Q&A: The life of a bug bounty hunter
Posted on 7 Dec 2012 at 15:00
A professional security researcher and ethical hacker tells us what makes a bounty hunter tick
Avram Marius Gabriel (aka @securityshell on Twitter) is a professional security researcher and ethical hacker.
He has contributed to the discovery and remediation of many vulnerabilities on public web platforms, and is listed on the responsible disclosure programmes of Adobe, eBay, Facebook, Google, Microsoft and Twitter. We spoke to him to find out what makes a bounty hunter tick.
Q. Is researching, finding and disclosing security vulnerabilities a full-time job for you?
A. No, I have a full-time security job and I’m very proud of it. I’m a web security consultant at RandomStorm. I always do my research in my free time, usually after work or at the weekends. I’ve had a long-term interest in security research. I enjoy it because it provides a good mental challenge for me personally and we gain experience as a company, which is beneficial for RandomStorm too. I sometimes earn money from my research through bounty schemes, which is an added bonus.
Q. How volatile and competitive is this area?
A. It can be quite competitive – there is some rivalry and pride at stake between different researchers. There are many bug hunters for whom this is their sole occupation. I know many guys who earn a lot of money via the bounty programmes. However, security researchers need to be aware that we can’t live solely on the proceeds of bounty programmes. You need a day job too.
Q. What does discovering a zero-day exploit consist of?
A. Sometimes vulnerabilities are easy to find, sometimes it takes a lot more work. It always depends on what you’re looking for. Finding a vulnerability like Cross Site Scripting (XSS) on a website and exploits for it is extremely easy and doesn’t require automatic tools; you can do it manually.
Q. How do you get your information? Does it start with a tip-off, or is it all just a matter of dredging through code looking for holes?
A. Sometimes we just get an idea and test it out, but other times we read the hacker forums to find out what our peers are researching, and which new exploits are being developed and put into the wild. This is why responsible disclosure is so important. If I were to post on a hacker forum about a vulnerability I’ve discovered on a particular website, then a whole bunch of hackers will start looking into that site and finding other vulnerabilities. It’s like trophy hunting. It’s important to give the relevant company an opportunity to tighten up any security holes before disclosing your research.
Q. What circles do you move in? White hats, black hats or both?
A. Since I find vulnerabilities and then report them to the relevant companies, without any public disclosure of what I’ve found, I class myself as a white hat. I do watch the forums and see what’s going on in my industry on both sides of the fence, but I prefer to help companies to improve their security. Many people out there can code, but not everyone can code securely. It’s interesting and challenging to discover bugs, and rewarding to be able to help organisations to address these vulnerabilities before the black hats discover them.
Q. Do you see this as a route into or an escape from the mainstream IT security business?
A. I think security research is a passion rather than a job – this is why we do it in our spare time as well as nine to five. It’s intellectually challenging and rewarding when we’re able to help make sites safer. There’s a buzz from finding a way around a security system that no-one has discovered before you, but you then have a responsibility to help fix the flaw so that it can’t be exploited. If you have an interest in coding and security, and a talent for researching and discovering vulnerabilities, then it’s a good route into mainstream IT security.
Author: Davey Winder