This week’s Researcher Spotlight is actually on two researchers who make up a team. Internetwache is one of the most active groups in the bug bounty researcher scene, finding vulnerabilities in Facebook, eBay, Apple, Twilio and many others. The team consists of Sebastian Neef and Tim Schäfers, and they were both kind enough to participate in this week’s spotlight interview.
How did you get started in security research? How long have you been
doing bug bounty work?
We slipped into the security topic around 4.5 years ago. After the media
published a lot of information about the hacks of “Anonymous” & co, we
were interested and wanted to know how it works and if it’s really that
easy to pwn a website. So it kind of started as a hobby and it wasn’t
until 2012 that we discovered bug bounty and responsible disclosure
programs. The first one was eBay followed by PayPal. It feels awesome
when companies acknowledge your work and effort. Being a student, it
also offered a nice way to earn some money, so after our first success
we dived deeper into the webhacking topic. Around that time, we read a
tweet about bugcrowd and started to participate in different programs.
Some years, platforms and programs later, we have been rewarded by a lot
of companies with HoF entries, T-Shirts and money.
Do you have a specific focus or specialty that you tend to spend your
Since the beginning, our main focus has been web-application security, but
we’re always looking at other things, too. Sebastian is going to learn
about mobile application security soon and Tim wants to explore SCADA
and ICS. When there’s some spare time left and we’re not participating
in any bug bounty program, we tend to look into some details and do
some research. For example, the scan of Alexa’s Top 1M websites for AXFR
or Git repositories. (See http://en.internetwache.org for the blog posts)
How do you keep your skills fresh?
Oh, we don’t think you need skills – Simply updating Acunetix to the
latest version is enough, isn’t it? 😉
Just kidding – The best way is reading security books, blogs and papers.
A lot of awesome people share their knowledge about new attack vectors
and their defense. Other than that, Capture The Flag (CTF) events are a
nice way to keep practicing and learning new stuff.
What motivates you to do what you do? What keeps you going?
The best thing is that you are allowed to test on real-world targets.
It attracts people like us to legally use our knowledge, which is
finally honored by the vendor either through nice payouts or other cool
swag (products, t-shirts, etc.). Back in the past, vendors would have
sued people for responsibly testing their infrastructure, because they
were probably scared of “hackers”. Today every major company that is
running a bug bounty is respected by the whitehat scene as it offers you
a great challenge and probably a respectable entry in your CV. So all in
all: You’ll get a reward for doing what you love to do: Breaking things
and hunting bugs!
Any tips or suggestions that you would give to other bounty hunters?
The main suggestion is to have a plan on how to approach a target. For
example our methodology is like picking fruits from a tree. First of all
you see the tree and you have no clue what tree it is or what fruits are
going to mature. You’ll have to take a broad look at the target and get
a feeling for it. What functionality does it contain? How does the
target react to unintended usage? How do developers want you to use the
target and how is it not meant to be used? After these steps, you go for
low-hanging, easy-to-reach fruits like XSS, SQLi, CSRF, and so on. But
that’s not enough, because you want to get to the top where the juicy
fruits are. You need to think of more critical vulnerabilities or
complex exploitation chains. In the end, you’ll hopefully have all the
What do you think of the future of bug bounties? Where do you see
them going, where would you like to see them go?
We believe that open communication and transparency (not full, but
responsible disclosure) is the best way of keeping something secure and
that’s why we like bug bounty programs. We hope that more companies will
start running bug bounty programs in the future, because you can’t
ignore the security aspect in the more-and-more connected world.
However, two things that have to improve or be kept on a high standard are
the communication and the trust between the company and the researcher.
Also, the value of a security issue has to rise again. There was a huge
downfall during the last couple of months which ended in companies paying
as little as $25 or even $1 for (severe) security issues. We respect that
some companies don’t have the money to run top-notch bug bounty
programs, but personally we’re happier with a fancy T-Shirt or a nice
sticker than $25 in the pocket. On the other side, the quality of
reports has to rise, too. We love to see initiatives like paying the
most detailed/helpful report (e.g. done by keybase.io) instead of just
the first-to-find. Both methods have their pros and cons, but maybe a
mix would be interesting: 50% for the first-to-find report and 50% for a
more qualitative report. That doesn’t eliminate the possibility that a
well written initial report earns you 100% of the reward. However, it
should eliminate poorly written one-liners and reward those who put
effort into explaining an issue. Another aspect is that not only web or
(mobile) applications need to undergo crowdsourced pentesting.
IoT devices especially are used everywhere and not infrequently have a
high impact on the physical world. Recent disclosures in the car
industry are an example of this.