Go hack yourself with Detectify

An EASM blog from Detectify

Meet the team: Kristian Bremberg - Community-minded ethical hacker who loves to help out

February 13, 2018

“My whole life is circling around IT security,” Kristian Bremberg says, half-jokingly. The Community Manager of Detectify’s ethical hacking platform Detectify Crowdsource is passionate about defensive security, building communities, and helping people learn.


Got his first computer at 16

Hacking hasn’t always been part of Kristian’s life. As a child, he dreamed of becoming a cargo ship captain and crossing the Atlantic Ocean. His plans for the future changed when he got his first computer at the age of 16 and an internet connection two years later. The potential of the web instantly sparked Kristian’s interest. “The concept of search engines just amazed me. You can search for anything and find the answer, so in the beginning, I would just try to challenge Google day in and day out,” he explains.

It all started with games

Kristian eventually found his way to the online gaming community and started hacking games. “Funnily enough, it all started with cheating in games,” Kristian laughs. He soon moved on and started learning about security and making the internet more secure. “Maybe it’s my conscience after cheating in games, but I’ve always been on the defensive side of security, aiming to do good,” he adds.

From malware and IT forensics to web hacking

After discovering security, Kristian began to explore different areas in order to learn as much as possible. Over the last couple of years, he has worked with Tor, malware detection and IT forensics. Forensics fascinated him so much that he wrote a book on the topic for his friends: “It’s not published and it wasn’t serious or well-formatted, I did it for fun. I was really into IT forensics, it was the only thing I could think about!” However, his interest in security did not stop there and Kristian eventually found his way to web hacking and bug bounties.

The community spirit

Being part of a community and helping others learn has always been crucial in Kristian’s security journey: “I’ve done a lot of community stuff, hosting CTFs and writing guides, for example. I love being part of a community and helping people.” His active presence in the web security community is also what brought him to Detectify: he met two of the company’s founders at Sec-T, a Swedish security conference.

Kristian liked Detectify’s vision of a safer internet and started out by writing guest blogs on a range of topics such as HPKP and Tor. Considering his knack for helping others learn, it is no surprise that his articles aim to show readers how to configure security features! “I try to focus on things that help people. I’m not a big fan of just finding vulnerabilities, I’m a fan of finding solutions,” Kristian explains.

Building Detectify Crowdsource

Since joining Detectify in 2016, Kristian has been working as Community Manager at Crowdsource, Detectify’s crowdsourced security platform. He was part of the Crowdsource initiative from the very beginning and welcomed the first members to the community. “People are so curious about Crowdsource and love the innovative idea,” Kristian says. Crowdsource lets ethical hackers submit their findings, which are then built into the Detectify scanner as automated security tests. The community now has over 100 members and has become an important source of Detectify’s security tests.

A new kind of bug bounty workflow

Kristian explains that Crowdsource complements researchers’ participation in traditional bug bounty programs. Researchers can report findings on platforms like HackerOne or Bugcrowd and then submit the same vulnerability to Crowdsource, where their submission can help secure thousands of websites.

“As soon as a researcher finds something that affects an entire platform, framework, or technology, they can come to us. It fits perfectly into their workflow, challenges them, and gives their research a broader scope,” Kristian says and explains that hackers have different approaches to Crowdsource. “Some like to submit low severity vulnerabilities that generate a lot of hits, while others prefer to submit critical findings. 1000 hits at $1 per hit or 10 hits at $100 per hit will get you a $1000 payout either way, so it’s a matter of looking for what you find most interesting.”

The freedom of working remotely

Kristian lives in Skåne in the south of Sweden and works remotely, visiting Detectify HQ in Stockholm for team events and meetings. He says the freedom of working remotely suits him, although it can be challenging to get used to it: “I like remote work because Detectify is really about knowledge sharing and doing things together. I love working with my colleagues and across different teams!”

Kristian’s daily tasks involve much more than just community management: “I develop modules, that is, the submissions that Crowdsource members send in. I also do research, testing vulnerabilities to figure out how to implement them and improve existing modules.” Alongside his work with the backend team that develops the core service, he often joins sales and marketing meetings to share Crowdsource news and learn about customers’ feedback and requests.

The growing Crowdsource community

Kristian’s plans for Crowdsource are ambitious, but his passion for the community leaves no doubt that Crowdsource will continue to grow. One of his key goals is to encourage developers without extensive hacking experience to join the platform. “Developers have great insights into how their technologies and frameworks work,” Kristian explains, adding that submitting a finding to Crowdsource does not require a background in security research.

His advice to aspiring Crowdsource members is simple: “Focus on what you think websites are vulnerable to. Today, many vulnerabilities are specific to websites rather than technologies, but what we’re looking for are findings with a wide scope.”

Q&A with Kristian

iPhone or Android? iPhone! I used to hate iPhone and only used Android, I rooted them and I was such an Android geek. Now I’ve grown up and I just use my phone, I don’t play with it anymore.

Mac or PC? I have both, and a Linux! I use Windows, I use macOS, I use Linux! On a daily basis, I actually use them all.

#1 security advice? That’s a really hard question! Many people won’t agree with me, but I actually love CSP. If you get it to work, you can protect against CSRF, XSS, HTML injection and stealing CSRF tokens. There’s so much you can do with modern web browser security features. Some people prefer to focus on protecting the website, but I think that protecting the client is really important!

Favourite security issue? I would say server-side request forgery, I think that vulnerability is so interesting. When you first find it, it’s kind of serious already, but if you try to get internal data, you can pivot and get it to an RCE and you can even try an SQL injection and so on. I like that because I like vulnerabilities where you can pivot.

Favourite security resources? The netsec subreddit is the best source for IT security news in general. I also like public HackerOne reports, they’re fun to read and you always learn a lot by reading them. The WordPress vulnerability database is interesting too. Other than that, Twitter is absolutely great and it’s the best way to get news quickly!

Think Detectify Crowdsource sounds interesting? Read Kristian’s article on how to become a Crowdsource hacker, then head over to the official Crowdsource website to join the community.