Interested in helping us secure GitHub products and services? Check out our open roles!
Cybersecurity spotlight on bug bounty researcher @imrerad
For this year’s Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to feature another spotlight on a talented security researcher who participates in the GitHub Security Bug Bounty Program—@imrerad!
As we kick off Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to spotlight one of the top performing security researchers who participates in the GitHub Security Bug Bounty Program, @imrerad!
As home to over 100 million developers and 420 million repositories, GitHub maintains a strong dedication to ensuring the security and reliability of the code that powers daily development activities. The GitHub Bug Bounty Program continues to play a pivotal role in advancing the security of the software ecosystem, empowering developers to create and build confidently on our platform and with our products. We firmly believe that the foundation of a successful bug bounty program is built on collaboration with skilled security researchers.
As we celebrate 10 years of the GitHub Security Bug Bounty program, we are proud of what the program has become. Not only is the program a fundamental component of GitHub’s security strategy, but we have also become more involved with the hacker community. We have been able to pay over $5.5 million in total rewards via HackerOne since 2016; travel and meet in person many of our program participants at various conferences; and we have presented a number of talks on how we as a company work on security issues. We continuously listen to feedback from the community and are striving to make our program more exciting for the researchers to hack on. We have some exciting ideas that we are working on, so stay tuned for even more announcements in the future!
To celebrate Cybersecurity Awareness Month (this month), we’re interviewing one of the top contributing researchers to our bug bounty program and learning more about their methodology, techniques, and experiences hacking on GitHub. @imrerad specializes in command injections and logic implementation flaws and has found and reported some really interesting and complex issues.
How did you get involved with Bug Bounty? What has kept your interest?
I’ve been passionate about IT security since the end of my teenage years. I remember reporting vulnerabilities to companies even before bug bounty turned into a mainstream thing. I got my first reward in 2016 (by Android) and I was proud as it was not a common thing at that time.
I’m not a full-time bug bounty hacker, I do this as a hobby in my free time, next to a full-time job, and without sacrificing my personal life. As bug bounty programs turned into an industry standard, I realized that I’m a lucky guy with this hobby. It drives me to study more about various technologies that I encounter during the research and the recognition coming with it is good for career development.
What keeps you coming back to it?
Its addictive nature—you always want one more finding.
What do you enjoy doing when you aren’t hacking?
I love music and try to attend shows of bands that are important to me. I also enjoy building various automations around the house that make life easier and more comfortable. For example, I’ve been working on an irrigation system recently. The next challenge is to store more water, somehow.
How do you keep up with and learn about vulnerability trends?
Bug bounty write-ups by others are an invaluable source of information: you can learn about tricks you haven’t seen, about features you haven’t been aware of, and with some luck, they could even give you an idea about yet-unconsidered additional attack vectors.
Reviewing the changelog of your target can also hint at what to focus on next. For example, in the release notes of GitHub Enterprise Server (GHES), you could see the trend of privilege escalation issues in the management console.
Besides this, the experience gained in my current and past roles as a full-time security engineer also contributes to my process at some level.
What are your favorite classes of bugs to research and why?
I like logic bugs the most, ones that are unique. School book vulns (for example, a reflected XSS) that could be found by off-the-shelf tools also are not exciting to me. I love coding, so I also enjoy building tools to verify potential attack vectors or to find additional instances of a flaw that I just discovered. At race condition issues, I relish exploring the options that improve my chances to win.
You’ve found some complex and significant bugs in your work—can you talk a bit about your process?
I don’t have a super special methodology; it is something like the following:
- Choose a target you like or you are familiar with (I tend to be less motivated at products I don’t like, so I try to focus on others instead).
- Come up with a list of features that you suspect problematic (for example, because the impact of a flaw could be devastating or simply because it is just hard to implement securely).
- Build a list of attack vectors for each.
- Prioritize the list.
- Go through the list / execute the attacks.
- Update and expand the list as you’re making the conclusions.
- Repeat.
Do you have any advice or recommended resources for researchers looking to get involved with Bug Bounty?
Make verbose notes. This will save you a lot of time when you eventually need to reproduce something several months later or just want to help out someone with the conclusions you made.
Don’t let prejudice fool you. Even super-talented engineers make mistakes sometimes, so don’t skip verifying attacks that you think are trivial.
Find the right balance. Sometimes, you need to invest quite some time to research a promising attack surface, and the right conclusions would require even more. It is hard to make the decision whether to stop or to pursue it even further.
Give back. Publishing write-ups about your findings and tools helps the researcher community and makes the internet safer.
Do you have any social media platforms you’d like to share with our readers?
Connect with me on LinkedIn, read my posts on Medium, or check out my tools on GitHub.
Thank you, @imrerad, for participating in GitHub’s bug bounty researcher spotlight! Each submission to our bug bounty program is a chance to make GitHub, our products, and our customers more secure, and we continue to welcome and appreciate collaboration with the security research community. So, if this inspired you to go hunting for bugs, feel free to report your findings through HackerOne.
Tags:
Written by
Related posts
How to secure your GitHub Actions workflows with CodeQL
In the last few months, we secured 75+ GitHub Actions workflows in open source projects, disclosing 90+ different vulnerabilities. Out of this research we produced new support for workflows in CodeQL, empowering you to secure yours.
Announcing CodeQL Community Packs
We are excited to introduce the new CodeQL Community Packs, a comprehensive set of queries and models designed to enhance your code analysis capabilities. These packs are tailored to augment…
Uncovering GStreamer secrets
In this post, I’ll walk you through the vulnerabilities I uncovered in the GStreamer library and how I built a custom fuzzing generator to target MP4 files.