You could, of course, sell your skillz to the dark web. Or you could legitimately report what you find and get paid to do so. You might even travel the world.
In this episode of The Hacker Mind, I return to Episode 7 with Tim Becker, Episode 9 with Stok, and Episode 22 with Jack Cable to get their perspective on leveraging 1337 skillz while getting paid by various bug bounty programs.
Vamosi: I'm going to start off a bit differently, as I am considering different formats for this show. The general topic of how to get started in InfoSec, that's a given. It's a through line through all 56 episodes of The Hacker Mind thus far. I mean, it's not clear how you get a job, or even experience for that matter. Me, I sort of fell into this when I had my first day at ZDNet, and my editor turned to me and said, "What do you know about computer viruses?" And the rest, as they say, is history. As a reporter, I was in a position to learn as I wrote about information security. But what if you're on your own? What if you live in a remote area? In the last episode I talked about capture the flag as a point of entry into the field. In this episode, I want to talk about another way to get experience in InfoSec: bug bounties. This is where you get paid to find bugs in a given project. And, as you'll hear, in some cases they'll even fly you around the world to learn how to hack. I hope you'll stick around.
Vamosi: Welcome to The Hacker Mind, the original podcast from ForAllSecure. It's about challenging our expectations about the people who hack for a living. I'm Robert Vamosi. And in this Hacker Mind episode, I'm going to be giving some practical insight around the world of bug bounties through the eyes of various hackers I have previously interviewed on the show. Bug bounties are a way to learn vulnerability hunting and get paid while you do it.
Vamosi: Bug bounties. It's basically hacking for money: you find a vulnerability, and if the company validates it, they give you a bounty. And while there are some people out there earning up to a million dollars doing this, there are advantages to just participating in the challenge. One of the best ways to build a resume before you get that opportunity to get hired is to participate in a bug bounty program. And if you want to be an application pen tester one day, your future employer might want to see some bug bounty work on your resume before they consider hiring you. In Episode 9 I talked with Stok, who now works full time for TruSeq. But at the time of the interview, he was still contracting. He still runs a popular YouTube channel where he talks about the world and culture of bug bounty. Here's the crazy thing: prior to 2017, prior to attending DEF CON 25, Stok had never tried his hand at bug bounty.
Stok: Yeah, no, I never heard about bounties before, but I didn't really understand it. Then you heard about these super cool hackers like Franz Rosen that hack Netflix, or got flown into Vegas to poke at, let's say, Snapchat or something. I don't know what kind of target they poked. But that was useful for me. Wow, super cool hackers that get to break into stuff. I want to do that. And it was all cloak and dagger for me at that time. I had no idea. It just looked mysterious. Like, these guys poke at websites, break them down and get paid a lot of money. I want to do that.
Vamosi: Something else happened to Stok at DEF CON that year. He began to make connections with some of the leaders in the bug bounty community that existed at the time.
Stok: I went to DEF CON that summer for hacker summer camp and got invited, or more or less kind of social engineered myself into, a HackerOne live hacking event. It used to be at the bar. And I saw these amazing hackers there that were sitting at their MacBooks and hacking away, breaking this kind of software at the target they were hacking, and I was so amazed that you're allowed to do that without getting, you know, legal issues with that. Like, you can learn how to do this? Can you actually throw anything you want at it, and there will be no reprimand, there will be no consequences? Like, yeah, and we get paid a massive amount of money for it. Like, oh my god, this is too freakin' amazing. How can I do this? And then after that I invested almost all my waking hours into learning web application pen testing, because coming from the infrastructure side, I never really poked at web apps. I still can't code for shit, to be honest. I know PowerShell, but you're not building any web apps with PowerShell, are you? So for me that was kind of the whole journey. And I've been doing it, I wouldn't say daily, but almost, since that day, poking at something, and it's really, really fun. And also coming from those days where if you accidentally poked at something, it would be like a straight go-to-jail card, or it would be a really problematic thing where people think that hackers equal criminals, which is not true at all. Hackers are extremely curious people with a big skill set, and you can decide to be good or bad. I used to love it and I've been doing it ever since.
Vamosi: Okay, so you don't have to go to hacker summer camp to get started in bug bounty hunting. Consider Jack Cable from Episode 22. At a very early age, growing up on the north side of Chicago, all on his own, Jack discovered a security flaw in a cryptocurrency app, a flaw that opened the door to the world of bug bounties.
