An Interview with Stijn Jans, CEO of Intigriti

Tell us a little about yourself and your previous experiences

“Before Intigriti, I was the Founder and Managing Partner of a certified penetration testing business. The company deploys ethical hacking consultants on request for small or large assignments to test an application chosen by the customer.

Whilst the business was successful, there was a recurring question customers kept asking me: ‘Can you guarantee that you have found all possible vulnerabilities during the test?’ The only answer I could give was ‘no’. Companies are so agile nowadays, meaning running annual security checks alone is no longer enough. The other aspect of penetration tests is that they lack the ability to tap into multiple skill sets and creativity. Penetration tests are performed by a single consultant or a small team – and so companies are limited to the skills and experiences of these people. Pentests are also timeboxed and the consultants are hired to test specific applications or features. This means the scope is also very specific. Bug bounty programs tap into the expertise of thousands of ethical hackers, and although hackers must still follow basic rules and guidelines, the process is less restricted than penetration tests. This better reflects the way cybercriminals operate and so you’re more likely to detect unknown vulnerabilities that could be exploited.

What is the purpose of a bug bounty platform?

“To answer this question, it’s worth me quickly explaining some of the basic concepts around bug bounty first. A bug bounty program allows independent security researchers to report bugs to an organisation. The term ‘bug’ is another way to describe unknown yet potentially harmful security vulnerabilities that can be found within a company’s digital assets and systems. If a bug is deemed relevant (which depends on the scope provided with the program) the researcher usually is paid a reward or compensation, which is better known as a ‘bounty.’

A bug bounty platform is the software used to deploy bug bounty programs. Researchers choose to hunt for bugs via an official platform because they offer a clear and managed way to submit reports and get rewarded. In other words, it provides the best infrastructure and legal framework for them to be successful”.

“Interestingly, success looks different to our community depending on who you ask. We found that 70% of our community use Intigriti to develop their skills, whilst 63% use it to earn extra income. For 21% of the community, they’re most interested in the recognition they receive through aspects like our platform leaderboard – and 40% are here for the challenge!

Koen Heyns, Inti DeCeukelaire, Stijn Jans

Like our hacker community, companies find bug bounty platforms to be one of the most reliable and stable ways to set up programs. When you sign up to Intigriti as a client, for example, a customer success manager will help you define a clear scope for your program and advise on aspects like what you’ll compensate researchers and how you’ll manage budget flow.

Another benefit to running a program through a platform is that when security researchers participate in a program and find a bug, they submit a report via the platform. This allows the report to go through a process of quality control, known as triage. The triage team will first check if the report is valid, unique, and in scope and they’ll also act as the middleman between companies and security researchers. The additional steps ensure your internal team only receives actionable, valid reports so they can stay focused on business-as-usual activities”.

How does it improve customer security?

“Inviting ethical hackers in is a simple yet proven method to protecting against cyber threats. Bug bounty programs follow this concept at scale by applying a crowdsourced mentality to testing.

Security researchers are incentivised to find weaknesses and report them to a company via the bug bounty program. This provides continuous coverage of the company’s digital assets without them needing to increase headcount or put pressure on their internal team. It’s also an extremely cost-effective way to perform continuous testing because, unlike penetration tests, bug bounty programs operate by a pay-only-for-results model. Therefore, it’s affordable for companies of all sizes and maturity levels. It also allows businesses to be seen to be proactive. Unfortunately, malicious hackers are always seeking out exploitable opportunities and they’re constantly evolving their methods for doing so. A successful hack will not only cost you money, but it can also cause long-lasting damage to your reputation and relationship with customers. It is essential to keep your security systems safe to protect them. There is only one response businesses can give to these threats: Continuous security testing. After all, a vulnerability reported and fixed is one less opportunity for a cybercriminal to exploit”.

What role do ethical hackers still play today?

“As we know, cybercriminal activity gets more sophisticated by the minute, which leaves companies needing to keep up with the relevant skills to defend themselves. With the assistance of ethical hackers, companies do not have to fight this battle alone. Worldwide, tens of thousands of ethical hackers are using their skills for good. They’re helping to build a safer digital environment by researching, identifying, and alerting companies to weak links in their security systems before they’re taken advantage of. Due to the widely reported reputation of cybercriminals, ethical hackers still have some work to do to convince businesses that they’re here for the right reasons. It’s not unusual for companies to feel nervous about inviting a person who identifies themselves as a hacker into their business. However, perceptions are shifting, and today, ethical hackers are seen by many to be the backbone of IT security testing”.

