
Illustrating Hackers: Changing perceptions by changing how we see hackers

Anyone familiar with the Intigriti brand is likely to know that we illustrate our hackers. If you know our brand but not our quirky cartoons, a glance at our Ethical Hacker Insights Report or weekly hacker interviews will quickly bring you up to speed. In this blog post, we’re going to disclose why we illustrate our hackers, introduce a few members of our community, and hear about the creative process from the illustrator himself.  

Why does Intigriti illustrate its hackers? 

When one of Intigriti’s ethical hackers displays outstanding work or earns a place at the top of our leaderboard, we reward them with an illustrated portrait. We send it not only digitally but also as a physical copy in the form of a poster (so they can proudly show it off!).

But why go to this effort? Our talented illustrator, Jeroen Van Zwol(topia), puts it perfectly:  

“Ethical hackers are the heroes of the moment who work hard for that spot on the podium, and so they should be represented as such.” 

Jeroen Van Zwol(topia)

The sad truth is a lot of people still don’t trust the good intentions of white hat hackers because of what they read about black hat hackers — but there’s a big difference between the two.  

Malicious hackers are agents who purposefully violate computer security for their personal profit or malice. Like malicious hackers, ethical hackers also break into a target’s computer systems. However, they operate within the confines of the law and follow the specific rules of engagement outlined in the target company’s vulnerability disclosure program (VDP). As the name ‘ethical hacker’ suggests, they have a strong moral compass. Their purpose is to inform companies about their cybersecurity weaknesses, flaws and vulnerabilities to help them minimise the potential for a cyber-attack.  

Changing perceptions around hackers 

The moment we launched, we made it our mission to change the perception of hackers, and the best way we could do this was to illustrate them as the superheroes they are, not the villains they aren’t. 

Like most superheroes, a lot of our ethical hacking community are your everyday people. They’re your neighbours, your friends, your colleagues and your family — one could say their hacking persona is like their second identity. We wanted to give our community the opportunity to personify this second identity and put it into something tangible. The illustrations also better represent the playful personality and close bond our community has. They take security seriously, but not themselves! 

Driving diversity 

Using illustrations rather than photographs to represent our hackers is a way for us to reflect the creative nature of a bug bounty hunter and how they approach targets and bounties. Our community is incredibly diverse, and no two bug bounty hunters work in the same way. We encourage individuality, and by commissioning an illustrator, we allow our community to create a visual representation of who they are and how they feel when they’re hacking.

The creative process 

We spoke to the Intigriti illustrator, Jeroen Van Zwol(topia), about how he approaches each drawing: 

“When drawing one of the hacker portraits, I start with two things: A few photographs and some titbit about the person, provided by Intigriti. That usually is enough for me as an artist to provide a creative spark in combining a trait of that person with an original personalised visual of them as ethical hackers/bug bounty hunters.

I get the biggest kick out of finding new ways to visualise the concept of a bug bounty hunter that is: 

  1. Easy to understand
  2. Fun to look at
  3. Captures the essence of the individual
  4. Fits well among the other portraits (so they all belong in the same illustrated Intigriti universe.)

It’s about combining a warmth and a playful aesthetic that doesn’t lose sight of the modern and tech-oriented world Intigriti inhabits. 

With an international organisation like Intigriti, it’s not always easy to meet up in a personal way or provide personal support, especially in a pandemic! Helping the community come together with these portraits is something I’m proud of. The positive reactions when the illustrations are published are a bonus!”

Who are they?  

Meet four of Intigriti’s top ethical hackers: 

Pieter 

Location: Belgium 

All time leaderboard position: 

Occupation: Full-time bug bounty hunter 

What does life look like as an ethical hacker?  

Ever since I made the decision to be a full-time bug bounty hunter, my day looks very similar to an ordinary home-office worker. I wake up at normal hours, I try to stick to my 8-hour days, and I work Monday to Friday. The big difference is that I get to choose what I do and when I do it. I have the power to change my focus to keep myself motivated. For example, if I am struggling with a particular program, I can switch it up and try something new. I also have a better balance now of focusing on the programs that pay the bills and spending time on developing my skills and learning, or looking at ways to improve upon my workflows. 

