To kick off Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to introduce one of the top performing security researchers participating in the GitHub Security Bug Bounty program: @imrerad!
Home to over 100 million developers and 420 million repositories, GitHub is committed to ensuring the security and reliability of the code that powers day-to-day development activities. The GitHub Bug Bounty Program continues to play a critical role in improving the security of the software ecosystem and enabling developers to create and build securely on our platform and with our products. We firmly believe that the foundation of a successful bug bounty program lies in collaboration with experienced security researchers.
As we celebrate 10 years of the program, we are proud of what the GitHub Security Bug Bounty program has become. Not only is the program a fundamental part of GitHub’s security strategy, but we are also becoming more involved in the hacker community. Since 2016, we have paid out over $5.5 million in total rewards through HackerOne, traveled to meet many of our program participants in person at various conferences, and given a series of talks about how we work on security issues as a company. We continually listen to community feedback and strive to make our program more rewarding for researchers, and we have some exciting ideas in the works. Stay tuned for more announcements in the future!
To celebrate Cybersecurity Awareness Month, we interviewed one of the top researchers in our bug bounty program to learn more about his methodology, techniques, and experiences hacking on GitHub. @imrerad specializes in command injection and logic implementation errors and has found and reported some really interesting and complex problems.
How did you get involved in Bug Bounty? What piqued your interest?
I have been passionate about IT security since I was a teenager. I remember reporting vulnerabilities to companies even before bug bounty became a mainstream thing. I got my first reward in 2016 (from Android) and I was proud because it wasn’t commonplace back then.
I’m not a full-time bug bounty hacker; I do this as a hobby in my free time, alongside my full-time job and without sacrificing my personal life. When bug bounty programs became the industry standard, I realized that I was a lucky guy with this hobby. It pushes me to become more involved with the different technologies I encounter during research, and the recognition that comes with it is good for professional development.
What keeps you coming back to it?
It has an addictive nature – you always want to make another discovery.
What do you like to do when you’re not hacking?
I love music and try to go to concerts by bands that are important to me. I also enjoy building various automations around the house that make life easier and more comfortable. For example, I recently worked on an irrigation system. The next challenge is to somehow store more water.
How do you stay up to date and learn about vulnerability trends?
Other people’s bug bounty reports are an invaluable source of information: you can learn about tricks you haven’t seen before, features you didn’t know about, and, if you’re lucky, they might even give you an idea about additional attack vectors you hadn’t considered yet.
Reviewing your target’s changelog can also provide insight into what you should focus on next. For example, in the GitHub Enterprise Server (GHES) release notes, I noticed a trend of escalation issues in the management console.
Additionally, the experience I have gained in my current and previous jobs as a full-time security engineer also contributes to my process in some way.
What types of bugs do you most enjoy researching and why?
What I like best are logic bugs, the ones that are unique. Textbook vulnerabilities (e.g. a reflected XSS) that could be found with commercially available tools are not exciting to me. I love coding, so I also enjoy building tools to check potential attack vectors or to find additional instances of a bug I just discovered. When I run into race conditions, I enjoy exploring options that improve my chances of winning the race.
You have found some complex and serious bugs in your work. Can you tell us about your process?
I don’t have a very particular methodology; it’s something like this:
- Choose a goal that you like or are familiar with (I tend to be less motivated with products I don’t like, so I try to focus on others instead).
- Make a list of features that you think are problematic (e.g. because the impact of a bug could be devastating or because they are simply difficult to implement safely).
- Create a list of attack vectors for each feature.
- Prioritize the list.
- Go through the list and carry out the attacks.
- Update and expand the list as you draw your conclusions.
- Repeat.
Do you have any advice or recommended resources for researchers looking to get involved in bug bounty?
Take detailed notes. This will save you a lot of time if you need to reproduce something a few months later or simply want to help someone with the conclusions you reached.
Don’t let prejudices fool you. Even highly talented engineers sometimes make mistakes. So don’t neglect to verify attacks that you think are trivial.
Find the right balance. Sometimes you have to invest a lot of time to research a promising attack surface, and even more time would be required to draw the right conclusions. It’s hard to decide whether to stop or pursue it further.
Give back. Publishing articles about your findings and tools helps the research community and makes the Internet safer.
Do you have any social media platforms you would like to share with our readers?
Connect with me on LinkedIn, read my posts on Medium, or check out my tools on GitHub.
Thank you, @imrerad, for participating in GitHub’s Bug Bounty Researcher Spotlight! Every submission to our bug bounty program is an opportunity to make GitHub, our products, and our customers more secure, and we continue to welcome and value collaboration with the security research community. So if this has inspired you to start looking for bugs, feel free to report your findings to us on HackerOne.
Interested in helping us secure GitHub products and services? Check out our open roles!