
Ivan Grigorov: “For top bug hunters, $25K per month is not a problem”



Bug Bounty programs always attract a lot of attention from hackers and security experts. After all, this is a legal way to earn good money only by searching for bugs (provided that you have solid experience and a good head on your shoulders). The other day we had the opportunity to interview bug hunter Ivan Grigorov (reactors08). He is the leader of our Bug Bounty program and is ranked 11th in the overall rating of the HackerOne platform.

How do you start looking for bugs? Can this be your only source of income? Which Bug Bounty programs should you participate in? How much do bug hunters earn? And why is searching for vulnerabilities especially worthwhile during a crisis? Read the answers to these and other questions in our interview.

How did you start looking for bugs?
I learned about a phenomenon like Bug Bounty two or three years ago, but I didn’t come across it personally before the launch of the Mail.Ru Group program. When it started, I decided it was worth a try. At that time I was very skeptical about this activity and did not expect that anyone would pay me even a dollar.

I managed to find a couple of bugs and get the first rewards for it, and soon I took second place in the program. That's when I thought that it is worth taking this matter seriously.

And in just a year and a half, you became the most productive researcher in our program, and on HackerOne you are in the top twenty. How come?

Just learning, that's all.

And how do you learn?

Mostly I read articles or presentations that describe some specific vulnerabilities. I study books and resources on this topic. I watch video reports, meetings, conferences. I study other people's reports. I am looking for information in search engines. I have a higher education, but it is not related to IT.

What types of vulnerabilities do you look for?

Mostly web, the rest is just for fun. But all this is a question of motivation. You can break the browser if you set yourself such a goal.

Do you have any permanent job?

There is no permanent job, searching for vulnerabilities is my main source of income.

Do you work alone or in a team? Which scheme is more common: team or single?

I work alone. Most often, bug hunters work alone, although teams also exist.

What does your typical day look like? How much time do you spend looking for bugs?

It all depends on whether there are invitations to new projects. If interesting invitations come one after another, or if a large project comes across with a large scope, then I can hang out from morning to night in search of vulnerabilities and not notice how time flies. But this is rare, and I usually spend about 3-5 hours a day.

Is it possible to live solely on income from the Bug Bounty?

Definitely possible, but it all depends on your knowledge in this area, the amount of time spent searching, invitations to new and interesting projects, as well as the desire to find a really cool bug. After all, you can make 10 thousand dollars on one vulnerability, or you can report, for example, clickjacking 100 times at 100 dollars each. By the way, the relevance of bug hunting during a crisis grows significantly, because most companies pay for bugs in dollars :).

How much do average bug hunters earn?

You need to understand that there is a very large variation in income. It depends on many factors, primarily on the experience of the researcher and on how much time he is willing to devote to hacking. Many people participate in Bug Bounty programs from time to time and not so much for the money, as from the interest or desire to strengthen their resume. It is clear that their income is likely to be small (especially if you take not a one-time gain, but earnings for a certain period, for example, six months or a year).

On the other hand, there are bug hunters who do it seriously and regularly. I have a friend who earns about ten thousand dollars a month. There are guys who earn fifty (for example, a story about the personal experience of one such bug hunter: My $50k Personal Challenge - Results). Not every month, but periodically it is achievable. According to some top hunters, for them 25 thousand dollars a month is not a problem.

By the way, how do you get to the top?

For this you need to send a lot of serious bugs. The rating is based not on the level of earnings, but on the cumulative criticality of the vulnerabilities found. Although this partly affects earnings: the worse the bug, the more they are usually willing to pay for it. Say, on HackerOne, dangerous vulnerabilities give a rating of about 50 points, medium ones 25, and the lowest 15. In the profile of each researcher you can see the average rating; this value is Impact.

How automated are the tools that you use?

I use the well-known Burp Suite and sqlmap. And also hands and head :).

What programs of Bug Bounty are you participating in?

I try to participate in all programs, both paid and free. Of course, paid ones are my priority, but nevertheless I pay attention to free programs. For example, I also sent vulnerability reports for those Mail.Ru Group projects for which there is no award.

