Jean-François Simons has been Brussels Airlines CISO for over 9 years. Bug bounty and ethical hacking caught his attention a few years ago. Introducing the concept at Brussels Airlines, however, needed some persuasion.
For the management, the prospect of letting crowdsourced security experts find undetected issues was at first sight not an easy decision to take.
Mr Simons’ reaction to the initial pushback? “We need the support of ethical hackers to reinforce our IT-Security before non-ethical hackers find a possible vulnerability that they will of course not report to us!”
A clear definition of the scope of the project with intigriti helped get the project on the rails. So did setting a limit to the potential reward that would go to the researchers who found vulnerabilities.
With a clear scope and a predefined budget, the bug bounty program got off to a good start.
Jean-François Simons’ team was prepared for the testing. “I see pentesting as a security test that you take before going to a bug bounty program. It’s like a cleanup. If you start with bug bounty straight away, you might be in for an unpleasant surprise. We had done multiple pentests in the past. So, we were pretty sure we would be well prepared for the bug bounty program…”
Pretty quickly a critical finding surfaced that needed mitigation.
“The pentests were good, but ethical hackers are specialists in their specific domain. Some do cross-site scripting, SQL injection and so on. The vulnerability they found could only be discovered by very specialized and highly skilled people. Pentesting does SQL injection too, on a high level, but those tests simply couldn’t have found those vulnerabilities. I consider pentesting a sequential review to improve the general security of your systems. Afterwards, you give it to specialists.”
It is not just finding the bugs and vulnerabilities that makes intigriti valuable for Brussels Airlines.
Mr Simons points out the PR value. “The fact that we are using a bug bounty program, shows that we really try to go one step further. Should we face a major issue, we will be able to use this. Working with ethical hackers shows that we are really trying, not just sitting around waiting for something to happen.”
Furthermore, bug bounty provides the devops and digital teams at Brussels Airlines with a new collaboration opportunity. People learn from what has been discovered. “Intigriti is not a ‘sanctioning tool’. There is great added value in the close collaboration on the platform. Any question you have, there’s always somebody who answers it or escalates it if necessary. When an issue is found, both the internal and the external teams work together to solve the problem”
As a result of working with ethical hackers, more IT people at Brussels Airlines are aware of what is ongoing, and actively contribute to improve the information security.
Do you want to save this case study for later reference?Download this customer story as pdf. Download PDF