There is still a lot of confusion between hackers and crackers, isn’t there?

“Many people associate hackers with criminals, imagining a person who can take out whatever he or she desires through their computing skills. Indeed, hackers and crackers both have extensive knowledge of systems, codes, programming, and more. However, the easiest way to remember the difference between them is that hackers are do-gooders while crackers are the actors operating with malicious intent. In 2021, becoming a hacker (also referred to as a white hat or ethical hacker) is a popular ambition amongst security professionals around the world. Like crackers, they’re driven by an overriding goal: to break through a target’s system defences. However, as the name suggests, an ethical hacker operates within the law and will disclose vulnerabilities to the companies they work with. At Intigriti, we often refer to ethical hackers as ‘security researchers’ because we find that this term does more justice to the long hours of research, study and perseverance it takes to find vulnerabilities while avoiding any of the negative connotations that are sometimes associated with the term hacker”.

Is the automation of software speeding up threat scouting operations?

“The only realistic application of artificial intelligence (AI) and machine learning (ML) is currently centred around fuzzing or time-based attacks — but those are more statistical calculations.

Where ML shines is within signal detection, such as endpoint detection and response (EDR) or security information and event management (SIEM). You train your model to recognise a “normal” image of what your company ecosystem looks like, and it learns to recognise any anomaly alert which enriches it with the necessary traditional metadata such as signatures, hashes, or other threat intelligence. Working with a crowd gives you the unpreceded advantage of having human creativity looking at the challenges which we call security. That creativity is unmatched by any AI”.

What is your work with the European Commission on the Matrix?

“We recently partnered with the European Commission to launch a new vulnerability rewards program on our platform to keep Matrix (the open-source secure communication tool) as secure as possible. The scheme was funded under the open-source part of the ISA² program.

Courtesy of Intigriti

The Foundation is using our platform to invite ethical hackers to find vulnerabilities in its messaging tools and projects. Researchers are being offered rewards up to €5,000 ($6,000) for discovering unknown yet potentially damaging flaws in its software. More than this, they can also earn an extra 20% bonus from the European Commission if a viable patch is provided with the vulnerability report. Our researchers love a challenge and so this has been a great motivator!

In a Europe still waiting for recover after Covid, the work of ethical hackers is even more important to reduce the risk of new threats and not create more problems for an already ailing economy

“Last year, COVID-19 led to the ‘new normal’ way of working. When the initial work-from-home orders were given, many companies were not prepared with a business continuity plan. Instead, IT departments were instructed to think fast and act faster to ensure their employer’s business could continue operating remotely. The priorities were to ensure employees had what they needed to work from home and security became even more important. Today, we know that the traditional perimeter architecture (which was set up to ensure every device, network and endpoint inside corporate walls were secure) evaporated overnight. With a newly distributed workforce and multiple network connections, cybercriminals suddenly have a much larger attack surface to play with which put a great deal of pressure on cybersecurity teams. That is where we were able to step up and help because heightened security testing was available through our platform. During a time where there was a lot of uncertainty for businesses, having a crowd to lean on was a real lifeline for many. Bug bounty programs give companies a way to tap into a wider network of security experts (without adding to their headcount), test continuously, and stay on top of ever-evolving cybersecurity threats. More and more businesses are buying into bug bounty programs because they’re seeking out a solution that fits better with today’s work environment.

Similarly, we’ve noticed more ethical hackers signing up to Intigriti since the pandemic because it allows them to stay connected. There is a real community feel on the platform and this served as an important morale boost for hackers who were suddenly having to work alone. In the last 12 months, there have also been more collaborations happening. Our latest report into our community found 91% of our researchers chose to collaborate with other researchers or said they are planning to do so soon. 2020 may have seen security teams having to be extremely reactive — but 2021 is about proactivity. Compared to alternative security testing, crowd security can offer all this without becoming expensive. This is vital for an already ailing economy because it makes cybersecurity affordable whilst mitigating the risks of potentially costly hacks”.

What’s in Intigriti’s future?

“The growing interest in bug bounty helped contribute to us securing €4.1 million in funding last year. We’re currently using the extra resources to grow our team, develop our platform, support current and new customers, and empower our community. We’re also moving forward with a geographical expansion and developing additional security services to allow our crowd to help organisations in several more valuable ways”.

Antonino Caffo has been involved in journalism, particularly technology, for fifteen years. He is interested in topics related to the world of IT security but also consumer electronics. Antonino writes for the most important Italian generalist and trade publications. You can see him, sometimes, on television explaining how technology works, which is not as trivial for everyone as it seems.