Sebastian Neef, Tim Philipp Schäfers and Julien Ahrens collected a five-figure reward for finding a path traversal vulnerability on PayPal's main domain. The flaw allowed them to download any file from the server.
Neef and Philipp Schäfers founded Internetwache.org in 2012, with Ahrens joining them a year later. When asked whether they juggle a family while going to college or holding down a job along with being bug bounty hunters, they said they are not married "but sometimes a girlfriend makes life more time consuming and we all know family/girlfriend is more important than bug hunting."
Neef (21) studies computer science at the Technical University of Berlin, while Philipp Schäfers (19) studies economics and computer science in Bielefeld. Ahrens is the old man of the group at the age of 29 and works at Secunet Security Networks AG. They got into bug bounty hunting as a side job when they started hearing about the hacker group Anonymous.
"Naturally the media tried to defame all kind of hackers as criminals. It was clear that small mistakes can lead to big data leaks," they said.
The trio advise anyone who wants to get into the business to be prepared to think outside the box and be creative in their approach. They gave the following list of attributes a bug bounty hunter should have:
- Creative: Try to find new ways to bypass/combine/exploit specific situations and to think of new attack vectors.
- Thinking like a developer: The person has to empathize with the developer who wrote the application. Only that way will you be able to think about edge cases or understand the application's work/data flow.
- Thinking like a bad boy: Try to push the limit. Don't stop before you're root on the target machine.
- Polite/calm: It's not always easy to explain a complex security issue to a developer. A very important key to success is the ability to communicate your thoughts properly, as you want the developer to fix your security findings.
- Realistic: Always consider the real impact and the resulting risk for the business.
- Responsible: Discovering a critical bug usually puts a huge burden on your shoulders. Act accordingly.
"Having a look at the security community, we can tell that there are a lot of top-notch bug hunters who fulfill nearly all of the above points. On the other hand, there are 'unskilled' or new bug hunters who try to make some quick bucks by using one-click-tools and sometimes go as far as threatening the business owners. We refuse to call these people 'bug hunters'," they said.
They enjoy bug bounty hunting because it gives them the freedom to break things whenever they want. "By submitting useful reports the chances are good that more and more companies will get the idea about responsible disclosure," they said, calling bug bounty hunting the ultimate in crowdsourcing.