Cable: This was when I was in high school as a sophomore, working on building an integration for a cryptocurrency website. I don't want to let people think it was anything fancy; it was a Chrome extension that would let you pay money to other people, like natively through Twitter. Obviously, it's working with their API, and I noticed that, first of all, I could send $0 or zero Bitcoin to someone, and that was weird, right? Because it's not really doing anything. And then I tried sending, like, negative one dollar in Bitcoin. And to my surprise, what actually happened was, instead of sending money to them, it would take money from their account, so I could effectively steal money from anyone's account. And what was really fortunate was that they had a bug bounty program. So I was able to actually work with them to get it fixed, had a really positive response, got paid for it, which was nice. And that was my introduction to the world of security.
Vamosi: But then there's Tim Becker from Episode 7. He encountered bug bounties through professional bounty services online.
Becker: There's a website called HackerOne which basically organizes bug bounties for a bunch of different software vendors. And they have a very wide selection of targets there. And so a lot of people I know, myself included, actually got started in bug bounties by looking for bugs in some HackerOne-related vendors. So even things like looking for bugs in, like, the Python interpreter or, you know, some web servers of some sort. There's plenty of bounties to get started on.
Vamosi: Okay, so by now you're probably wondering, what's the difference between being hired as a pen tester and being hired as a bug bounty hunter? Both individuals are brought in by companies wanting to harden their systems, but there are some differences.
Stok: The big difference between bug bounties and pen testing particularly is that you always do a lot of pen testing before you do bug bounties. So pen testing is a methodology and rule-set based testing, which means that you check the boxes. You make sure that, it's like building a house, right? If you want to build a new house, you want to make sure that the power wiring is up to code. So somebody needs to do the work. The electrician has done the work, but then the certification guy checks that everything is cool. He's kind of the pen tester. He checks all the boxes, makes sure that everything's safe, nothing is leaking out. Bounties, on the other hand, is when all this pen testing and hardening has been done. And then bounties begin, because you don't get the wiring report that shows how the wires are being pulled through the house. You have to guess, like, I wonder how they did the wiring on this house. And you need to start to map out things in a very different way. As a pen tester, you need to be an extremely good generalist. You need to know a little bit about a lot of stuff. In bounties, you can be a super specialist in a very niche field and be, like, very much researching a certain area. And because you don't need to write a coverage report, you can focus on one thing. I would say that is kind of the biggest difference.
Vamosi: Stok is quick to point out that bug bounty hunting is not for everyone. With pen testing, it's kind of a white box experience. You have visibility and some access to what you're testing. With pen testing, everything is scoped out and agreed to in advance, so you have some idea where you're going. With bug bounties, you have no idea how this relates to that. And for some people, not having that visibility, having to poke around in the abyss, that's just not suitable for them.
Stok: The black box situation when it comes to bounties is almost ridiculous, but it's also, that is for me, extremely rewarding. I've got this hobby where I like to put together puzzles. So let's buy a box of puzzles. And if we compare this to bounties, that would be if I bought a box, but it didn't have any picture on the top of the box. It said that it might just contain a certain amount of pieces in it, and all the pieces are blank. So you need to start to sort up the pieces by their shapes. You need to try to figure out what's going on here and do all that stuff. You can't ask anyone, you can't find any reference. You need to do the research. So maybe you will start to look at, oh, this manufacturer of puzzles seems to do it almost the same every time, because they have this framework that they use, with tools stamped down, and it looks the same. So you start to look at the patterns, how the puzzle is built up, and try to figure things out. It's fully black box. Everything is very blind. And you need to rely on a time-based attack framework. You need to approach it as if you're, you need to try to figure things out on the way, and I really enjoy that. It's a very challenging target, usually.
Vamosi: So success with bug bounties depends a little bit on your own personal background.
Stok: And this is, I had a bit of an infrastructure background, so I realized that I knew how things communicated. So race conditions, which is a very logical bug, is something that I focused primarily on, because I figured that it was a fairly untested area. It wasn't on the OWASP Top 10, and it makes it really, really hard to test for. But if you want to dedicate time to it, and you're able to make it work in your way, it can have dire consequences for the company, because you can more or less form money or fiddle around with transactions, and it's also very time based. And, yeah, so I chose that bug class. Like, I was going to do one bug class, and then I'm going to find a bug on that. And once I'm done with that, I'm just going to keep on to the next target and the next target until I feel comfortable enough with the technique that I have to change to another bug class. Learn as much as possible on that one and then move on again. I would say primarily two and a half years, and I still don't do XSS that well, because I never look for XSS.
Vamosi: So it seems like a lot of these early bug bounty vulnerabilities aren't on the level of Heartbleed. They're low-hanging fruit. And often that fruit can be found right there in your web browser.
