Intigriti is proud to announce that Pascal Schulz, better known under his pseudonym ‘Hacksplained’, is joining the community team as hacker enablement manager. The Austria-based security researcher and educational content creator will focus on further growing the community team, enabling the power of the crowd through existing and new product lines, strengthening local partnerships, and creating educational and insightful content for both community members and customers.
We’ve had the pleasure of meeting our future colleague to discuss his new role, his vision for the coordinated vulnerability disclosure industry and his plans to move from rocky Austria to the thriving city of Antwerp, Belgium, where the Intigriti headquarters are located.
Hello Pascal! Could you first tell us a little bit more about yourself and your background?
Hey everyone, my name is Pascal, I am 29 years old and I am super stoked to join Intigriti. Looking at my career, I finished business school at age 18. After that, I needed a change and signed up for a course at the university that revolved around computer security. During my Master’s degree, I spent my free time working as a security consultant and later on as a researcher at the university, mainly working on a machine learning project. Fast forward (after I got my degree and went on a 7-month-long backpacking trip), I joined Dynatrace, an AI-based software intelligence company. Over there, I was tasked to build the security department from scratch with, back then, 3 other teammates. As the years went by, I became a senior penetration tester and product owner for security testing. My main responsibilities were executing internal pentests, coordinating external pentests and our bug bounty program, automation of pentests and enablement of more than 1000 developers.
How did you get in touch with the security community and the bug bounty world?
I first came into contact with the term “bug bounty” during research for my Bachelor thesis in 2013. At that moment in time, I started joining bug bounty platforms and got hooked immediately. The concept of bug bounties was so interesting to me that we started applying it internally at Dynatrace as well. We launched and promoted our own internal company-wide bug bounty program where employees could earn a monthly bonus if they helped identify and fix security vulnerabilities. During that time, I also started joining multiple communities in order to exchange knowledge.
How did you prevent your employees from introducing vulnerabilities and then reporting them through your internal bug bounty program?
Similar to a bug bounty brief, we had a set of rules. Some of these rules specifically revolved around internal abuse and potential consequences. We had a pretty solid reviewing system in place that would check if the found vulnerability was introduced in a recent pull request, among other controls. Suspicious commits or irregularities would have got flagged. In the end, however, nobody tried to trick the system and we eventually abandoned those checks. An important part when running an internal bug bounty program is trusting your employees and making sure they’re well informed about the rules.
In the recent months, you’ve decided to grow out your educational YouTube channel called ‘Hacksplained’ to share your hacking knowledge with the community. What led you to do that?
First of all, COVID kicked in and all of a sudden, I had a lot of spare time on my hands during the evenings and weekends. I’ve always been passionate about teaching and raising awareness, and I needed an outlet for that. I started off blogging, but soon found that I wanted to talk out loud, speaking to my audience. YouTube then became the obvious choice to pursue creating. I did some research on established channels that I liked and went from there. My main goal always was to help people to improve their skills, to motivate them and to jumpstart their careers in infosec (especially around bug bounty). I started off with one video, and one became ten and now I believe I’m at 83.
A lot of people are interested in bug bounty, but don’t know where to start. As a mentor and educational content creator, what would you recommend to them?
One of the barriers that lots of starters see is the broad range of vulnerability categories. A lot of times, I hear that beginners don’t know where to start. There’s simply so much to learn and people can get overwhelmed quickly. A common mistake many people make is to compare themselves with experienced professionals that have been doing bug bounties for years. What they sometimes do not realise is that all those people also had to start somewhere. So, my general advice for people would be “don’t quit before you start”. Start small. There are some excellent resources out there, such as Burp Suite’s web app sec academy, where vulnerability topics are structured in different classes. Start with one or two and take it from there, and test your newly gained knowledge on responsible disclosure targets with a big scope. Once you get a grip on it, you can move over to bug bounty programs that provide rewards, and earn your first bug bounty!
As a hacker enablement manager, how are you going to help us further grow and strengthen Intigriti’s bug bounty crowd?
I want to facilitate the people’s entry into the bug bounty world. A lot of people feel the excitement of bug bounties and want to jump into it, but think it is too hard. So, one of my main goals is to help people overcome this hurdle, coaching them and kickstarting their careers. I’ll be doing this through various channels, such as videos, articles, personal coaching sessions and presentations. I will focus on building communities and providing them with the right resources, but also gathering feedback and data to ensure that Intigriti can set them up with the best experience they can possibly get.
You’re moving countries to join our team! How exciting! Have you ever been to Belgium?
I have been to Brussels once, but I’ve never been to Antwerp before. After the initial job interview, I did some research on the country and it all looked very exciting to me. I’m generally speaking a very open-minded person, so I’m not afraid of moving between countries and meeting new people. During my first few weeks, I will focus on finding a flat, getting my rental place furnished and finishing some paperwork. I am also super happy that Intigriti has shown great support in helping me with the relocation! Once I’m settled, I’m very happy to go out and meet some new friends (of course only when Covid allows it again) – so if anyone is in the area and wants to grab a drink, hit me up! You can always reach out to me at https://twitter.com/PascalSec.