To honour the complementary nature of ethical hackers and internal IT security teams, we spoke to members of both groups to talk about what it’s like to work with a bug bounty platform.
It takes two to tango. That saying goes for ethical hacking as well.
Ethical hackers are independent IT security researchers who strive to make companies more secure by finding vulnerabilities in systems before these become problematic. It takes relentless searching and a creative mindset to be a researcher. When their work results in finding an issue, researchers receive a reward, the so-called bug bounty.
Back to the tango. Preventing breaches through bug bounty is like an intricate choreography between a company’s IT team on the one hand, and the ethical hacker or researcher community on the other. In this dance, the ethical hacking platform acts as the choreographer. It manages the communication between internal and external IT security people and makes sure everybody is dancing to the same song.
Speaking for the researcher community, we have Arne Swinnen. Representing companies’ internal IT specialists, we spoke to Reinoud Reynders, IT-Manager at UZ Leuven and Eric de Smedt, Manager Cyber Security at Telenet Group.
What is bug bounty?
Arne Swinnen, ethical hacker: “Bug bounty is a concept that allows ethical hackers to investigate company systems via a platform like Intigriti. Vulnerabilities are reported so they can be fixed.”
Security in the age of continuous development
Reinoud Reynders, IT-Manager Infrastructure and Operations, UZ Leuven: “Security is very important for UZ Leuven. We do a lot of classical testing, such as penetration testing (pentesting) and vulnerability tests — but that wasn’t reliable enough on its own because our apps are continuously updated. It’s much more effective to secure fast-evolving apps through an ethical hacking platform. The researchers on the platform look for bugs and security leaks on a continuous basis.”
Ethical hackers: motivated by looking for problems
Arne Swinnen: “I see bug bounty hunting as a challenge to look for problems in company systems in a responsible way. You also get rewarded, which makes it interesting as well. The fact that I can find problems for certain companies is good for my résumé too.”
Bug bounty vs pentesting
Reinoud Reynders: “A hacking platform is interesting budget-wise. You only pay if an ethical hacker manages to find something. A company will commission a pentest for10 days, but you don’t know what the result will be.”
“A pentest is commissioned for 10 days, but you don’t know what the result will be.”
Eric de Smedt: “Intigriti also offers the possibility to put up public projects that can then be tested. You can also create specific projects for more focussed security tests, and even invite certain ethical hackers to work on a specific project.”
The community of ethical hackers
Arne Swinnen: “Every researcher has a speciality. That’s the strength of the concept: when more eyes are looking at a company system, more problems will be found.”
Bug bounty as an extra layer of security for many types of companies
Eric de Smedt: “Every company that offers online services can make use of a bug bounty platform. In particular, webshops and applications whose business model involves customers ordering products.”
Finding vulnerabilities: part of the security process
Reinoud Reynders: “The researchers already found a couple of things within our systems. For me, that proves working with an ethical hacking platform is an important part of our security process, and we’ll keep working with ethical hackers in the future.”
Discover bug bounty programs on Intigriti
Intrigued by what you’ve read and want to know more about ethical hacking and bug bounty programs? Get in touch to speak to a member of our team.
We look forward to talking to you!