Becker: I wouldn't say browsers are my favorite, necessarily, but they're the most high impact currently, and they have the highest bounty rewards. It varies depending on, you know, how difficult things are at the given time, basically. But at the current time, browsers, if an attacker was trying to actually write a full chain exploit...
Vamosi: An exploit chain is an attack that involves multiple exploits or attacks. Hackers will usually not just use one method; they'll use several, chaining them together.
Becker: And in particular, sandbox escape tends to be the bottleneck. And so the bounties kind of correspond to that relative difficulty, and currently browsers are the bottleneck, in most cases.
Vamosi: Others approach finding vulnerabilities differently, by concentrating on standard vulnerabilities first.
Cable: When I started doing this, I of course knew very little about a lot of it, but I was just looking at the standard vulnerabilities out there: cross-site scripting, direct object references, all of that. One of the interesting ones that caught my eye early on was when I read this post about someone who was at Starbucks. They found a way that they could exploit a race condition to redeem a gift card multiple times. And in doing so they could get, I think it was, kind of an infinite balance with Starbucks. So I saw that, and that was really crazy to me, because it wasn't something that was immediately apparent. You'd have to do something kind of intricate to test for that.
Vamosi: But let's be clear. Pen testing can be conducted within two weeks: one week hands-on and one week report writing. Bug bounties, they're much more open.
Stok: It took me, from the day I started to when I found my first bug, maybe like two months. But I had no prior experience in using tools like Burp, or actually any web stuff. So what I did is that I just turned Burp on and then did my normal kind of browsing through any kind of website that I stumbled upon, the way that I always do it, and I looked at the traffic almost like you're looking at the Matrix for the first time. You see that movie, and all these green characters are just falling down. You have no idea what's going on. But these guys sit there, they're like, ah, yeah, I know what that is. That's like totally different parts of this planet or another dimension. And you're like, whoa, those guys know what they're doing. But after a while, I got that sense, too. Because you see these POSTs and these GET requests going back and forth, and server responses, and the way things just communicate with each other. So I trained my mind in understanding how web traffic flowed, and how communication with third parties was, and what kind of flows there were inside web applications.
Cable: Most of what I did was just looking at different bug bounty programs across the board, seeing what I could find. Of course, I started from a position of, like, knowing some web development. I'd maybe, like, read about SQL injection, whatnot, but I'd never actually seen that in practice. So a lot of it was just kind of figuring out the landscape, looking at different people's blogs, tutorials about what they'd found, and then going out and trying that out against different companies with online programs. So in that way, I think they were a really effective way for me to, like, learn in the real world: here's what companies actually care about, here's what they'll actually pay for, which was nice.
Vamosi: So you found a vulnerability. Where should you report that vulnerability? There are many different types of bug bounty programs.
Cable: So that one in particular, I've seen a lot more race conditions.
Vamosi: A race condition is when a device or system attempts to perform two or more operations at the same time, but because of the nature of the device or system, the operations must be done in a particular sequence in order to be done correctly.
Cable: Because, like, with that, for instance, you can spend your balance twice and then kind of keep doing that back and forth to get infinite balance. I've seen less of the negative amount, just because in some ways it is so trivial that you would think everyone would hopefully think about, like, you shouldn't be able to send negative one dollars to somewhere else. But of course software is complex, and these bugs do happen. So while I've seen it less, I certainly wouldn't rule it out anywhere. So I think if you were to try it on PayPal right now, I thought of that. But I started looking at that particularly for cryptocurrency companies that had bug bounties, because of course the impact of a race condition for cryptocurrency is potentially being able to steal all the money held by, say, that exchange. And I ended up finding a couple really severe vulnerabilities that, had I exploited them, I think in one case, like, the wallet had maybe $100,000 I could have just withdrawn right there, and then if I wanted to. They paid me a fraction of that in bug bounties. But the important part was just knowing that I could have done that, and that now that's patched up, so no one can exploit that.
Vamosi: Knowing about race conditions helped Stok with his bug bounties.
Stok: The first bug bounty I got was a race condition. And it was in something called a VDP program, vulnerability disclosure program. So it means that they don't pay any awards. And it's also the only bounty that I ever submitted that I never got paid for, because I just didn't know better, I guess.
Vamosi: Jack also applied his bug bounty knowledge to his cryptocurrency research as well.
