April 2018 Hall of Fame & Researcher Highlight

Bugcrowd is pleased to announce our April 2018 Hall of Fame winners.

todayisnew rocked first place! mongo came in a solid second place, and making a big appearance in third place is VINOTHKUMAR. Congratulations to our winners and we appreciate all your hard work! To show our appreciation we award bonuses to our top performers!

  1. todayisnew – 1885 points – $2,500 bonus
  2. mongo – 642 points – $1,500 bonus
  3. VINOTHKUMAR – 613 points – $1,000 bonus

Think you have what it takes to come out on top?

High severity bugs that result in critical security impact such as remote code execution or elevation of privilege earn the most kudos points – check out our blog for a breakdown of points and priority, as well as some other great resources such as bug bounty tips and hacker advice from our top researchers. Submitting high severity bugs not only gets you bigger rewards, it can also help you get invited to private bounty programs faster.

Thanks again to all of the Bugcrowd researchers for all of their hard work and we look forward to our May Hall of Fame results!

New – Researcher Highlight:

This month we would also like to highlight one of our up-and-coming researchers who is doing amazing work – th3g3nt3lman. Between January 2018 and April 2018, th3g3nt3lman went from being ranked 176 to 57! Plus, th3g3nt3lman has a 100% bug acceptance rate and an average priority rating of 2.91 over 92 bugs. Now let’s hear directly from th3g3nt3lman:

How did you get started in security research?

I started in security research about four years ago. I was a network and VoIP specialist. During my work at the bank I was forced to handle a project related to PCI DSS, which is an information security standard for organizations that handle branded credit cards from the major card schemes.

This was new for me and I felt I didn’t have the security background for this project and was unable to challenge the assessor who ran the assessments at the bank. With the support of management, I started taking the necessary training, spent many hours reading and practicing until I built up a solid security knowledge base and background, which eventually led me to switch my career path and go into security.

How long have you been doing bug bounty work?

I’ve been doing bug bounties for two years and I plan to keep doing them as long as I can.


Do you have a specific security focus or specialty that you tend to spend your time on?

I tend to give a lot of time to recon. I might spend days only gathering information, subdomains, endpoints, etc. before touching the application itself, which helps me find unique and special bugs. After that I try my best to find XXE and SSRF, since those are not easy to find and you have a bigger chance of finding stuff no one else found before you.

What motivates you to do what you do? What keeps you going?

I do this mainly for my little kid and wife’s future. Normal jobs won’t help you financially cover your expenses and build a good future for your family. Bug Bounty really helped us and opened a big door for us. On the technical side, this is giving me more experience to advance my career and get the chance to assess very large and popular organizations that I don’t interact with in my normal job.

Any tips or suggestions that you would give to other bounty hunters?

There are a lot of ups and downs in bug bounty. Don’t feel sad if you don’t find bugs right away. Remember to just keep trying harder and always consider yourself a junior who is passionate to learn; keep reading, practicing, and asking questions. There are daily changes in technologies and hacking techniques to follow up on.

Also, I recommend spending a good amount of time on recon. It’s the main phase that helps you find bugs easily before others do. I consider GitHub a goldmine: when you spend time searching for a company on GitHub you will end up finding a lot of subdomains and endpoints, along with passwords/keys that give you easy P1 submissions.
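
The leaked passwords and keys in public repositories that th3g3nt3lman describes are the same thing a defending team wants to catch before a commit is pushed. The following is an added example, not code from Bugcrowd or from the researcher, of a small secret scanner of the kind run in a pre-commit hook or CI job. The rule set (an AWS access key ID shape, a PEM private-key header, and a generic credential assignment filtered by placeholder words and Shannon entropy) and the sample file contents are assumptions constructed for illustration; production scanners such as gitleaks or trufflehog carry far larger rule sets.

```python
import math
import re
from collections import Counter

# Credential shapes to look for. Constructed for this example; a real
# scanner carries hundreds of such rules.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"
    ),
    # key = value / key: value, value at least 8 non-space, non-quote chars.
    # No \b around the keyword so DB_PASSWORD=... is caught as well.
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)"
        r"\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}

# Values that are obviously not real credentials.
PLACEHOLDER_VALUES = {"changeme", "xxxxxxxx", "example", "password", "<redacted>"}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking keys score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, min_entropy: float = 3.0):
    """Return [(line_number, rule_name, matched_value), ...] for text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if rule == "password_assignment":
                    # Skip templates (${VAR}), code expressions such as
                    # os.environ[...], known placeholders and low-entropy words.
                    if value.startswith("${") or re.search(r"[\[\(]", value):
                        continue
                    if value.lower() in PLACEHOLDER_VALUES:
                        continue
                    if shannon_entropy(value) < min_entropy:
                        continue
                findings.append((lineno, rule, value))
    return findings


# Constructed sample of a config file; none of these values are real.
SAMPLE = """\
# constructed sample file, not from any real repository
DB_HOST=db.internal.example
DB_PASSWORD=changeme
AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY123456
api_key = "q7Gf2kLp9zXw3vRt8bNm"
password = "${VAULT_PASSWORD}"
password = os.environ["DB_PASSWORD"]
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, rule, value in scan_text(SAMPLE):
        print(f"line {lineno}: {rule}: {value}")
```

Run against the constructed sample, only the AWS key ID, the high-entropy `api_key` value and the private-key header are reported; the placeholder `changeme`, the `${VAULT_PASSWORD}` template and the `os.environ[...]` lookup are filtered out. Wiring `scan_text` over `git diff --cached` output in a pre-commit hook blocks the commit before the secret ever reaches a public remote.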

If you could have a superpower, what would it be and why?

Triaging @mongobug and @jstnkndy submissions 🙂

Both are great hackers and a goldmine of knowledge. Personally, I learned a lot and advanced my career in penetration testing & bug bounty by taking simple notes from Justin’s YouTube interview and Slack conversations.