5 Bug Bounty Insights From SIX Group

Alex Hagenah of SIX Group

“We have Code Review, Pentest, and on top of that, we have VDP and Bug Bounty running 24/7/365. I will say it's 100% worth it.”

That’s the gusto with which HackerOne customer SIX Group expresses the power of bug bounty and vulnerability disclosure programs (VDPs) with HackerOne Response. Alex Hagenah, Head of Cyber Controls at SIX Group, joined us at Security@ EMEA to discuss aspects of community-driven security, from time and budget to leadership buy-in.

1. Why VDP and Bug Bounty?

At SIX Group, Alex Hagenah emphasized the year-round success of going beyond the regulatory requirements of the financial services industry.

“We’re a highly regulated market, so we have to run pentests. But the more we onboarded onto our bug bounty program, the more we see there are issues we haven’t found before — and they’re introduced all the time. When applications are updated, we can say we did our due diligence, but we also have hackers looking at it around the clock. It’s incredible, and we find bugs all year round now.”
— Alex Hagenah, Head of Cyber Controls, SIX Group

2. Unmatched Creativity

Focused on making the Swiss financial market secure, SIX Group relies heavily on the creativity of bug bounty security researchers.

“Whatever team I build up, they cannot replicate the creativity and man-hours being put in by ethical hackers on a bug bounty platform. We run pentests, then put it into a private program, then after putting it into the bug bounty, we still find critical vulnerabilities that weren’t found previously. You cannot replicate that creativity — they're specialists in all kinds of areas, and it’s super important for us to apply to them.”
— Alex Hagenah, Head of Cyber Controls, SIX Group

3. Time Spent

A common question our panelists received was, “How much time do you spend on bug bounty, and do you have dedicated team members who work on it?” While every organization and security team is different, the amount of time teams need to dedicate to managing the bug bounty program was resoundingly reasonable.

“Thank god we have the triagers at HackerOne. We don't spend too much time, and when the triagers confirm the bug, it comes to us only and the effort is not a lot. We have a person dedicated to bug bounty in my team, but it's not a full-time job for her.”
— Alex Hagenah, Head of Cyber Controls, SIX Group

4. Leadership Buy-in

Perhaps the top concern from our event audience was the effort of receiving leadership buy-in and what methods our customers have used to champion the value of bug bounty and VDP in their organizations. To Alex, the ROI of bug bounty is clear.

“Traditionally, you have your return on investment, which can be harder to express with bug bounty. How I sell it internally is you have the return of mitigation or return of prevention. If you just tell them ‘Give me that amount of money for our bug bounty program,’ they think, ‘But what do we get in return?’ Well, if we have a breach, it's going to cost you millions. Then, it's actually not a lot of money, right?”
— Alex Hagenah, Head of Cyber Controls, SIX Group

5. Budget

Leadership buy-in and budget allocation go hand in hand. At SIX Group, Hagenah made the case that a dedicated bug bounty budget is essential to meeting the organization's security goals.

“For me, it was essential that we incorporated bug bounty into our comprehensive information security strategy. Otherwise, we wouldn't be able to achieve what we want to achieve. This approach has been crucial in securing and spreading the budget for it over a few years.”
— Alex Hagenah, Head of Cyber Controls, SIX Group

Thank you so much to our customer SIX Group for joining us! To discuss the benefits of bug bounty and VDP with HackerOne, contact us today.
