Q&A: The life of a bug bounty hunter
Posted on 7 Dec 2012 at 15:00
A professional security researcher and ethical hacker tells us what makes a bounty hunter tick
Avram Marius Gabriel (aka @securityshell on Twitter) is a professional security researcher and ethical hacker.
He has contributed to the discovery and remediation of many vulnerabilities on public web platforms, and is listed on the responsible disclosure programmes of Adobe, eBay, Facebook, Google, Microsoft and Twitter. We spoke to him to find out what makes a bounty hunter tick.
Q. Is researching, finding and disclosing security vulnerabilities a full-time job for you?
A. No, I have a full-time security job and I’m very proud of it. I’m a web security consultant at RandomStorm. I always do my research in my free time, usually after work or at the weekends. I’ve had a long-term interest in security research. I enjoy it because it provides a good mental challenge for me personally and we gain experience as a company, which is beneficial for RandomStorm too. I sometimes earn money from my research through bounty schemes, which is an added bonus.
Q. How volatile and competitive is this area?
A. It can be quite competitive – there is some rivalry and pride at stake between different researchers. There are many bug hunters for whom this is their sole occupation. I know many guys who earn a lot of money via the bounty programmes. However, security researchers need to be aware that we can’t live solely on the proceeds of bounty programmes. You need a day job too.
Q. What does discovering a zero-day exploit consist of?
A. Sometimes vulnerabilities are easy to find, sometimes it takes a lot more work. It always depends on what you’re looking for. Finding a vulnerability like Cross Site Scripting (XSS) on a website and exploits for it is extremely easy and doesn’t require automatic tools; you can do it manually.
Q. How do you get your information? Does it start with a tip-off, or is it all just a matter of dredging through code looking for holes?
A. Sometimes we just get an idea and test it out, but other times we read the hacker forums to find out what our peers are researching, and which new exploits are being developed and put into the wild. This is why responsible disclosure is so important. If I were to post on a hacker forum about a vulnerability I’ve discovered on a particular website, then a whole bunch of hackers will start looking into that site and finding other vulnerabilities. It’s like trophy hunting. It’s important to give the relevant company an opportunity to tighten up any security holes before disclosing your research.
Q. What circles do you move in? White hats, black hats or both?
A. Since I find vulnerabilities and then report them to the relevant companies, without any public disclosure of what I’ve found, I class myself as a white hat. I do watch the forums and see what’s going on in my industry on both sides of the fence, but I prefer to help companies to improve their security. Many people out there can code, but not everyone can code securely. It’s interesting and challenging to discover bugs, and rewarding to be able to help organisations to address these vulnerabilities before the black hats discover them.
Q. Do you see this as a route into or an escape from the mainstream IT security business?
A. I think security research is a passion rather than a job – this is why we do it in our spare time as well as nine to five. It’s intellectually challenging and rewarding when we’re able to help make sites safer. There’s a buzz from finding a way around a security system that no-one has discovered before you, but you then have a responsibility to help fix the flaw so that it can’t be exploited. If you have an interest in coding and security, and a talent for researching and discovering vulnerabilities, then it’s a good route into mainstream IT security.
Author: Davey Winder