Cable: So the one I actually started on, and this was the one that hosted this cryptocurrency company, was a platform called cobalt.io. I think they've pivoted, they pivoted years ago, more to kind of doing, like, crowdsourced pen testing for some of the bug bounties. But at the time, they had these open bug bounty programs that anyone could participate in. Most of them happened to be cryptocurrency companies, which was a lot of where I started out. So I did that, but kind of as HackerOne began to have more programs on there, I started doing that. And I think it's kind of interesting how each of the bug bounty platforms has this incentive structure in place to keep you hacking on their platform. Like, I just as well started out doing some public programs, level up there, and start getting more invitations to private programs. But I think that there definitely are strong incentives to, like, once you've done reasonably well on one platform, to keep focusing on that, because you get access to more private programs. I've done a bunch of live hacking events, at least pre-COVID, which are a really great experience. And you get backed by, kind of, in a way, staying loyal to a platform.
Vamosi: Individual companies can sponsor their own, such as Apple having an invite-only bug bounty, in which they can offer up to a million dollars for a specific type of bug, while Google and Intel have more open bounty programs. Then there are the aggregators, ones like Bugcrowd or HackerOne. They work with different, and sometimes smaller, companies and independent hackers, handling all the back end as necessary. They pay, and they often pay very well. And they have two tiers: one that is open for everyone, and one you have to be invited to, like Stok.
Stok: I joined HackerOne. And usually what happens when you join this platform is that you get an amount of different customers that you have a possibility to, let's say, hack or research stuff on. Those are called, like, the open programs, the ones that are available for anyone that signs up. That can be pretty daunting, because they are well-tested grounds. They're very big. And so I was lucky enough to get, after a while, I got a private invite to a program that I started to test on. I guess I was lucky enough to find a couple of really cool bugs, like bugs that really put me on the map as a researcher, like, whoa, this guy knows what he's doing. He doesn't have that high reputation, but he's good at reproducing results. So I got invited to a live hacking event in Amsterdam, because we're in Europe. I was flown there. The target was Dropbox at the time, and I was nervous, but I got there and I met all these other amazing hackers, and I did terrible. I did so bad at that event that I didn't really know what to say. I sent in a couple of really crappy bugs. But then again, I got a network of cool people to talk to and created a lot of new friends, and realized, like, this is finally the place where I totally belong. And I said to myself, they aren't going to do anything; I can't get invited to another one. So after that event, when I got home, every week I kind of more or less focused on learning more techniques or practicing my skills. And eventually I was lucky enough to get invited to Vegas for H1-702, which is HackerOne's flagship event. And once I was there, I submitted a couple of really nice crits, and I got some amazing awards during that. I can't disclose the targets. But it was a big, big time for me, a big thing to be there with all these amazing hackers, and to see that I could prove myself to deliver results under high pressure. And I've been doing that ever since.
Vamosi: Ultimately, Jack also settled on HackerOne. Again, not an endorsement; just these two researchers happened to land there. HackerOne has elevated bug bounties to live events, spectacles, if you will. They actually fly people such as Jack and Stok around the country and around the world to HackerOne live events. They've even invited Jack, in this case, to the Pentagon.
Cable: Yeah, so that's kind of a fun story, in that it's something I, again, never thought I would have gotten into. This was shortly after I'd started bug bounties. So I started that maybe when I was 15, and then maybe six months later, when I turned 16, I got an email from HackerOne. I think the subject was, "What if I told you the Pentagon wanted you to hack it?" And this was the first Hack the Pentagon program. So I was invited to participate in that. Since I was just starting out, I didn't know much. I found maybe two things, both of which other people had already found. So I didn't get paid for those, but still got acknowledged, and got to see just how cool this was, that, like, I was one of the first people being invited to actually hack into the Department of Defense's networks, and people were getting paid for it.
Vamosi: So for Jack, flying across the country, that was a special hack. Hack the Pentagon was the first bug bounty in the history of the US federal government. It was spearheaded by the Defense Digital Service, DDS, a DoD team charged with bringing private sector talent and best practices to transform the way the department approaches its own technology.
Cable: Someone from HackerOne had posted that they were looking for people who had participated in the Pentagon program to fly out to their San Francisco office to meet with people from the DoD before the launch of Hack the Air Force. So I took them up on that. They flew me out to San Francisco when I was 16 years old. My parents just gave me the blessing to send me off. And there I met the Defense Digital Service for the first time. And just really, until that point I'd never seen myself doing work for the government, at the same time just this bureaucracy that you can't really improve; it's just always going to be mediocre. But I saw what they were doing. I saw that they were actually taking these practices that kicked off in industry, bug bounties, engaging hackers who can do a much better job of identifying where flaws were. So that really stuck with me. And after that I did the Hack the Air Force competition, where I ended up placing first in finding around 30 bugs, which eventually led me to working for defense to build circuits out of high school.
Vamosi: So how then is a bug bounty event different from just another CTF?
