Q&A: The life of a bug bounty hunter
Posted on 7 Dec 2012 at 15:00
A professional security researcher and ethical hacker tells us what makes a bounty hunter tick
Avram Marius Gabriel (aka @securityshell on Twitter) is a professional security researcher and ethical hacker.
He has contributed to the discovery and remediation of many vulnerabilities on public web platforms, and is listed on the responsible disclosure programmes of Adobe, eBay, Facebook, Google, Microsoft and Twitter. We spoke to him to find out what makes a bounty hunter tick.
Q. Is researching, finding and disclosing security vulnerabilities a full-time job for you?
A. No, I have a full-time security job and I’m very proud of it. I’m a web security consultant at RandomStorm. I always do my research in my free time, usually after work or at the weekends. I’ve had a long-term interest in security research. I enjoy it because it provides a good mental challenge for me personally and we gain experience as a company, which is beneficial for RandomStorm too. I sometimes earn money from my research through bounty schemes, which is an added bonus.
Q. How volatile and competitive is this area?
A. It can be quite competitive – there is some rivalry and pride at stake between different researchers. There are many bug hunters for whom this is their sole occupation. I know many guys who earn a lot of money via the bounty programmes. However, security researchers need to be aware that we can’t live solely on the proceeds of bounty programmes. You need a day job too.
Q. What does discovering a zero-day exploit consist of?
A. Sometimes vulnerabilities are easy to find, sometimes it takes a lot more work. It always depends on what you’re looking for. Finding a vulnerability like Cross Site Scripting (XSS) on a website and exploits for it is extremely easy and doesn’t require automatic tools; you can do it manually.
Q. How do you get your information? Does it start with a tip-off, or is it all just a matter of dredging through code looking for holes?
A. Sometimes we just get an idea and test it out, but other times we read the hacker forums to find out what our peers are researching, and which new exploits are being developed and put into the wild. This is why responsible disclosure is so important. If I were to post on a hacker forum about a vulnerability I’ve discovered on a particular website, then a whole bunch of hackers would start looking into that site and finding other vulnerabilities. It’s like trophy hunting. It’s important to give the relevant company an opportunity to tighten up any security holes before disclosing your research.
Q. What circles do you move in? White hats, black hats or both?
A. Since I find vulnerabilities and then report them to the relevant companies, without any public disclosure of what I’ve found, I class myself as a white hat. I do watch the forums and see what’s going on in my industry on both sides of the fence, but I prefer to help companies to improve their security. Many people out there can code, but not everyone can code securely. It’s interesting and challenging to discover bugs, and rewarding to be able to help organisations to address these vulnerabilities before the black hats discover them.
Q. Do you see this as a route into or an escape from the mainstream IT security business?
A. I think security research is a passion rather than a job – this is why we do it in our spare time as well as nine to five. It’s intellectually challenging and rewarding when we’re able to help make sites safer. There’s a buzz from finding a way around a security system that no-one has discovered before you, but you then have a responsibility to help fix the flaw so that it can’t be exploited. If you have an interest in coding and security, and a talent for researching and discovering vulnerabilities, then it’s a good route into mainstream IT security.
Author: Davey Winder