Cybersecurity spotlight on bug bounty researcher @yvvdwf

Image of Jeff Guerra

The GitHub bug bounty team is excited to close out Cybersecurity Awareness Month with another spotlight on a talented security researcher who participates in the GitHub Security Bug Bounty Program.


Security is core to GitHub’s mission, and our bug bounty team is focused on driving improvements in how GitHub develops secure software. Since its launch in 2014, GitHub’s Bug Bounty Program and the external security researchers who participate have amplified our ability to ship secure products. The program has also consistently been named a top bug bounty program by researchers. In the past year, we have worked hard to expand the existing program, including identifying new ways to engage with our bounty community. To celebrate Cybersecurity Awareness Month this October, we’re interviewing a few of our researchers to learn more about their experiences hacking GitHub.

In our second interview, we’re excited to highlight another top contributing researcher to GitHub’s Bug Bounty Program, @yvvdwf, who has a talent for finding bugs through a fascinating lens as a software engineer by day, and bug hunter by night. We interviewed @yvvdwf to learn more about their methodologies, techniques, and areas of interest for participating in the GitHub Bug Bounty Program.

How did you discover your passion for security research?

It was when I accidentally received an error in the Git program. When I Googled the error message, I found a writeup of a researcher who talked about the way he discovered the bug. That was really impressive. I was even shocked when I saw the huge bounty amount he got. So I asked myself: why not try finding a bug!

What are your favorite classes of bugs and why?

The first bug I submitted was cross-site scripting (XSS). I was starting to research XSS because I have experience on web applications. So I thought that would be the easiest way to start the adventure—with something I already knew.

Time after time, I realize that server-side request forgery (SSRF) is also really interesting, especially the DNS rebind attack technique. When working with SSRF I can explore deeper what occurs in the underground of web applications in particular, as well as the distributed applications in general.

Why do you enjoy participating in the GitHub Bug Bounty Program?

I must say that the bounty in the GitHub program attracts me a lot. 😂 Again, another reason is because I’ve gained some experience when using Git in my job. In fact, I hunt for bugs in my free time, so I participate in very few programs which give ample scope to my ability.

What has researching GitHub products taught you?

As a software engineer, I usually focus on creating the functional features that will be used by a normal user. When hunting a bug in GitHub products (and others), I must change my mind to act as an abnormal user. Certainly most bugs occur in an abnormal execution condition.

What do you enjoy doing when you aren’t hacking?

I code a lot even though people expect more “noble” tasks from me after getting my PhD. For me, coding is not only sitting in front of a computer and typing strange characters, it is a passion. There is something exciting and magical about the process of building something useful to others, or solving a problem by breaking it into smaller parts. It is not easy to describe such an experience. It has some logical aspects, but it is also an immensely creative activity.

How does collaboration with other researchers help you find bugs?

I haven’t had occasion to collaborate directly with other researchers. However, I’ve learned a lot from them via their writeups. I’m planning to do the same by blogging and sharing what I’ve learned during my adventure.

Do you have any advice for researchers looking to find their first bug?

People have different ways of looking at things. For me, I started looking for my first bug when I was experienced in its domain. I think that a strong background is the prerequisite condition; otherwise we cannot see the bugs even if they are there.

One way to experience the sensation of bugs is to read a writeup then try to reproduce the bug. Going further, you should see what the author was thinking when deciding to go in that direction but not the others. What would you have done in their place?

Do you have any social media platforms you’d like to share with our readers?

I will be reachable at https://yvvdwf.me, which is in the works.


Thank you, @yvvdwf, for participating in GitHub’s second bug bounty researcher spotlight! Each submission to our bug bounty program is a chance to make GitHub, our products, and our customers more secure, and we continue to welcome and appreciate collaboration with the security research community. So if this inspired you to go hunting for bugs, feel free to report your findings through HackerOne.

Interested in helping us secure GitHub products and services? Check out our open roles at https://github.com/about/careers!