When and how did you get started with ethical hacking?
The first computer, the Commodore 64, was given to me by my father when I was 8 or 9 years old. I took it apart immediately. When I was 10-12 years old, I started programming. And then I got interested in the topic of cybersecurity.
While studying at the university, I planned to leave there to do development. But one day we had a Career Day and someone said that you can officially make a living from ethical hacking. The thought then stunned me. I started participating in the Yahoo Vulnerability Finder program and became involved in ethical hacking. I have worked with companies such as Deloitte, Context Information Security and Yahoo. In them, I conducted pentests, worked as part of the Red team and did research in the field of cybersecurity.
Are there any specific technologies that interest you?
I'm not very good at web hacking. It doesn't interest me as much as source code analysis, reverse engineering, or systems analysis. Over the past two years, I have spent a lot of time learning about Continuous Development and Integration (CI/CD) platforms. I enjoy hacking when complex systems interact and at some point things can go wrong. Searching for vulnerabilities here is just as effective as using classical reverse engineering or finding bugs in native applications.
How do you decide which products to look for vulnerabilities in?
I usually target products where other bug hunters have found something. Since this occupation takes up all my working time and has to pay the mortgage, I also look at projects that offer the highest rewards for vulnerabilities found. But if I started to feel that all this is turning into a routine, I would probably do something else. Learning interesting technologies is what drives me.
Have you ever encountered problems disclosing information about vulnerabilities?
The biggest problem is slow payments, when payments take 6-9 months. Therefore, I try to participate in those ethical hacking programs that are known to pay within a reasonable time frame.
Once or twice I have been unable to prove that the bug I found is actually a bug. Perhaps I didn’t explain it well in the report, or I didn’t provide clear examples. I think there is a recurring problem here - we're not that good at explaining the error or the degree of risk it causes.
Which vulnerability that you found are you most proud of, and why?
Several years ago, at the H1-702 hackathon, I managed to find a bug that triggered code execution on GitHub. This was an area that I was going to focus on for a year or so, although the bug itself was not good enough to be proud of. I suspected for a long time that there would be a bug, and it was very pleasant to find it. For this work, I received the most money.
What are the interesting trends in hacking now, in terms of code and technology?
The most noticeable thing is the use of containers. I have researched many containerization and Kubernetes products lately. I found certain bugs in one product and then checked them against others using similar technologies. Several bugs overlapped each other. Each of them led me to new bugs, already in other products.
What advice would you give to a budding bug hunter?
Don't expect too much - finding bugs is a slow process. I have been working in this area for over 10 years, I am professionally engaged in penetration testing and still think that finding a vulnerability is difficult. The most valuable quality here is persistence. You shouldn't expect a lot of money on the first day.
Are there any other career plans for the next few years besides being completely dedicated to bug hunting?
I am making good money right now by searching for vulnerabilities. Therefore, there is simply no “next step”. But I have an idea about creating a team. I know several people who work as pentesters in companies. I would love to create a team with them, but convincing them to quit their permanent job is harder than it seemed.
Searching for vulnerabilities looks like an activity that people usually do alone. Do you think that teamwork can be effective here?
Of course, everyone would bring their own skills and experience to the benefit of the common cause. When I worked with other hackers at offline events, our real communication was the basis of everything. Even when you simply explain your ideas or begin to doubt your suggestions, it often leads you to new thoughts. You wouldn't have reached them on your own. As an introvert, I really enjoy working on my own. But not seeing people every day is hard. Therefore, I would really like to work in a team.
Do you want to tell us something else about information security?
I recently realized that the Bug Bounty industry has a small PR problem. Many people perceive it in a simplified way. They think that at some point in the protection of a popular product they find a critical error, and many people start sending reports about it at the same time. In fact, everything is more complicated.
I've seen this industry from all sides - from the platform, products and bugs. A small number of people have this experience. I hope that in the near future, Bug Bounty programs will pay more attention to traditional pentesting.
One thing I didn’t like while working was that I always had a goal. At some point, I wish the industry would get to the point where companies would encourage their full-time employees to participate in Bug Bounty programs. Everyone would benefit from this. After all, the skills that your specialists acquire in this way can be applied in the workplace.