Q&A: The life of a bug bounty hunter
A professional security researcher and ethical hacker tells us what makes a bounty hunter tick
Avram Marius Gabriel (aka @securityshell on Twitter) is a professional security researcher and ethical hacker.
He has contributed to the discovery and remediation of many vulnerabilities on public web platforms, and is listed on the responsible disclosure programmes of Adobe, eBay, Facebook, Google, Microsoft and Twitter. We spoke to him to find out what makes a bounty hunter tick.
Q. Is researching, finding and disclosing security vulnerabilities a full-time job for you?
A. No, I have a full-time security job and I’m very proud of it. I’m a web security consultant at RandomStorm. I always do my research in my free time, usually after work or at the weekends. I’ve had a long-term interest in security research. I enjoy it because it provides a good mental challenge for me personally and we gain experience as a company, which is beneficial for RandomStorm too. I sometimes earn money from my research through bounty schemes, which is an added bonus.
Q. How volatile and competitive is this area?
A. It can be quite competitive – there is some rivalry and pride at stake between different researchers. There are many bug hunters for whom this is their sole occupation. I know many guys who earn a lot of money via the bounty programmes. However, security researchers need to be aware that we can’t live solely on the proceeds of bounty programmes. You need a day job too.
Q. What does discovering a zero-day exploit consist of?
A. Sometimes vulnerabilities are easy to find, sometimes it takes a lot more work. It always depends on what you’re looking for. Finding a vulnerability like Cross Site Scripting (XSS) on a website and exploits for it is extremely easy and doesn’t require automatic tools; you can do it manually.
Q. How do you get your information? Does it start with a tip-off, or is it all just a matter of dredging through code looking for holes?
A. Sometimes we just get an idea and test it out, but other times we read the hacker forums to find out what our peers are researching, and which new exploits are being developed and put into the wild. This is why responsible disclosure is so important. If I were to post on a hacker forum about a vulnerability I’ve discovered on a particular website, then a whole bunch of hackers will start looking into that site and finding other vulnerabilities. It’s like trophy hunting. It’s important to give the relevant company an opportunity to tighten up any security holes before disclosing your research.
Q. What circles do you move in? White hats, black hats or both?
A. Since I find vulnerabilities and then report them to the relevant companies, without any public disclosure of what I’ve found, I class myself as a white hat. I do watch the forums and see what’s going on in my industry on both sides of the fence, but I prefer to help companies to improve their security. Many people out there can code, but not everyone can code securely. It’s interesting and challenging to discover bugs, and rewarding to be able to help organisations to address these vulnerabilities before the black hats discover them.
Q. Do you see this as a route into or an escape from the mainstream IT security business?
A. I think security research is a passion rather than a job – this is why we do it in our spare time as well as nine to five. It’s intellectually challenging and rewarding when we’re able to help make sites safer. There’s a buzz from finding a way around a security system that no-one has discovered before you, but you then have a responsibility to help fix the flaw so that it can’t be exploited. If you have an interest in coding and security, and a talent for researching and discovering vulnerabilities, then it’s a good route into mainstream IT security.