A Bug Bounty Program for SIX: When Companies Invite In Hackers

SIX rewards hackers who search for security holes. Learn what a bug bounty program is and why Alexander Hagenah, Head Cyber Controls at SIX, started to infiltrate others’ computers at the tender age of 12.

“When I revealed to my parents that I wanted to become a hacker, they were hardly enthused,” Alexander Hagenah recounts, laughing. Ever since he was 12, the head of cyber controls at SIX has had nothing on his mind but “finding ways to evade security systems and infiltrate computers.” His hobby caused his school grades to suffer, and his parents barely managed to drag him through an apprenticeship as an application developer.

In his first fumbling attempts at hacking, Hagenah’s targets weren’t always of a noble nature, but that quickly changed: he began working for companies and governments by testing their defenses. He became an ethical hacker.

Alexander Hagenah, Head Cyber Controls at SIX and former ethical hacker

What Is an Ethical Hacker?

Ethical hackers apply the “same techniques that their unscrupulous counterparts” use, but they “report discovered problems to their clients and do not exploit them to their own advantage,” according to the definition by ComputerWeekly. Ethical hackers are sometimes also called “White Hats” in an allusion to Hollywood westerns in which the good cowboys wear white Stetsons and the bad guys wear black ones.

The New York Times puts it in a nutshell: “A solution to hackers? More hackers!” According to one study, the market for ethical hacking is already worth 4 billion US dollars annually in the USA alone, and courses now offer diplomas in ethical hacking.

Hagenah spent many years working for a German-British espionage software company, where his clients were intelligence agencies and governments from around the world. With his skills as an ethical hacker, he enabled them to take innovative measures in Offensive Cybersecurity.

What Is Offensive Cybersecurity?

Offensive cybersecurity denotes a proactive approach: specialists attack their own organization the way a real adversary would, in order to find and report weaknesses before someone else exploits them. It complements defensive cybersecurity, which hardens systems, monitors for attacks, and responds to them, for example by patching software and fixing vulnerabilities that have already come to light.

Dream Job: Gang Leader

In May 2021 Hagenah joined SIX, assigned to sniff out vulnerabilities in the company’s IT systems with a new offensive cybersecurity team. “Or stated more simply, I was assigned to put together a gang of hackers – a super-exciting job,” Hagenah explains. Recounting his first impression, he says that “we started at a much higher level than I was accustomed to in working with governments.” Hagenah has brought some of the best cyber specialists to SIX and conducts all kinds of offensive cybersecurity operations together with them. The arsenal employed by Hagenah’s team includes:

  • The red/purple team: The team assumes the role of attackers, either in coordination with the defensive cybersecurity team of SIX, which can then observe and tune its detections (purple), or without advance warning to the defenders (red). Objective: To train and strengthen the defense.
  • Penetration tests (“pen tests” for short): The team attacks SIX’s own systems within an agreed scope and time frame. Objective: To detect security holes.
  • Bug bounty program: External hackers search for vulnerabilities on the website of SIX and are paid for valid reports. Objective: To detect security holes continuously, over a longer timescale.

A Bug Bounty Program for the Website of SIX

Bug bounty programs have been around since 1983 (see box), the year Hagenah came into the world. SIX will launch its maiden bug bounty program in spring 2022. SIX will be conducting it in collaboration with HackerOne, the world’s largest platform for White Hats. HackerOne has paid out bounties totaling over 100 million US dollars since 2012. The portal of the industry leader currently lists almost 400 active bug bounty programs, many of them for illustrious clients like the US Defense Department, IBM, Twitter, and TikTok. “The goal of our bug bounty program is to find vulnerabilities on our website that we haven’t come across ourselves,” Hagenah explains.

He cites three reasons why that should work: “First, external hackers bring along their own ideas. Second, participants in the program vastly outnumber the members of my team. And third, a bug bounty program runs for years – a pen test is often over in a week.” Depending on the experiences gained by SIX with the bug bounty program, the principle can be extended, for example, to the cloud or to internal systems at SIX, Hagenah explains.

It is vital to Hagenah to keep an ear to the ground in the hacker scene because cybersecurity is incredibly dynamic, he says. In this context, a bug bounty program serves not just to gain knowledge about security vulnerabilities at SIX, but also helps to make a name for SIX among the world’s best ethical hackers as a client, he adds.

Do Ethical Hackers Get Rich?

A couple of years ago, word traveled around the world that an ethical hacker had been awarded a million US dollars for discovering a security hole in an iPhone operating system. However, everyday life for most ethical hackers looks a bit less glamorous: for the detection of zero-day vulnerabilities, as previously unknown security holes are called, companies generally pay “between 50 and 10,000 US dollars, depending on the severity of the bug,” Hagenah says. “If you detect around 100 security holes per year,” he continues, “you can live comfortably from bug bounty programs, especially considering that many ethical hackers live in exotic locations and get by with little money” – many, but not everyone. Other ethical hackers, like Hagenah himself, sign on with corporate cybersecurity departments. Many of them hunt for security flaws as a hobby.

Hagenah’s parents, by the way, have long since forgiven him for his choice of profession. “By now they are even proud of me, especially when I tell them about how I helped to thwart attacks, expose child pornography rings and terrorist networks, and shut down narcotic and human trafficking.” Hagenah also has big ambitions at SIX. He wants to build one of the best offensive cybersecurity setups in Switzerland.