Bug Business is a series of interviews in which experts from the bug bounty industry shine their light on bug types and trends. Intigriti’s Head of triage has an interesting viewpoint as an Intigriti triager, active bug hunter, and past penetration tester.
In this interview, he shares with us his experience and insights on the other side of bug bounty.
What did you do prior to Intigriti, and how did you end up here?
During my bachelor's degree in network and security engineering, we had a course called “Security”. This course was about the basic security fundamentals of web applications and network infrastructures. I quickly got interested and expanded my knowledge by reading books, for example, The Web Application Hacker’s Handbook.
After I graduated, I was still learning about security and got really passionate about hacking. I definitely wanted to work in the security field. From here, I started at a security firm in Belgium as a penetration tester.
Days passed by and I learned a lot about how to find certain vulnerabilities and how to escalate them. But at a certain point, I really wanted to deep dive into specific functionalities of a web application. Unfortunately, as a penetration tester, you are limited to a specific timeframe. This is how I got in touch with bug bounty. I was amazed that platforms like Intigriti, HackerOne and Bugcrowd gave hackers like me the opportunity to hack on organisations without the pressure of management. You can start and stop whenever you like.
I participated as a hacker in one of Intigriti’s live hacking events and got in touch with the Intigriti team, which later made me an offer to join them as a full-time employee.
What are some key points of being a good triager?
Be communicative and transparent with the researchers. It’s important for us that researchers feel like they are talking to a person and not some sort of robot. For every decision we make as a triager, a detailed explanation must be given to the researcher.
Be helpful as a triager. For example, if someone is struggling to assess the impact of a certain behaviour, we’ll be happy to help them understand, so they can grow their skills and knowledge. Being a triager is more than pointing out whether something is valid or not; it is also helping aspiring ethical hackers grow their career and pointing them in the right direction. As long as someone wants to learn, we’ll be more than happy to invest time in their growth!
Knowledge is key. Triagers should have at least a basic understanding of every vulnerability type. Otherwise it will be very hard to determine the correct severity of the report. We can’t know everything for sure, but the great attention for detail our researchers spend writing their reports helps us understand and assess the correct impact. If a new vulnerability type is released or found, it’s the responsibility of the triager to understand this new vulnerability type. That’s why Intigriti continuously provides learning courses for its triagers and developers.
What does your day schedule look like?
During the week, I wake up, drink a coffee and start working for Intigriti. It’s hard to describe my days specifically because being a triager is more than just validating and forwarding reports. There is a lot of variety in this work. For me, being a triager can be divided into 3 different tasks:
- Validating and forwarding a researcher’s report.
- Helping customers: if the customer needs assistance to fully understand the impact of a vulnerability, we schedule a call to make sure they fully understand it.
- Helping researchers: if a triager or company made a decision and the researcher does not agree, it’s our job to give a proper explanation about the decision and mediate if needed. It’s also important to be transparent and keep the researchers in the loop. Even if there’s no update, the researcher has a right to request an update at reasonable intervals. At the end of the day, we want to provide an enjoyable and fair platform experience, both for researchers and customers.
On the weekends, I mostly hunt on other bug bounty platforms or deep dive into certain types of vulnerabilities.
Mental health is an important thing to consider when doing triage, especially when you’re fully remote, working ticket after ticket. How do you manage to keep things balanced?
The best advice that I can give is: make sure to have a certain hobby which does not involve the use of a computer. For example, I make sure to go to the gym every day for a maximum of two hours. Another example: every Friday, I go to the pub with some friends.
Besides that, take enough time to rest. A fresh opinion of a colleague can sometimes help to better understand a researcher’s or company’s view on things.
Being a bug bounty hunter yourself, you’re able to better understand your fellow researchers when they report bugs. On the other hand, you need to stay objective and not use researchers’ tricks in your own bug bounty hunting. How do you manage to do that?
As a triager, I cannot hunt on the programs of Intigriti. The reason for this is simple: we do have inside information and it wouldn’t be fair towards our researchers to use this knowledge to find vulnerabilities. In terms of tricks and tips, we also have a clear policy for that: if the information is not available online, we cannot use it for our own research, but there’s still a lot of publicly available information or knowledge to gather while doing the job!
What are the kind of reports that you love to triage?
The best reports to triage are the ones containing the exploit code to easily reproduce the vulnerability. For example, if a researcher finds a CSRF on one of our programs, we really like it when the researcher already provides the HTML code needed to reproduce the CSRF. The quicker we are able to reproduce a vulnerability, the quicker we can pass it to the customer, issue a bounty and work on other submissions in the queue.
What is the best way to write an efficient bug bounty report?
There are plenty of resources about how to write a good and efficient bug bounty report. I recommend reading our post regarding this topic: https://blog.intigriti.com/hackademy/how-to-write-a-good-report/
What are some common misconceptions about triagers?
One of the biggest misconceptions about triage is that we only validate or forward reports. We are here to help both the researchers and customers in providing a smooth platform experience.
Another thing I would like to address is scope: nobody likes to close an issue as out of scope, but to avoid unauthorised testing on third-party systems or just to keep it fair to other users, we can be very strict on that. We do this mainly to keep it fair for everyone, to avoid issues and to respect the guidelines.
Any closing statements?
To all of our researchers, if you do have any questions regarding a decision made by any company or triager, please do not hesitate to comment on your report. We try to monitor each and every report, but in some circumstances it could happen that we miss one. We, as triagers of Intigriti, want to be there for you. Our main focus is to give you the best experience on Europe’s #1 bug bounty platform, for everyone.
Keep on hunting and hacking.