What advice would you give to companies listing their first program?  

Make access effortless. If I get to a program and the credentials haven’t been given yet or they don’t work (e.g. the company has IP restrictions), I lose interest fast! If you want to have continuous attention over a longer period, decent pay-outs will help attract more people to the program. 

What’s your biggest advice to companies in general?  

“This looks vulnerable” is a reaction I have all the time to all sorts of websites! But I don’t ever target them. It can be quite painful when you find a vulnerability for a company that doesn’t have a VDP because I know how vulnerable they are but have no way of disclosing it to them. It taught me that companies need to do better in that respect. 


PentesterLand 

Location: Morocco 

What does life look like as an ethical hacker?  

To give you a short answer, I do bug bounty as a hobby. I write Intigriti’s Bug Bytes newsletter by day and I hunt for bugs whenever I find the time. 

What’s the coolest thing you’ve bought with your bug bounty earnings?  

For a long time, I put all my earnings from bug hunting and work in a savings account. Then, I wanted to treat myself for the first time. I bought a ticket to an onsite training day on advanced usage of Burp Suite and booked everything from plane tickets to hotel. 

Why did you choose Intigriti to participate in bug bounty programs?  

I’ve used several platforms and found Intigriti’s triagers to be the most effective and polite. There is always someone to answer any questions we have, or to discuss the outcome of a report. I also appreciate everything Intigriti has been doing for the community, like encouraging content creators and sharing bug bounty tips. It shows that the company really cares about its hackers. 

What’s your favourite aspect about hacking? 

I like focusing on bug classes that scare me the most, for the challenge. If I can get a handle on them, I can do and learn anything else. 


Kuromatae 

Location: France 

All time leaderboard position: 

What does life look like as a bug bounty hunter?  

I spend two days a week hunting for vulnerabilities on the Intigriti platform. This allows me to earn enough income to live off and do the things I want to do in life, like go travelling. 

What’s your favourite aspect about hacking? 

I like targeting medical companies because it helps a lot of people. I did some pen tests for a hospital recently that didn’t have any reward to give. However, I only needed fifteen minutes to look into their site to report many vulnerabilities. I helped them secure their digital assets for almost nothing of my time. 

What was your most memorable vulnerability find?  

I think my fastest critical vulnerability find was within 10 seconds – and that was for quite a well-known company that had already done a penetration test. 


Pudsec 

Location: Australia 

All time leaderboard position: 10 

What does life look like as a bug bounty hunter?  

I work full time as a Linux system administrator and Python/PHP software developer. With the family, sports and work, it’s hard finding spare time to hunt for bugs so it’s more of a hobby at the moment. I’ll usually hunt when I get home from work and the kids are occupied with homework. Then after their bedtime, I’ll try and fit in another hour or so. 

What’s your favourite aspect about hacking?

My first ever bug was very interesting! I was browsing around on a target and discovered a private employee portal that was using Google single sign-on for authentication. I tried logging in with my Gmail account, but it failed, stating it was an invalid domain. Then I checked out the requests it had sent and could see it was sending my Gmail address in plain text. So, I decided to try logging in again, but this time I intercepted the request and changed it to ‘pudsec@’ + the company’s email domain. Like this: ‘pudsec@CompanyName.com’. I successfully logged into the company’s client portal, giving me access to all their client data.

What’s the coolest thing you’ve bought with your bug bounty earnings? 

Any bounty money goes directly to my kids’ education. I don’t have anything cooler to report there, unfortunately! 

Why did you choose Intigriti to participate in bug bounty programs?  

Intigriti triages very fast, and with such positive and encouraging comments. That really lifted me – especially when I was still quite new to the bug bounty world. 


For more hacker interviews, check out the Intigriti bug business series
