Is it boring to be an ethical hacker?

Swiss companies pay hackers to track down gaps in their IT systems

Anyone who finds a weak point receives a bonus. Companies like Swisscom and Swiss Post rely on so-called bug bounty programs - with success. Now the federal government is also considering inviting hackers to attack.

Business is going well for the hacker Edgar Boda-Majer. He specializes in attacking an Adobe webshop solution. In addition, he regularly looks for weak points at Swiss Post or Swisscom. But not illegal. Boda-Majer is an ethical hacker and hunts for vulnerabilities. For this he receives a reward. Boda-Majer is a bug hunter.

Boda-Majer's activity is experiencing an upswing in Switzerland. It is called bug bounty when companies or authorities advertise a bonus for found vulnerabilities. Last year, for example, the Post or the TX Group started their own bug bounty program. And the federal government can also imagine starting a program for ethical hackers for the administration's IT systems.

The idea of ​​bug bounty is simple: companies invite hackers to attack their systems. Anyone who finds a weak point - a bug - receives a reward - the bounty. This varies depending on the severity of the gap. If the ethical attackers remain unsuccessful, there is no money.

There are restrictions depending on the bug bounty program: Open programs are open to all hackers; closed programs require an invitation. Companies also often restrict which systems can be attacked and with which means. In return, those who abide by the rules of the game receive an assurance that the company will refrain from taking legal action.

Swisscom pays half a million a year

The idea of ​​inviting hackers to attack may seem unusual at first glance. But the experiences are positive. Swisscom is the Swiss pioneer. She started her bug bounty program a good five years ago, in mid-2015, when the concept was still practically unknown in this country.

Accordingly, the plan also met with criticism internally. “We had to work hard for the new idea,” says Florian Badertscher, who is responsible for the program at Swisscom. For example, the developers not only received it positively that the company wanted to publicly offer money for discovered errors in the system.

The management was primarily concerned with finances. Because it was completely unclear how much response the bug bounty program would trigger, the expenses could also be poorly calculated. Badertscher says: "That's why we reserved the right to stop the program at any time with immediate effect."

At the same time, Swisscom opened the program completely: everyone could take part and all services could be tested. "We just wanted to find out in which areas we have weaknesses that we did not expect." There was no collaboration with a bug bounty platform that brings companies and hackers together, as Badertscher says. "We wanted to design the whole process ourselves."

Today, Swisscom pays out around 500,000 francs in premiums every year. These go back to around 1000 reports, a good half of which is accepted as a weak point. "For us it is an efficient method of finding gaps in the system," says Badertscher. After all, Swisscom only has to pay when the hackers find something. In the case of critical weak points, this is up to CHF 10,000.

Hackers have canceled the update date

For the hackers, the focus is usually not on the financial gain - but on the challenge. It used to be the same with Edgar Boda-Majer. Like many ethical hackers, he took part in bug bounty programs in his spare time, in the evenings or on weekends.

Boda-Majer's main job was still a penetration tester at the time: as an employee of a security company, he was looking for a way into the customer's computer networks. But at some point this job became too boring for him. Boda-Majer turned bug hunting into a profession.

The 30-year-old founded his own company a good year ago with three work colleagues. "We wanted to do what interests us." Carrying out the same network scans over and over again until a hole is found is not one of them. Instead, Boda-Majer can now take the time to look at new systems and read up on technologies.

One of Boda-Majer's specialty is the analysis of source code. Something that not all bug hunters can do. Among other things, he has specialized in Adobe's Magento web shop system. This product is “open source”, which means that the source code of the application is public.

"In the beginning we read in for over a month," says Boda-Majer. That was the basis for today's expertise. Boda-Majer and his work colleagues have marked the days on which Adobe publishes an update to the system. Because a bug hunter has to be quick. Only those who find a weak point first will receive the bonus. The others go away empty-handed.

Self-employment pays off for Boda-Majer and his business partners. "We earn better than before," he says. However, the income fluctuated greatly - and coincidence also played a part. "Maybe we were just lucky last year."

But that is an understatement by Boda-Majer. He and his business partners are specialized and focus on lucrative bug bounty programs. In addition, he says, it could be an advantage that your company is based in Switzerland. Many companies would have reservations if information was leaked abroad, especially in the sensitive security area.

