Bug bounty programs have been around since 1983 (see box), the year Hagenah came into the world. SIX will launch its maiden bug bounty program in spring 2022. SIX will be conducting it in collaboration with HackerOne, the world’s largest platform for White Hats. HackerOne has paid out bounties totaling over 100 million US dollars since 2012. The portal of the industry leader currently lists almost 400 active bug bounty programs, many of them for illustrious clients like the US Defense Department, IBM, Twitter, and TikTok. “The goal of our bug bounty program is to find vulnerabilities on our website that we haven’t come across ourselves,” Hagenah explains.
He cites three reasons why that should work: “First, external hackers bring along their own ideas. Second, participants in the program vastly outnumber the members of my team. And third, a bug bounty program runs for years – a pen test is often over in a week.” Depending on the experience SIX gains with the bug bounty program, the principle can be extended, for example, to the cloud or to internal systems at SIX, Hagenah explains.
It is vital to Hagenah to keep an ear to the ground in the hacker scene because cybersecurity is incredibly dynamic, he says. In this context, a bug bounty program serves not only to gain knowledge about security vulnerabilities at SIX, but also to make a name for SIX as a client among the world’s best ethical hackers, he adds.