Nicodemo Gawronski (@Nijagaw) has been hacking on Bugcrowd bounty programs since mid-2014 and is also a Penetration Tester at Sec-1 in the UK. He is ranked 8th on Bugcrowd’s all-time leaderboard and was nominated in the 2015 Bugcrowd Buggy Awards for Most Valuable Hacker, an award that recognizes researchers with overall high activity, low noise, and high impact. He has an acceptance rate of 99.11% and an average priority of 3.09.
How did you get started in cybersecurity?
In 2010 I moved from Italy to Glasgow (Scotland) to study at Glasgow Caledonian University. The four-year course focused on Digital Forensics and Penetration Testing as well as Networking, Math and Programming, among others. I really enjoyed the precision required to do forensic analysis and the magic of hacking. Wanting to learn more than what my university offered, I started reading blogs and tweets about Forensics and PT and learning Python, which I thought could be useful to write some quick code for “hacking.”
If you want to apply for a job, in a lot of cases (especially in Italy) you are required to have some sort of working experience. That is why I decided to contact a few companies to get the experience I needed. The Deft Linux team (Linux Digital Forensics distro) replied to my emails and assigned me my first supervised development project.
How long have you been doing bug bounty work?
In my third year of university, I had the opportunity to work for Sec-1 Ltd for a year-long placement. I really liked the job and the colleagues, and a few months after starting I decided to focus all my attention on penetration testing. After the placement, during the last year at university, I wanted to keep learning and not forget what I’d learned so far. That’s how I started looking into bug bounty programs, mainly on Bugcrowd.
Do you remember your first submission?
My first report was submitted (not long ago) on the 16th of May 2014 (an XSS, duplicate of course).
Do you have a speciality that you tend to spend your time on?
I focus on web applications and mobile apps which are pretty similar.
Do you have a specific strategy in bug hunting?
When I started I focused mainly on low-hanging fruit. They are quite easy to find for a beginner and get you going forward. Nowadays I still look for low-hanging fruit, while my main focus is on critical vulnerabilities that give me a challenge more than a reward. Don’t get me wrong, easy rewards are very welcome, but finding critical vulnerabilities where you had to actually use your brain is more rewarding than appending a simple "><script>alert(1)</script> and getting an alert box. It’s amazing when you start, but then the game gets boring quickly. Critical vulnerabilities I look for are SQLi, XXE, privilege escalation, IDOR, insecure file upload, etc.
What motivates you to do what you do? What keeps you going?
Easy to say, there are 5 main reasons if I think about it:
1) The more I test, the more I learn. We should never stop learning.
2) It’s fun and challenging almost like an adult version of a video game.
3) I help companies make their business safer and we want that right?
4) I get to know other awesome testers.
5) I get some money, helpful during university years to pay the rent (thank you Bugcrowd!), helpful now to buy books and gadgets/hardware/software and of course a bit of charity because why not?
Any tips or suggestions that you would give to beginners?
1) Read a lot. Tweets and blog posts of other bug hunters and companies; read the news, read documentation, read code, read exploits from exploit-db.com. Read books (The Web Application Hacker’s Handbook is a great start).
2) Apply what you are reading. Download vulnerable VMs and create your own. This is important. Create your own. Hint: Go to https://cve.mitre.org/, find a vulnerability you would love to exploit and don’t know how. Let’s say XXE. Find a free/open source web app which is vulnerable to XXE, download it, install it and hack it. You can start with apps for which exploit code is already available.
3) Participate in bug bounty programs. Follow the rules, report vulnerabilities, don’t be shy (even if they can be duplicates).
4) Ask questions. There are cool people out there that could help you. Ask and you shall receive.
You’ve really come up in the ranks quickly. What would you say to other top bug hunters?
1) There are better things to do than sitting at the computer all day. Leave the bounties to me. 🙂
2) I love some of your blog posts. Share more!
Do you have any concerns with the bug bounty model?
1) Trust: Giving the OK to a lot of people to hack your site can be dangerous. How do you trust that all the bug hunters will report all the vulnerabilities they found and/or stop exploiting a SQL injection before dumping arbitrary content from a database? Some bug bounty programs don’t give access to the authenticated area of in-house-built web applications for standard and/or admin users. The vulnerabilities are there but no one(?) can find them. I see in this a bit of motivated/unmotivated lack of trust towards testers that live all over the world.
2) Costs. Some bug bounties pay way too much for a single vulnerability (read reflected XSS). There are web applications that have vulnerabilities for every single GET and POST request you submit like shooting apples in a barrel. A single penetration tester will find all/most of them in a day or two of work and will be paid the same for the 60 instances of reflected XSS, 13 of stored XSS, 6 of SQLi, 1 XXE and all the others (based on a true story). If the affected code is different and the vulnerability is the same and easy to find, a bug bounty program could/would offer a reward for each instance of the same bug, therefore possibly increasing the costs for the client.
What do you think of the future of bug bounties? Why do you think they’re important?
I can see there is an increasing interest in bug bounties and I am very happy about it. Companies are starting to take security more seriously. In most cases having more testers testing a single web app means that more vulnerabilities will be reported and fixed. This is great. The same thing happens if you change the code to your site. New vulnerabilities can be found and bug bounty programs without a deadline can take advantage of this.
I think the importance of bug bounty programs will increase each year and this is great. They work well with an expanding security community. Not all bug hunters are working in the security industry and it is great they have the opportunity to find and report vulnerabilities. Everybody is happy in this case.
At the same time I see the same trend for private companies. Both methods of testing offer pros and cons and I think in some cases they could work well together.
Thanks Nijagaw! Keep up the great work!