Experts want to make bug bounty popular in Switzerland

There is still no Swiss bug bounty platform on which companies can advertise their programs. But that can change. In August, five experts founded Bug Bounty Switzerland. Their goal is to bring the idea of ​​controlled hacking to Switzerland.

One of the founders is Florian Badertscher, who brought bug bounty to Swisscom. "We are firmly convinced that there is a need for bug bounty programs in Switzerland," says Badertscher. Because IT systems always have gaps - and bug bounty would help to close them.

Co-founder and CEO of the new company is Sandro Nafzger, who introduced the bug bounty program at Swiss Post. With their joint expertise, they want to make it easier for interested companies to get started, as Badertscher says: "We want to make bug bounty possible for companies without them having to make the same mistakes that we have already made." Companies could, for example, start an experiment in which they only set the budget - Bug Bounty Switzerland organizes the rest.

The Swiss company works with YesWeHack on the technical implementation. This French company was founded in 2013 and operates a bug bounty platform - as a European competitor to American providers such as HackerOne. On such platforms, companies can write out their programs, invite hackers and sort the reports about vulnerabilities.

It is often important for companies to know the identity of the hackers, says Badertscher. Security concerns are almost always raised by interested parties - such as the fear that an attacker who discovers a vulnerability will use it for their own purposes instead of reporting it. Badertscher does not know of such a case from Swisscom - even though the company monitors the illegal marketplaces for such offers on the Darknet relatively intensively.

Hackers expect an exchange with the developers

The Swiss Post and the Zurich-based media company TX Group, for example, rely on closed programs in which only selected hackers can participate. The TX Group started a year ago to release certain services for bug hunters. These include the websites of “20 Minuten”, the “Tages-Anzeiger” and the real estate platform Immogate. The person responsible for IT security, Andreas Schneider, describes the bug bounty programs as very successful.

The TX Group works with the American platform BugCrowd and is gradually opening its programs. At the beginning, a limited number of 25 hackers is allowed. The number will be increased continuously until the program is completely public within the BugCrowd community. This is already the case for 20min.ch, for example.

Swiss Post has also chosen a cautious approach. At the end of 2019, the federally owned company carried out a first attempt with 40 selected ethical hackers. “We have found that the program works and that it enables us to identify critical weaknesses and close them quickly,” says Marcel Zumbühl, Swiss Post's Chief Information Security Officer.

Last but not least, the impetus at Post was also the experience with the e-voting software. This was subjected to a public test at the beginning of 2019 in accordance with the requirements of the federal government - with the result that several serious weaknesses were found in the source code. “Then we considered whether we could apply this model to other services,” says Zumbühl.

A successful bug bounty program also requires the right internal processes. Zumbühl says: "We first had to find out what our processes for processing the reports should look like and how many people we would need to do this."

The dialogue between the hackers and the IT developers is very important. "The hackers rightly expect us to provide feedback," says Zumbühl. This could, for example, result in a new approach to solving a problem. "The hackers are at work with great creativity, which is entirely in our favor." Because Swiss Post wants to find and close every possible weak point.

Federal administration is interested

The hackers' creativity could soon also be used by the federal administration. Florian Schütz, who as the delegate for cybersecurity is responsible for cyber risk in the federal government, finds the idea interesting: "I see the possibility of a bug bounty program for the entire federal administration." He believes federal IT service providers would benefit.

Talks have already taken place in this regard with the new company Bug Bounty Switzerland, as Schütz says. "But we have the condition that we only work with one Swiss provider who operates the bug bounty platform on servers in Switzerland." Because the descriptions of the IT security gaps in the federal administration should not be located abroad.

Green-liberal National Councilor Judith Bellaïche is also calling for the federal government to introduce or at least examine a bug bounty program. The potential of ethical hacking in Switzerland has been "not exploited enough so far", so she justified her move in December. Bellaïche, who is also the managing director of the IT industry association Swico, sees the federal government and state-affiliated companies in a role model role for the economy.

Hacker Boda-Majer benefits from the fact that the bug bounty idea is spreading in Switzerland. Together with his business partners, he was able to employ the first employee at the beginning of February. The most important qualification besides technical skills? "We were looking for someone who enjoys bug bounty."