Stok: It's usually structured this way. So it's either HackerOne or these Bugcrowd or integrative that have these live hacking events, usually those players, but HackerOne particularly works like this, normally. So there's a vetting process where you get selected to be a part of the hackers that are going to be able to hack on that live event, and it's everything from, I don't know, 20 to 100 people, depending on how big the event is, like the flagship events in Vegas. A lot of people get invited to some of the smaller groups. So if you make the cut and get invited, there's a two-week preparation from the day that the scope is getting released. Normally, that's how it works. In the beginning, you would get the scope on the same day, but hey, that doesn't work. Like, you can't take 30 people in and expect they found magic stuff in eight hours. So everybody needs at least two weeks to prepare. So what they do is that they have a call, and they release the scope, and they explain what they're interested in finding. You can ask questions and talk to the program. And then it just kicks off. All hands in, and usually what I do is just eat, sleep and function on that target for two weeks until it's time to travel to the location. At the location, then you have a tiny, small window of two or three hours where you get to send all your reports in. Once the reports are in, what is defined is the dupe window closes. So if you find the same vulnerability as somebody else after that period, you won't get paid anything, because they don't have time to fix it. Like, it's just bugs coming in. And then you hack for about eight hours, and after that there's a break, and there's an open bar, and then there's a show and tell, where the best bugs get reported, or some of the bugs that are creative and fun are getting shared with that group that are there. And then it's the party, and it's all over.
Vamosi: For others, finding and reporting bugs happens the right way.
Becker: Typically with bug bounties, they prefer that you report right away if you can. So if the bug is currently affecting users, it's probably best to report right away, and typically the bounty vendors, I know that's true for Google in particular, will give you some time to finish writing an exploit for it, if they want to offer you extra for proving that it's exploitable. So if you're reporting a bug like this, to at least Google Chrome, but probably other vendors, if you report the bug immediately and then take some time to write the exploit, you can still get the full reward for the exploit.
Vamosi: So there are strategies for successful bug bounties. For example, you're given some scope. Slack, for example, doesn't just let you comb over all of their code. You have a section of that code to review. So to be successful, you come in focusing, say, on race conditions. And if so, is that then a sustainable model for you, the hacker, to continue? I mean, there are million-dollar bug bounty people out there. But what's it like for the rest of us?
Becker: I've certainly heard of examples of people that find basically a nice methodology for finding similar types of bugs in all kinds of different products. And, like, for instance, on HackerOne there are public scoreboards of how much money certain users have made. And there are certainly people who have made in the millions of dollars from bug bounties. But I would also say that, in my personal opinion, bug bounties aren't compensating well enough to make bounty hunting, like, a stable career for a lot of people, which I think it should be able to do. I think the security of software would benefit greatly if bounties were a little higher and more people could pursue this as a full-time career.
Vamosi: Of course, there are legitimate ways to report your vulnerabilities, which we just discussed. But there are also illegitimate ways as well. The alternative to a bug bounty program: it's the dark markets, the dark web, where exploits have prices as well.
Becker: I would say that there are sort of, like, private market prices to these different vulnerabilities, where if you aren't responsibly disclosing them, and rather you're selling them for profit to some sort of exploit broker or something. There are publicly known prices for the different types of vulnerabilities and the target software that they're in. So you can kind of get a sense of how difficult or important different classes are based on those private market prices. And typically, Google Chrome and Android bugs are the highest value currently. And I would say that that indicates that those are kind of the hardest targets at the moment. But it varies with time. Sometimes iOS full chains are higher value.
Vamosi: So fortunately, Tim works at a company that builds in time for him to do the legitimate type of hacking.
Becker: It's technically part of my job, in theory. Basically, when we have time in between contracts, we're doing vulnerability research on major software and collecting bug bounties and stuff. Probably my most interesting targets would be, like, operating system kernels. And I definitely have fun doing it. So I would likely be doing it either way. But so, yeah, I would say the bounties are just a nice addition.
Vamosi: That said, not everything is perfect. At least not yet.
Becker: I think having a bounty program at all is great, and certainly a step in the right direction. Because, I mean, it is just that it has a proven track record of improving the security of the software. But I would argue that it could be improved much more if the incentives were a little higher for people to devote the time to acquire the general bug hunting skills, but also the domain-specific skills for that specific software, which takes a lot of time on its own. And if it was rewarded a little better, you could have more experts on that specific software that are finding vulnerabilities and reporting them.
Vamosi: Okay, I want to thank Stok, Tim Becker, and of course Jack Cable for sharing their experiences on the world of bug bounties. Hey, I'm thinking of shaking things up a bit at The Hacker Mind. DM me on Twitter at Robert Vamosi and tell me what you like and what you don't like for The Hacker Mind. I will always be Robert Vamosi.