Chantal Stekelenburg is Head of Operations at Zerocopter, the company that provides the digital platform for Hâck the Hague (HTH) where hackers submit their vulnerabilities during the event. In this interview she explains how the platform is being used at HTH, what can be expected in the 2021 edition of the event and what - according to her - the similarities and differences are between male and female hackers.
In past editions of HTH, the Zerocopter platform was one of the pillars of the event. What does it do exactly?
“We use the Zerocopter platform on a day-to-day basis to facilitate the communication with hackers that find vulnerabilities for our customers. The platform contains for example a briefing that our hackers can consult when they do bug bounties. And it’s the platform via which we make so-called Coordinated Vulnerability Disclosure (CVD) or Responsible Disclosures available to our customers.”
How is the platform being used @ HTH?
“During HTH, the platform is used to submit the vulnerabilities that hackers have found in the systems of the Municipality of The Hague. By using the responsible disclosure mechanism of the platform, we can generate a URL that we make available to all participating ethical hackers where they can submit their vulnerabilities as soon as they find them. On the ‘other side’ of the system, I am working with representatives of the municipality to review all the incoming hacks. While reviewing we ask ourselves a series of questions like: Is it really a vulnerability? Is it a duplicate? Do we need more information? We decide which vulnerabilities are eligible for prizes and what is striking about them. In the end, a jury decides who the real winners are. In fact, last year we were able to work very efficiently thanks to the platform which marks each vulnerability that is being submitted with a time stamp; this was especially beneficial at the time, as we had two identical vulnerabilities that were submitted within seconds of each other. I can tell you that at that moment you’re happy to have an unbiased source that shows exactly which one came in first!”
No doubt developments on such a platform are ongoing. Can you disclose any new features that we can expect in the 2021 edition of HTH?
“There will definitely be new features in the platform by that time – one specifically beneficial for hackers and one that is aimed to facilitate the organizing team of HTH. The new feature that hackers will come across, is that we considerably broadened the range of vulnerability categories that they can choose from. This will hopefully make it even easier for hackers to find the right ‘label’ for the vulnerabilities they want to submit. The second, newest feature is the common vulnerability scoring system (CVSS) calculator that we are currently implementing. Based on a number of formulas, this calculator will assist us in determining the size of the impact of each vulnerability. Take for instance a vulnerability that requires a large number of steps before you can exploit it; that means that chances are small that anyone will ever get this far and the impact is therefore low. The same applies to vulnerabilities where interaction with a user is necessary in order to exploit it successfully – for example by having them click on a link. All these components will be taken into account by the calculator when it assesses the impact of a vulnerability.”
You are one of the founders of WICCA, a group of women in cybersecurity based in The Netherlands. In your opinion, are there any striking differences between male and female ethical hackers?
“To be honest, personally I hardly notice the fact that I’m a woman in IT and I think that all hackers share a similar passion. But there are differences, no doubt. For example, as a hacker you tend to spend time in the social spotlight as people simply find you interesting. Generally speaking, most women are not particularly fond of being at the centre of attention. They prefer to work in their own little corner without anyone paying attention. Another thing is that female hackers might have a keen eye for the sensitivity of certain data, and patience to spend as long as it takes in order to find out some nitty gritty detail that others might not even consider to be interesting. Personally I’ve worked on more than one assignment where my gut feeling told me that I was onto something containing sensitive data and that I would get to it if only I tried long enough. Other male colleagues would have dropped out way sooner.”
What, in your opinion, are reasons why ethical hackers should attend HTH?
“HTH is an exciting event but the atmosphere is relaxed, people spend a day hacking away and often you see partnerships developing during the day. It’s a great occasion to meet like-minded people and to extend your network. But of all things, the fact that you have the possibility to hack live systems of a large municipality, like the one of The Hague, and to see that in most cases they try to fix the vulnerability on the same day, should be compelling enough for any ethical hacker to register.”