For the Belgian bug bounty platform intigriti, industry growth is built on quality over quantity
Bug bounties in the tiny European nation of Belgium were more or less unheard of until data protection became unavoidable following the implementation of GDPR, the EU’s General Data Protection Regulation, in 2018.
But as data breaches began to build up, not least last year’s foul up by Mastercard, companies operating in the country have started to turn to independent hackers to help ensure that their business is safe from corporate embarrassment – and potentially crippling fines.
There to foster the, sometimes shaky, relationship between organizations and security researchers is intigriti, a bug bounty platform based in Belgium that’s chalked up 10,000 hackers since its creation in 2017.
The Daily Swig recently sat down with Stijn Jans, intigriti founder and CEO, and Inti De Ceukelaire, the platform’s community team manager, to learn more about the company’s international ambitions, and their view on scaling crowdsourced security while maintaining the independent hacker spirit.
The intigriti platform was created almost three years ago, what sparked its creation?
Stijn Jans: Before intigriti, I was managing a security consultancy company, focused on penetration testing.
During this time, I felt the need of continuous security testing. Customers were asking, ‘How sure are you that you’ve gotten all the vulnerabilities during this pen test?’.
This was something I could never assure, since you are doing a snapshot in time with a pen test. It is performed by one person, with a certain skillset executed in a limited amount of time.
Moreover, budget was often the limiting factor in the continuity of the penetration testing and the amount of specialists that could participate. This problem pushed me to look for other solutions such as the continuous crowd testing model ‘bug bounty’.
In 2017, I decided to take the leap and established intigriti. Today, a bug bounty platform that’s providing agile and continuous crowdsourced security testing.
You’re based in Belgium, where bug bounties are still a relatively new concept. What’s it been like to grow your business in such an uncharted market?
SJ: I think evangelicalism is still a big thing in Europe. My personal opinion is that in Europe they are looking at security a bit differently than they are in the US, where the bug bounty market and crowdsource testing is more mature. We [in Europe] have some catching up to do.
In 2017 [when intigriti launched] it was a real challenge of convincing people to work with a crowd and work with people that you have not met and are not seeing.
But when you start to explain to people that you are doing a pen test once a year, two times a year, or even four times a year, and what are you doing all the other times, what are you doing with your releases, then they get that bug bounties may be the right solution.
What do you, as a company, build first – your customers or your network of researchers?
Inti De Ceukelaire: In order to establish quality in this industry, you need to build your community first. We will never tell a customer to get a bug bounty program if it’s not the right thing [for them] because it won’t bring benefit to their business, and it’s not bringing any benefit to our researchers either.
Researchers want decent payouts, they want appreciation for their work, they want to find bugs. Just doing it for the numbers and to get as many companies on board is not the right thing. We need to bring a certain level of quality for our customers but also for our researchers.
Live hacking events hosted by intigriti help foster the relationship between researchers and organizations
Hacking education seems to be a really big part of what the intigriti platform is about.
IC: We work with a lot of universities and schools in Belgium and we actually look at bug bounties and responsible disclosure as an alternative to learn.
We’ve done some hackathons where some students do some assessments and practice on real targets. The cool thing about this is that those students will get paid on the spot for their work. We really want to build a vocal and engaging community in Belgium with good cooperation with the schools.
For me, as a student, I had to do my security testing on targets that were nowhere near real life scenarios. These guys get to hack real life targets and earn money with it and that’s a strategy that we want to see build and roll out in other countries as well, building out those smaller communities.
SJ: It’s good job preparation. Your testing real life applications in a responsible, ethical, and legal way.
How do you advise companies on how much they should be paying out to researchers?
IC: The biggest bounty that we’ve ever offered on our platform was €50,000 ($54,000). We do communicate on [bug bounty] amounts, I think there’s no shame in doing that, but it’s more about what you [companies] should be awarding people for their work.
I still do bug bounties myself, and I’ll often spend weeks on one target. If you’re not paying for time, you should have to compensate on quality. But we also believe that every company is different and the important thing is balance.
We will never set any bounty amounts ourselves. They are always set by the customer with our guidance. Some companies are more mature in terms of security and therefore put their bounties higher than others, to motivate the hackers to dig deeper.
You’ll see bounties ranging from €1,000-€50,000 ($1,100-$54,200), and some companies pay absolutely no bounties just for people who enjoy doing it. We also advise companies to start off low and gradually go higher just to keep the interest of the researchers.
SJ: This is an industry, of course, where there’s a lot of talk about money, but I think there’s also the need to give some kudos to the community. We did a live hacking event not so long ago and we had some researchers coming in and donating part of their bounties earned to charity.
intigriti hosts a live hacking event at an undisclosed location in the heart of Brussels
You’ve also worked with providing a bug bounty platform for the EU’s Free and Open Source Software Audit (EU-FOSSA) project.
SJ: The EU-FOSSA project is a very nice example of something tangible that I’ve seen from the European Commission. I really respect them for that. It gave us the opportunity to work with some great open source initiatives, and that’s been a really good ride.
IC: We did a lot of study on how to implement open source bug bounty programs because there’s even more people involved. There’s a customer, the European Commission, then there’s the community of hackers, and then the open source community. Things get really complex.
One of the things that we learned is that when you work with several communities, while everyone wants to get appreciated for their work, you are also all working towards a common goal.
What’s next for the intigriti platform?
SJ: In terms of business, we’re looking at the healthy challenge of growth, and I think that’s our ambition, and a good thing. In terms of community, it’s all about quality – not quantity. I want to focus on education and information sharing, that’s very important.
IC: There is no point in making the biggest community of researchers if you cannot provide a consistent qualitative experience, so that is a priority for us, and then we look at how we can scale our services.
We are also actively looking at hybrid pen testing where people can still get compensated for their time so that they can make a living and still enjoy the advantages and motivations that bug bounty brings.
Check out the public bug bounty programs run by intigriti on the company’s website.