By Anna Hammond
September 14, 2021
“I can use the creativity of thousands of ethical hackers’ minds through Intigriti — and that is far stronger than using automation or general algorithms to discover difficult to find vulnerabilities.” – Thomas Colyn, CISO of DPG Media
DPG Media’s experience with bug bounty programs.
DPG Media is an international digital media network. It has more than 90 unique brands within its portfolio across The Netherlands, Belgium and Denmark. The media production conglomerate provides its 15 million viewers, listeners, visitors and mobile phone users with premium content and technologies that cover the full spectrum of interests of the modern consumer. In addition, DPG Media offers advertising opportunities to strategic business partners.
DPG Media has more than 14,000 customer-facing domains and applications. Despite having a highly skilled cybersecurity department, defending an attack surface of that size with internal resources alone was a challenge.
Thomas Colyn, an award-nominated security specialist and CISO of DPG Media, is responsible for the IT security and information management of all assets of the DPG Media group (The Netherlands, Belgium and Denmark). He created a process whereby each product, domain or application within the network undergoes a series of security testing steps, including penetration testing.
“Our current IT strategy and information security strategy lie in the fact that we are trying to build a secure and agile ecosystem.”
– Thomas Colyn, CISO of DPG Media
To complete this process, Colyn needed a solution that would provide continuous security testing once a product had passed those initial steps.
To meet DPG Media’s business goals, Colyn chose to lean on Intigriti’s bug bounty platform for support. The platform meant he could tap into a network of security researchers (ethical hackers). At the same time, he could leverage Intigriti’s customer support and triage teams.
The role of a triage team is to review and screen incoming vulnerability reports before they reach the client. The team replicates each reported finding to confirm it is reproducible and to evaluate its impact and severity, so that the client only receives valid, relevant and in-scope vulnerability reports.
When a project launches within DPG Media, the first layer of cybersecurity checks includes testing within a quality assurance environment, followed by a penetration test. These steps bring the project to a level of maturity at which Colyn’s team is satisfied to launch it as a bug bounty program.
“The bug bounty programs provide me with more assurance that even the most difficult to find vulnerabilities are discoverable. We can then mitigate them quickly. In return, we provide more assurance to our customers, our readers, and our listeners.”
– Thomas Colyn, CISO of DPG Media
DPG Media has already launched public bug bounty programs for 14 of its brands, including VTM Go, HLN, De Volkskrant and Algemeen Dagblad. The network chose to launch the programs publicly to leverage the support of the entire ethical hacking community. Alongside the public programs, DPG Media also runs a responsible disclosure program through Intigriti that covers any related domain it owns.
“You will get immediate results the moment that you place your assets and domains on Intigriti,” Colyn explained. Within one year of launching bug bounty programs on the Intigriti platform, DPG Media received more than 1,900 vulnerability submissions across 14 brands. The severity of the vulnerabilities reported ranged from low to exceptional.
Colyn highlights how the bug bounty programs offer a benefit that penetration tests cannot:
“At each moment, someone is trying to find a vulnerability. This is one of the biggest differences between penetration testing and bug bounty.”
A penetration test is a snapshot of a single moment in time, whereas a bug bounty program is continuous. A business may receive a report at the end of a penetration test stating that no issues were found, but that statement only holds for the version that was tested; the next update can introduce new vulnerabilities. This is where bug bounty programs work well as a follow-up, because testing continues after every change.
Duplicate, out-of-scope and invalid vulnerability reports were filtered out by Intigriti’s triage team before they entered DPG Media’s vulnerability management process. This meant the network’s cybersecurity team only spent time on genuine, confirmed security risks in need of a patch.
“The most impact we have experienced from working with Intigriti is the extra time that my security team gets back from not triaging reports. What I also appreciate about Intigriti is the feeling that the customer comes first — it is an open and collaborative relationship where we share a common goal to mitigate found vulnerabilities.”
– Thomas Colyn, CISO of DPG Media
Intrigued by what you have read? Want to know more about bug bounty programs? Get in touch to request a demo with a member of our team today.