How do you choose the programs you participate in?

It all depends on the current situation. If I was invited to a new private program, then the choice is obvious: as a rule, there are many more “holes” in the security of such projects, they are discovered faster and easier.

And if there have been no invitations for a long time, then I prefer large projects in which there is a greater likelihood of bugs missed by other researchers. Or I can return to a well-known project to try to rediscover some things for myself.

Could you explain to our readers what private programs are?

A private Bug Bounty is a program that is not publicly announced and to which the company invites only a limited number of bug hunters. This allows you to adjust the number of testers, choosing the most experienced and adequate ones. If the project has never conducted a search for vulnerabilities, it is advisable to start with a private version, inviting specific verified people to participate. And then, when the main bugs are caught, you can invite everyone to search for vulnerabilities.

How do you get into private programs?

As far as I know, HackerOne sends invitations at random. Of course, you first need to earn some rating on public programs, and then the invitations begin. If you are completely new, you don’t have a chance to get an invitation to a private program.

What makes HackerOne attractive as a platform? Does it have any alternatives?

At the moment I am participating in programs from HackerOne and from Bugcrowd. If you compare these two sites, for me HackerOne is more attractive.

Firstly, the reporting system itself is much more convenient: you can draw up a report nicely and then make it available to other researchers. You can attach different files to each comment in the report. On Bugcrowd, the form for sending reports is confusing, there are no nice formatting options, and you can attach files only to the report, but not to the comments.

Secondly, more large companies cooperate with HackerOne. But on the other hand, I more often receive invitations to private programs from Bugcrowd than from HackerOne. Also, Bugcrowd has a reward system for active researchers, which is very nice.

The support services at both sites are good; they will gladly answer any questions. Payments are made by both sites without any problems. Both of these resources are good for researchers and worthy of attention.

Do you use public disclosure at HackerOne?

Yes, but quite rarely. Although, I will not hide it, I read others' open reports with pleasure.

Do you have any controversial moments?

Occasionally. For example, when several bugs of the same type are counted as one and only one is paid for, closing the other reports with the argument that one fix fixed several vulnerabilities. You cannot verify that, and you have to take their word for it. There are cases when, a long time after your report, the security team tries to reproduce the bug and it has already been fixed by the developers. In such cases, it is problematic to prove anything if there was no video attached to the report.

A few months ago I had a case where the buggy functionality simply disappeared. Naturally, the security team could not reproduce the bug and closed the report. And just a couple of days ago, I noticed that this functionality was back, so I'm waiting for confirmation from the security team again.

Have there been cases when companies did not pay for the bugs you reported?

There have been several instances when I reported critical vulnerabilities, but they were related to projects not covered by the program. They fixed them and said "thank you". But there is no point in blaming anyone, because it was clear beforehand that the bugs were out of scope.

How do you feel about non-reward programs?

It depends on which company launched the program. If this is some kind of startup or non-profit organization, then I will try to devote time to them and find something valuable. If this is a company with a huge income, it seems to me at least strange that they do not offer rewards.

Although, like any other user, I would like my data to remain safe and not at risk of being intercepted by intruders. Therefore, I try to protect the users of those services that for some reason cannot pay a reward. Of course, I will not go deep into the product in order to find as many vulnerabilities as possible. But some light bugs that do not require much time from me personally, I will find and send.

Many top researchers are not such altruists and are unlikely to deal with free programs. In part, they are right. But I think that ultimately you need to think about users and make at least a small contribution to the protection of their interests.

Please tell us about the most interesting bugs in your practice.

I have quite a few interesting bugs, but perhaps I’ll tell you about the last one disclosed at HackerOne, which made about 30 thousand websites (mostly corporate) vulnerable: hackerone.com/reports/111440.

I decided to look for bugs in Zendesk. The program started a long time ago, and I carefully reviewed the contents of the main page of www.zendesk.com, analyzing the details. I was interested in a video from an unfamiliar source, fast.wistia.com.

