Ivan Grigorov: “For top-level bug hunters $25K per month is not a problem”

Vulnerability programs always attract a lot of attention from hackers and security experts. After all, this is a legal way to make good money just by searching for bugs (provided you have solid experience and a good head on your shoulders). The other day we had the opportunity to interview the bug hunter Ivan (reactors08) Grigorov. He is the leader of our Bug Bounty program and holds 11th place in the overall ranking of the HackerOne platform.
How do you start looking for bugs? Can this be your only source of income? Which Bug Bounty programs should you participate in? How much do bug hunters earn? And why is vulnerability research especially worthwhile in a crisis? Read the answers to these and other questions in our interview.
How did you start looking for bugs?
I learned about a phenomenon such as Bug Bounty two or three years ago, but I did not encounter it personally before the launch of the Mail.Ru Group program. When it started, I decided it was worth a try. At that time I was very skeptical about this occupation and did not expect anyone to pay me even a dollar.
I managed to find a couple of bugs and get my first rewards for them, and soon I took second place in the program. That was when I thought it was worth taking this seriously.
And in just a year and a half, you became the most successful researcher in our program, and on HackerOne you are in the top twenty. How so?
Just study, that's all.
And how do you study?
Mostly I read articles or presentations that describe specific vulnerabilities. I study books and resources on this topic. I watch video talks, meetups, conferences. I study other people's reports. I look for information in search engines. I have a university degree, but it is not related to IT.
What types of vulnerabilities do you deal with?
Mostly the web, the rest is just for fun. But all this is a matter of motivation. You can also break the browser if you set yourself such a goal.
Do you have any kind of regular job?
I have no permanent job; searching for vulnerabilities is my main source of income.
Do you work alone or as a team? Which scheme is more common: team or single?
I work alone. Most often, bug hunters work alone, although teams do sometimes occur.
What does your typical day look like? How much time do you spend looking for bugs?
It all depends on whether there are invitations to new projects. If interesting invitations come one after another or a large project with a large scope comes along, then I can sit from morning to night searching for vulnerabilities and not notice how time flies. But this rarely happens, and usually I devote about 3-5 hours a day to it.
Is it possible to live solely on income from Bug Bounty?
It is definitely possible, but it all depends on knowledge in this area, the amount of time spent searching, invitations to new and interesting projects, as well as the desire to find a really cool bug. After all, you can make 10 thousand dollars on one vulnerability, or you can report, for example, clickjacking 100 times for 100 dollars. By the way, the relevance of bug hunting in a crisis grows significantly, because most companies pay for bugs in dollars :).
How much do bug hunters earn on average?
You need to understand that there is a very large variation in income. It depends on many factors, primarily on the experience of the researcher and on how much time he is willing to devote to hacking. Many participate in Bug Bounty programs from time to time and not so much for the sake of money, but out of interest or a desire to strengthen their resume. It is clear that their income is likely to be small (especially if you take not a one-time gain, but earnings over some period, for example, six months or a year).
On the other hand, there are bug hunters who do this seriously and regularly. I have a friend who earns about ten thousand dollars a month. There are guys who earn fifty dollars each (for example, a story about the personal experience of such a bug hunter: My $50k Personal Challenge - Results). Not every month, but periodically it is achievable. According to some top hunters, for them 25 thousand dollars a month is not a problem.
By the way, how do you get to the top?
For this you need to send a lot of serious bugs. The rating is built not on the level of earnings, but on the aggregate criticality of the vulnerabilities found. Although in part this also affects earnings: the more severe the bug, the more they are usually willing to pay for it. Say, on HackerOne, dangerous vulnerabilities give a rating of about 50 points, medium ones 25, and the lowest 15. In each researcher's profile you can see the arithmetic mean rating; this is the Impact value.
How automated are the tools you use?
I use the well-known Burp Suite and sqlmap. As well as hands and head :).
What Bug Bounty programs do you participate in?
I try to participate in all programs, both paid and unpaid. Of course, paid ones are a priority for me, but nevertheless I pay attention to unpaid programs. For example, I sent vulnerability reports for those Mail.Ru Group projects for which there is no reward.
How do you choose the programs you participate in?
It all depends on the current situation. If I was invited to a new private program, the choice is obvious: as a rule, there are much more “holes” in the security of such projects, they are detected faster and easier.
And if there were no invitations for a long time, then I would prefer large projects, in which there is a higher probability of the presence of bugs missed by other researchers. Or I can return to a well-known project to try to rediscover some things.
Could you explain to our readers what private programs are?
A private Bug Bounty is a program that is not publicly announced and to which the company invites only a limited circle of bug hunters. This allows you to adjust the number of testers, choosing the most experienced and adequate. If a project has never been tested for vulnerabilities, it is advisable to start with the private version, inviting specific trusted people to participate. And then, when the main bugs are caught, you can invite everyone to search for vulnerabilities.
How does one get into private programs?
As far as I know, HackerOne sends invitations at random. Of course, first you need to earn some rating on public programs, and then they start inviting you. If you are completely new, you have no chance of getting an invitation to a private program.
Why is HackerOne attractive as a platform? Does it have any alternatives?
At the moment I am participating in programs from HackerOne and from Bugcrowd. If you compare these two platforms, HackerOne is more attractive to me.
Firstly, the reporting system itself is much more convenient: you can format a report nicely and then make it available to other researchers. You can attach different files to each comment in the report. But on Bugcrowd the report submission form is confusing, there are no formatting options, and you can attach files only to the report, not to the comments.
Secondly, more large companies collaborate with HackerOne. On the other hand, I receive invitations to private programs more often from Bugcrowd than from HackerOne. Bugcrowd also has a reward system for active researchers, which is very nice.
Support at both platforms is good; they will gladly answer any questions. Payments are made by both platforms without any problems. Both of these resources are good for researchers and worthy of attention.
Do you use the public disclosure feature on HackerOne?
Yes, but quite rarely. Although, I will not hide, I read other people's open reports with pleasure.
Do you ever run into disputes?
Occasionally. For example, when several bugs of the same type are counted as one and paid only once, closing the rest of the reports and arguing that one fix fixed several vulnerabilities. You can't verify that; you have to take their word for it. There are times when, long after your report, the security team tries to reproduce the bug, and it has already been fixed by the developers. In such cases, proving something is problematic if there was no video attached to the report.
A few months ago, I had a case where a buggy functionality simply disappeared. Naturally, the security team was unable to reproduce the bug and closed the report. And just a couple of days ago, I noticed that this functionality was back, so I'm waiting for confirmation from the security team again.
Were there times when companies did not pay for the bugs that you reported?
There were several cases when I sent critical vulnerabilities, but they related to projects not covered by the program. They were fixed, and I was told "thank you". But there is no point in blaming anyone, because it was clear in advance that the bugs were out of scope.
How do you feel about programs that do not pay remuneration?
Depends on which company launched the program. If this is some kind of startup or non-profit organization, then I will try to give them time and find something valuable.
If this is a company with a huge income, it seems strange to me, to say the least, that they do not offer a reward.
Still, like any other user, I would like my data to remain safe and not be at risk of being intercepted by cybercriminals. Therefore, I try to protect users of those services that for some reason cannot pay a reward. Of course, I will not dig deeply into the product to find as many vulnerabilities as possible. But some bugs that are easy for me personally, which do not require much time, I will find and send.
Many top researchers are not such altruists and are unlikely to deal with unpaid programs. Partly they are right. But I believe that ultimately you need to think about users and make at least a small contribution to protecting their interests.
Please tell us about the most interesting bugs in your practice.
I have quite a few interesting bugs, but perhaps I'll tell you about the last one that was disclosed on HackerOne, which made about 30 thousand websites (mainly corporate) vulnerable: hackerone.com/reports/111440.
I decided to look for bugs in Zendesk. The program had been running for a long time, and I carefully looked through the contents of the main page www.zendesk.com, analyzing the details. I was interested in a video from fast.wistia.com, a source unknown to me at that time.
Also on the page there was a third-party script from fast.wistia.com, which controlled the video, manipulated the DOM and loaded data about the video. Having carefully studied how this script works, I noticed that I could additionally load and execute a JS file from fast.wistia.com. Moreover, the path, name and extension of the executed file could be changed completely. And if I managed to upload and execute my malicious file, then I could execute an arbitrary script on the Zendesk side. So I began to look for such an opportunity.
Having spent a lot of time, I realized that I could not upload a file to fast.wistia.com itself. Then I focused on requests to fast.wistia.com and noticed a JSONP request that allowed me to manipulate the response from the server. By combining this bug with the first one, it was possible to present the JSONP response as a malicious JS script. And when I did it, I began to realize that the problem affected not only Zendesk, but also a huge number of stores hosted on Shopify, a huge number of WordPress and Tumblr blogs, many corporate websites, about ten other companies that had their own Bug Bounty programs, as well as Wistia itself. Almost everyone who embedded videos from Wistia on their website had added this vulnerable script.
The first thing I did was write to Wistia support. After waiting a day, I wrote another letter, and after about an hour I was assured that the information had been sent to the developers. Another two days passed, and the bug had still not been fixed. Of course, two days is a short time, but not for such bugs, because the reputation of other companies is also at stake.
It became clear to me that no one would deal with the bug (later it turned out that I was right), and I began to report this to other companies in the hope that they would contact Wistia. I sent a report to Zendesk, but they answered that they could not help and would just wait until Wistia resolved this issue... Shock, and nothing more... Then I sent reports to Shopify, Trello and Automattic (WordPress). The teams of these companies did not wait for Wistia and began to solve the problem independently, including contacting Wistia through their channels. And, lo and behold, exactly one hour after they contacted Wistia, the bug was fixed.
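The Wistia story above chains two weaknesses: an embed script that fetched and executed further JavaScript from a path the caller could shape, and a JSONP endpoint whose response could be turned into a script of the requester's choosing. The following is an added example (not code from the interview, from Wistia or from Zendesk) that puts each weak pattern beside a defensive counterpart; the hostname, the ALLOWED_MODULES table, the callback names and the sample data are all constructed for illustration.

```javascript
// Added example, not from the interview, Wistia or Zendesk. It shows the two
// weaknesses the story combines, each beside a hardened version:
//  1. an embed script that builds a script URL from a caller-supplied path, and
//  2. a JSONP endpoint that copies the callback parameter into its response.
// The hostname, module table and sample data below are constructed.

// --- 1. Loading additional script from a path the caller chooses ---

// Unsafe: whatever path, name and extension the caller supplies is fetched
// and executed in the embedding page's origin.
function unsafeScriptUrl(relativePath) {
  return 'https://cdn.example.test/' + relativePath;
}

// Hardened: accept only a short module name and map it through an allowlist.
// Unknown names resolve to null, so nothing is loaded.
const ALLOWED_MODULES = {
  player: 'https://cdn.example.test/assets/player.js',
  captions: 'https://cdn.example.test/assets/captions.js',
};
function safeScriptUrl(moduleName) {
  // hasOwnProperty guards against inherited names such as "constructor".
  return Object.prototype.hasOwnProperty.call(ALLOWED_MODULES, moduleName)
    ? ALLOWED_MODULES[moduleName]
    : null;
}

// --- 2. Building a JSONP response ---

// Unsafe: the callback parameter is copied into the script body unchecked,
// so any text the requester supplies becomes part of an executable response.
function buildJsonpUnsafe(callback, data) {
  return `${callback}(${JSON.stringify(data)});`;
}

// Hardened: the callback must be a plain (optionally dotted) JavaScript
// identifier, the JSON payload is escaped for a script context, and headers
// stop browsers from treating the response as anything but script.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LEN = 64;

function isSafeCallbackName(name) {
  return typeof name === 'string'
    && name.length <= MAX_CALLBACK_LEN
    && CALLBACK_RE.test(name);
}

function buildJsonpHardened(callback, data) {
  if (!isSafeCallbackName(callback)) {
    // Refuse rather than "clean up": a sanitized callback is still requester-chosen text.
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  // U+2028/U+2029 are line terminators in JavaScript but legal in JSON strings;
  // '<' is escaped so the payload can never close or open an HTML tag.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/</g, '\\u003c');
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    // The leading comment keeps the first bytes of the response fixed, so the
    // body cannot start with requester-chosen bytes (the Rosetta Flash issue).
    body: `/**/ ${callback}(${json});`,
  };
}

// Constructed demonstration: a callback that is not an identifier is embedded
// verbatim by the unsafe builder and rejected by the hardened one.
const sample = { id: 1, title: 'Intro <video>' };
console.log(buildJsonpUnsafe('injected();legit', sample));
console.log(buildJsonpHardened('injected();legit', sample).status);   // 400
console.log(buildJsonpHardened('wistiaEmbed.onData', sample).body);
console.log(safeScriptUrl('player'), safeScriptUrl('some/other/path.js')); // URL, null
```

The two fixes address the two halves of the chain independently: even if the JSONP endpoint were left as-is, an allowlisted loader would not execute it, and even if the loader stayed path-based, a validated callback would not let the JSONP response carry arbitrary statements. Doing both is what removes the risk for every site that embeds the third-party script.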
Are the most interesting vulnerabilities necessarily the most expensive?
No. Perhaps each researcher has bugs for which he received less than expected, or nothing at all, but which other researchers appreciated. Here is one such example from BlackFan: hackerone.com/reports/14883.
There is an opinion that vulnerability search programs do not help to find really cool bugs. Do you agree with it?
I think this opinion was formed due to the large number of people who want to get free money by sending inadequate reports. The Indians are especially famous for this (although among them there are very competent guys). And against the background of a large number of such junk reports, teams begin to think about the effectiveness of Bug Bounty. Often, programs are closed, without waiting for really valuable data or simply drowning in a huge number of reports.
What comes first for you, how interesting a bug is or the money? Would you bother with a deliberately boring bug that will definitely bring you some income?
I do not focus only on interesting bugs. But at the same time, I would not report just anything in pursuit of profit. I almost never report clickjacking or anything below it in terms of criticality. Firstly, because I will surely run into a duplicate and just waste my time, and secondly, not all companies accept such reports.
What advice would you give to novice bug hunters?
First of all, you need to understand that the probability of quickly finding a vulnerability is inversely proportional to the time the program has been running. The best strategy is not to stay too long in one program, but to participate in different ones.
Nevertheless, when I participate in Bug Bounty programs that have been taking reports for quite some time and the probability of finding a vulnerability is extremely low, I try to get to know the product as well as possible and find the functionality on which others most likely spent less time. Or I look for something difficult to understand, which is also most likely to be missed by other researchers. I try not to lose sight of any little things. All this takes time, patience and perseverance.
You can start learning bug hunting by reviewing each typical security flaw separately, starting with simple vulnerabilities like CSRF, XSS and SQLi. Collect material separately for each of them. It's enough to type them into a YouTube search, and a bunch of useful things will come up.
Many good articles are published on Habré, and there you can find references to interesting books. For instance:
- Must-read books for 2014 on information security and programming
- Books on information security. Get closer to IB
- Books about cybersecurity: 5+ recommendations from our experts
It is also useful to read other people's disclosed reports. But do not forget that learning should not stop. Technologies are changing, some things become obsolete, new things replace old ones, and you need to keep up with this.
Generally speaking, what do you think the trends in the Bug Bounty area are now? What awaits us in 2016?
A few years ago, Bug Bounty was a rarity, and now opening such programs is a trend, and we can expect that more companies will come to platforms such as HackerOne. Private programs will become more and more in demand. Bugcrowd has a new format for private programs, Flex programs with a limited budget and prize money. It seems to me that companies liked them and they will gradually gain popularity.