Bug Bounty Q&A #1: What is ethical hacking and bug bounty?

By Intigriti

April 10, 2020

Bug Bounty for Business

Intigriti CEO Stijn Jans answers your questions about ethical hacking and bug bounty

At Intigriti, we love a good conversation. You can find us on Twitter, LinkedIn and Facebook. If the situation permits, we attend events and conferences. When the conversation turns to ethical hacking and bug bounty, some questions are commonly asked.

In this series of blog posts, we discuss these Frequently Asked Questions with our CEO Stijn Jans. Starting off, we’ll discuss “What is ethical hacking and bug bounty?” Coming up next is “Isn’t bug bounty only for large companies with large budgets?”

If you have any questions you’d like to ask Stijn or anyone in the team, feel free to do so via hello@intigriti.com. We’ll make sure every question gets answered, and if popular, we’ll publish it here.


Question of the Week

What is ethical hacking and bug bounty?

What is ethical hacking?

Working at intigriti, this is the question we get asked most often. All of us have favourite ways to answer it, depending on the situation.

At dinner parties, we tend to keep it short and sweet.
“You know how hacking is often associated with criminal activities? Well, we have the film industry to blame for that. In fact, the majority of hackers are ethical by default. ‘Hacker’ is simply a name given to security researchers who are interested in finding potential problems in websites and applications. At intigriti, we build a community for these security experts and get them in touch with companies that want to improve on cybersecurity.”

When ethical hackers find a potential problem, they simply report it so the issue can be fixed. As a reward for finding the vulnerability, ethical hackers receive a bug bounty.

When we discussed the question with our CEO Stijn Jans, he explained how he describes the concept to CIOs, CISOs and people in IT security in general.

What is bug bounty?

Stijn Jans: “I always start by saying that offering bug bounty is a method to test the security of public assets by working with a community of ethical hackers. When I notice people want to know more, I explain the concept by comparing ethical hacking to a security testing method that everybody in IT security is familiar with: pentesting.

Pentesting, or penetration testing, is a process where, before going live with a new website, app or portal, a company hires an expert to try and penetrate the system. While certainly useful, this test is limited in time and depends on the expertise of one expert.

Through the intigriti platform, the expertise and creativity of thousands of ethical hackers are sourced. Advantages are that security tests are conducted around the clock, using the same, ever-evolving methods and hacks used by bad actors.

Unlike pentesting experts, whom you have to pay for their time whether issues are found or not, ethical hackers only get paid when they find something: a so-called bug bounty. Think of a bug bounty as a finder’s fee.”

This 1-minute video explains ethical hacking compared to pentesting:

In a hallway conversation or on the phone, showing a video is not practical. Stijn Jans lists how he answers the follow-up questions he gets asked in those situations.

What is intigriti?

intigriti is the platform we built to enable crowd security testing and facilitate the communication between ethical hackers and internal IT security teams.

Why do people become ethical hackers?

Hacking is a passion to creatively overcome limitations. The majority of hackers are ethical, eager to learn and help organisations with their security. To become an ethical hacker, a passion for cybersecurity is needed, as well as a creative approach to finding vulnerabilities. Ethical hackers are security experts who want to protect companies and make the internet a safer place. With intigriti, we are building a community of security experts, based on mutual trust.

Are ethical hackers only in it for the money?

Money is not the only driving factor for ethical hackers; information sharing and recognition are important too. However, the remuneration they receive for their work allows them to spend more time and research on helping companies become safer. That is where ethical hackers have the most impact.

What do ethical hackers do differently than penetration testing experts?

Ethical hackers aren’t paid by the hour. They hack because they enjoy it. They don’t have standard checklists but take their time to get creative. The thrill of finding a vulnerability makes them research the latest, unexpected hacks that bad actors would also use.

What happens when a vulnerability is found by an ethical hacker, do you help fix it?

Much depends on the vulnerability found, but intigriti makes sure that any issue is reported in a standardized and comprehensive way. Your IT team is never just presented with the simple notification that a vulnerability has been found. You’ll get a clear report explaining how the issue can be replicated, which provides guidance towards solving the problem.


Do you want to know more?

Our team is ready to answer all your questions about IT security testing, the intigriti platform, pricing or anything else. Click the button below and we’ll get in touch!