Also on the page there was a third-party script from fast.wistia.com, which managed the video, manipulated the DOM, and loaded data about the video. Having carefully studied the behavior of this script, I noticed that I could additionally load and execute a JS file from fast.wistia.com. In this case, you can completely change the path, name and extension of the executed file. And if I managed to upload and execute my own malicious file, I would be able to execute an arbitrary script on the Zendesk side. So I began to look for this opportunity.

Having spent a lot of time, I realized that I could not upload a file to fast.wistia.com. Then I focused on requests to fast.wistia.com and noticed a JSONP request that allowed me to manipulate the response from the server. By combining this bug with the first one, it was possible to present the JSONP response as a malicious JS script. And when I did it, I began to realize that the problem affected not only Zendesk, but also a huge number of stores hosted on Shopify, a huge number of WordPress and Tumblr blogs, a lot of corporate websites, about ten other companies that had their own Bug Bounty programs, as well as Wistia itself. Almost everyone who posted videos from Wistia on their website added this vulnerable script.

First I reported this to Wistia support. After waiting a day, I wrote another letter, and after about an hour they assured me that the information had been sent to the developers. Two more days passed, and the bug still had not been fixed. Of course, two days is a short time, but not for bugs like this, because the reputation of other companies is also at stake.

It became clear to me that no one would deal with the bug (later it turned out that I was right), and I began reporting it to other companies in the hope that they would contact Wistia. I sent the report to Zendesk, but they told me that they couldn’t help with anything and would just wait for Wistia to solve this question... Shocking, and that's all... Then I sent reports to Shopify, Trello and Automattic (WordPress). The teams of these companies did not wait for Wistia and began to solve the problem on their own, including contacting Wistia through their own channels. And, oh miracle, exactly one hour after the contact with Wistia, the bug was fixed.

Are the most interesting vulnerabilities the most expensive?

No. Perhaps every researcher has bugs for which he received less than he expected, or nothing at all, but which were appreciated by other researchers. Here is one such example, by BlackFan: hackerone.com/reports/14883.

There is an opinion that Bug Bounty does not help to find really cool bugs. Do you agree with it?

I think this opinion was formed because of the large number of people who want to receive free money by sending inadequate reports. Indians are especially notorious for this (although there are very competent guys among them). And against the background of a large number of such junk reports, the teams start doubting the effectiveness of the Bug Bounty. Often programs are closed without waiting for really valuable data, or simply drowning in a huge number of reports.

What comes first for you: the interest of the bug, or money? Would you bother with a bug you know is boring but will definitely bring you some income?

I do not focus only on interesting bugs. But at the same time, I would not report just anything in pursuit of profit. I almost never bother with clickjacking and everything below it in severity. Firstly, because I’m sure I’ll run into a duplicate and only waste my time, and secondly, not all companies accept such reports.

What advice would you give to beginners?

First of all, you need to understand that the probability of quickly finding a vulnerability is inversely proportional to the time the program has been running. The best strategy is not to hang around too long in one program, but to participate in different ones.

However, when I participate in Bug Bounty programs that have been taking reports for quite a long time and the probability of finding vulnerabilities is extremely small, I try to get to know the product as well as possible, to find the functionality that others most likely spent less time on. Or I look for something difficult to understand, which is also likely to be missed by other researchers. I try not to lose sight of any little things. All this takes time, patience and perseverance.

You can start learning bug hunting as follows: review each typical security error separately, starting with simple vulnerabilities like CSRF, XSS and SQLi. Collect material separately for each of them. It is enough to type a search on YouTube, and a bunch of useful material comes up.

Many good articles are published on Habr, and there you can also find references to interesting books. For example:


It is also helpful to read other people's disclosed reports. But do not forget that learning should not stop. Technology is changing, something becomes obsolete, something new takes the place of the old, and you need to keep an eye on it.

In general, what do you think, what trends are there in the area of Bug Bounty? What awaits us in 2016?

A few years ago, Bug Bounty was rare, and now opening such programs is a trend, and we can expect that more and more companies will come to platforms such as HackerOne. Private programs will become more and more popular. Bugcrowd has a new format of private programs, Flex programs with a limited budget and prize pool. I think companies liked them, and they will gradually gain popularity.

Source: https://habr.com/ru/post/276451/

