Today’s spotlight is on a researcher who clearly enjoys giving back and helping the community. Mazin Ahmed has been active in the bug bounty scene for the last two years and can often be found collaborating and joining discussions on Twitter, IRC, forums and other communities. Mazin’s recent project is the Firefox Security Toolkit, which you can read more about on the Bugcrowd Forum.
How did you get started in security research? How long have you been doing bug bounty work?
I have always been attached to computers, and love how they can be used to make a person’s life easier. I have a quote that I always remember: “If someone can do it, I can do it.” Getting into information security was a challenge that I initially set for myself. I watched infosec news and saw new discoveries, then told myself that I could do the same, and even better. Then I started learning from scratch. This was a long time ago, and I’m glad to be part of the information security community.
I have been participating in bug bounty programs since December 2013. My first hall of fame entry was in the same month as far as I remember.
Do you have a specific focus or specialty that you tend to spend your time on?
Web-application security is my current focus. I also research mobile application security. In my spare time, I like to participate in security challenges and test vulnerable virtual machines to enhance my skills.
What motivates you to do what you do? What keeps you going?
Being motivated is a vital part of all specialties, especially in computer science environments. Security research was initially my hobby, so I am always 100% self-motivated on everything related to information security.
Since information security is my profession, what keeps me motivated is that I would like to be more successful; I like to become better every day. Knowing that if I work more, I will be more successful always keeps me motivated.
Any tips or suggestions that you would give to other bounty hunters?
Always keep learning: No matter what level you reach, do not stop learning.
When writing a report, do it professionally: I have noticed that there are a large number of bug bounty program participants who do not follow professional steps in writing a report. This is a pain for both the vendor and the researcher. The vendor would mostly not be able to understand or reproduce the issue, and would ignore the report. The researcher’s reputation would decrease over time because of not writing professional or detailed reports. A report does not have to be long, just a good amount of information that would help vendors understand and be able to reproduce the issue.
Do not rely on automated scanners: In most bug bounty programs, vendors will already have used dozens of automated vulnerability scanners and patched the findings. Using automated vulnerability scanners would be a waste of time in most cases. I don’t mean that automated vulnerability scanners are not helpful, but in the bug bounty world, it’s rare to find a valid bug using vulnerability scanners.
What do you think of the future of bug bounties? Where do you see them going, where would you like to see them go?
I believe the future of bug bounty programs would be great. Five years ago, only a select few companies had bug bounty programs, such as Facebook and Google. Now both tech giants and small-size companies have bug bounty programs.
Currently, almost 80% of companies that have bug bounty programs are U.S.-based companies. This means that the concept of bug bounty programs is more popular in the United States than in any other country. I expect that three years from now, companies all over the world will start launching bug bounty programs. The bug bounty program industry is rapidly expanding every day.