. The scheme was funded under the open-source part of the ISA² program.
We hope you've enjoyed the first interview for the SecurityTrails Bug Bounty Hunting Month. You can expect many more interviews with your favorite bug bounty hunters and people from the community. While waiting for our next sit-down with industry experts, take a peek at what is to come during #BBHM here.