(Caption, from left to right: Christoph Klossner from Valiant with hacker Edgar Boda-Majer and Sandro Nafzger from Bug Bounty Switzerland.)
If he were a criminal hacker, he would prefer to remain anonymous. But for Edgar Boda-Majer, transparency is part of the business model: the 31-year-old, who lives in Lausanne (VD), is an ethical hacker. At the end of 2019, he set up his own business with three colleagues.
On behalf of companies, Boda-Majer and his comrades-in-arms search for vulnerabilities in their IT systems before they can be found and exploited by cybercriminals. At first glance, a partnership between professional hackers and companies with their own IT departments and many security precautions may seem unusual. And yet it is obvious: «We have the same opponent», explains Boda-Majer. And because the IT landscape is constantly changing and becoming increasingly complex, and criminal hackers are also developing new attack techniques, there is only one effective means of successful cyber defense: joining forces.
A partnership between companies and hackers may seem surprising only at first glance.
Companies that enter into partnerships with hackers gain an additional security measure that increases their protection against data thieves and extortionists. In turn, ethical hackers – or bug hunters – receive a reward (bounty), the amount of which depends on the success of the search. Resourceful computer whizzes can make a good living from their work: the discovery of a vulnerability that could have serious consequences is worth several thousand Swiss francs.
Patience pays off
Basically, his work is not very spectacular, says Boda-Majer. First, he observes. For example, he spends hours using analysis software to look at how the website of the partner to be hacked communicates with its back-end server, how data flows back and forth. Once he has identified a possible point of attack, he changes the data and observes what happens. Whether the server recognizes the manipulation. How it reacts. If the attack is successful, he does not penetrate further into the system. Instead, he reports the vulnerability to the client so that it can be closed. And starts searching for the next bug.
It’s not the race with criminals that gives him the thrill. Nor the idea of holding developers accountable for their mistakes. «What challenges me is the competition with other hunters», says Boda-Majer. That’s because the bounty is only ever awarded to the first person to discover a bug. «Since the IT world is a fast-moving one, with new updates replacing old features, there is almost always something left over for each bug hunter», he says.
«Ethical hackers are among the best in the IT business. They need to be at the cutting edge of technical development, IT nerds in the best sense. With a positive ideology that drives them to use their skills for the benefit of their customers instead of harming them.» So says Sandro Nafzger. It is he who – as co-founder and CEO of Bug Bounty Switzerland – brings the two sides together: the companies that want to be tested and the hackers with the right know-how.
«In addition to their expertise, the hunters must also have trust in this partnership», says Nafzger. After all, their work takes them to the edge of legality. The clients, in turn, must be willing to learn from the ethical hackers and consciously leave their own comfort zone. «This also takes courage», says Nafzger. And a positive error culture: an attitude that sees every uncovered bug as an opportunity to improve.