Bug Business is a series of interviews in which experts from the bug bounty industry shine their light on bug types and trends. For this blog post, we spoke to a member of the Intigriti triage team about his experience of working as the middleman and the glue between clients and researchers.
During my network and security engineer bachelor, we had a course called “Security”. This course was about the basic security fundamentals of web applications and network infrastructures. I quickly got interested and expanded my knowledge by reading books, for example, the Web Application Hacker’s Handbook.
After I graduated, I was still learning about security and became passionate about hacking. I definitely wanted to work in the security field. From here, I started at a security firm in Belgium as a penetration tester.
Days passed by and I learned a lot about how to find certain vulnerabilities and how to escalate them. At a certain point, I reached a point where I wanted to deep dive into specific functionalities of a web application but as a penetration tester, you are limited to a specific timeframe. This is how I got into bug bounty hunting. I was amazed that platforms like Intigriti, Hackerone and Bugcrowd gave ethical hackers like me the opportunity to hack organisations without the pressure of management. You can start and stop whenever you like.
I participated as a hacker in one of Intigriti’s live hacking events and got in touch with the Intigriti team, which later made me an offer to join them as a full-time employee.
Be communicative and transparent. It’s important that researchers feel like they are talking to a person and not some sort of robot. For every decision we make, a detailed explanation must be given to the researcher.
Be helpful as a triager. For example, if someone is struggling to assess the impact of a certain behaviour, we’ll be happy to help them understand, so they can grow their skills and knowledge. Being a triager is more than pointing out whether something is valid or not, it is also helping aspiring ethical hackers grow their career and pointing them in the right direction. As long as someone wants to learn, we’ll be more than happy to invest time in their growth!
Knowledge is key. Triagers should have at least a basic understanding of every vulnerability type. Otherwise, it will be very hard to determine the correct severity of the report. If a new vulnerability type is released or found, it’s the responsibility of the triager to understand this new vulnerability type. That’s why Intigriti continuously provides learning courses for its triagers and developers.
During the week, I wake up, drink a coffee and start working for Intigriti. It’s hard to be specific about what a ‘normal’ day looks like because being a triager is more than just validating and forwarding reports. There is a lot of variety in this work, but from a top-level perspective, a triager has three main tasks:
Validating and forwarding the researcher’s report.
Helping customers: If the customer needs assistance to fully understand the impact of a vulnerability, we schedule a call to make sure they fully understand it.
Helping researchers: If a triager or company made a decision and the researcher does not agree, it’s our job to give a proper explanation about the decision and mediate if needed. It’s also important to be transparent and keep the researchers in the loop. Even if there’s no update, the researcher has a right to request an update at reasonable intervals. At the end of the day, we want to provide an enjoyable and fair platform experience, both for researchers and customers.
On the weekends, I mostly hunt on other bug bounty platforms or deep dive in certain types of vulnerabilities.
Mental health is an important thing to consider doing triage, especially when you’re fully remote. The best advice that I can give is: make sure to have a certain hobby which does not involve the use of a computer. For example, I make sure to go to the gym every day for a maximum of two hours. Another example: every Friday, I go to the pub with some friends.
A fresh opinion from a colleague can sometimes help to better understand a researcher’s or company’s view on things. Besides that, take enough time to rest.
As a triager, I cannot hunt on the programs of Intigriti. We have inside information and it wouldn’t be fair towards our researchers to use this knowledge to be able to find vulnerabilities. In terms of tricks and tips, we also have a clear policy for that: if the information is not available online, we cannot use it for our own research, but there’s still a lot of publicly available information or knowledge to gather while doing the job!
The best reports to triage are the ones containing the exploit code to easily reproduce the vulnerability. For example, if a researcher found a CSRF on one of our programs. We really like it when the researcher already provides the needed HTML code to reproduce the CSRF. The quicker we are able to reproduce a vulnerability, the quicker we can pass it to the customer, issue a bounty and work on other submissions in the queue.
There are plenty of resources about how to write a good and efficient bug bounty report. If you’re unsure about where to start, I recommend reading our post regarding this topic.
One of the biggest misconceptions about triage is that we only validate or forward reports. We are here to help both the researchers and customers in providing a smooth platform experience.
Another thing I would like to address is scope. Nobody likes to reject a report because it’s out of scope, but to avoid unauthorised testing on third-party systems or to keep it fair to other users, we are very strict on that. We all must respect the guidelines.
To all of our researchers, if you do have questions regarding the decision-making of any company or triager, please do not hesitate to comment on your report. We try to monitor each and every report. We, as triagers of Intigriti, want to be there for you. Our main focus is to give you guys the best experience on Europe’s #1 bug bounty platform, for everyone.
Keep on hunting and hacking.
