Unless you’ve been living under a rock, you know that Bugcrowd expanded our Collaboration feature this year. To complement this extraordinarily convenient feature, we also announced our first-ever #TeamHunt2021 challenge! 15 teams, 5 weeks, one grand prize!
Before the competition, we caught up with a couple of Team Monstars’ talented players, Todayisnew and Hx01. Since they are gifted hackers who have been experimenting with collaboration for some time, we wanted to hear from them just how they do it. How did you start? What are the difficult parts? How do you celebrate your victories?
Read on to learn more about the inspiring collaboration experience of your peers!
How did you two meet?
Todayisnew (T): Bugcrowd Live Hacking Event, a friend of a friend introduced us and it has been great working together since then 🙂
Hx01 (H): We met through Bugbash working under the same team and have been working together since then & so far has been fruitful.
What made you decide to work with each other?
T: Skillset that seemed to complement each other, kind, hard-working person 🙂
H: I like to go deeper whereas Eric (Todayisnew) goes wide. This helps us to utilize each other’s skills and produces more value than going alone.
Do you have a team name?
T: Lots of different names over time, I think this round we went for “Monstars” from the new Space Jam movie 🙂
H: ^^^ what Eric (Todayisnew) said.
How do you decide what to hack?
T: For me, I like to hack everything at the same time, build a system to scan the internet for any issue for any programs that have bug bounty programs.
H: I usually like to spend time on newer technologies and then work out new attack vectors on them.
How do you split the bounties?
T: What has worked well is an even split of 50/50; we both put our full effort in and equally share the results back 🙂
H: I believe splitting evenly is only fair since we both put a lot of effort into making sure the identification & reporting process goes smoothly.
Can you walk us through how you hack together?
T: Hmm I can see it as an evolving practice of trust, and improving on both the security issue and the report and proof of concept.
It’s often been Hx sharing a full-formed POC trying to explain the impact to me 🙂
Then ask a lot of questions to understand the risk.
I’ve found this helps to have that person to ask the questions that either triage or programs might need explained and having another person ask those questions seems to help.
Then it’s the action to get the reports out.
1) identifying programs that are vulnerable
2) creating a clear report to share
3) sending the reports and tracking who has been sent to
4) Respond to all the questions that come through from the reports.
5) tracking what has been rewarded and making sure we get an equal share of the bounties.
6) ordering Pizza from all the bounties to celebrate 🙂
H: ^^^^^
Does each of you specialize in certain areas of hacking? How does that play out when splitting workload?
T: I’ve had good luck specializing with recon, being able to find more hosts that are vulnerable to multiplying a bug to many bugs 🙂
If it’s a bug that can be automated or part of the process automated I enjoy bringing that in.
H: I specialize in going deeper in technologies and then coming up with attack vectors, it’s mostly me going deeper and then Eric (Todayisnew) working on automating the vulnerability identification for us.
Who is responsible for the communications on reports?
T: I think we both put the effort in to respond to reports, and if we’re unsure how to respond have a little Slack chat to try to sort out what the question is being asked and how we can best answer it to the team on the other side.
H: We both respond to the report communication whenever we can, as this lessens the burden on one, as well as helps us to be available for the teams working in different time zones.
Who owns any unique finds that are found during the collaboration?
T: I think we keep any unique finds between us, an equal split to carry it forward if we were going to share with another to touch base with each other first.
H: The unique findings are split between us as well :).
How do you handle issues on a partnered report, for better or worse?
T: I think that something that will help for more collaboration, a system where teams might have to approve comments made by each other before they are sent into the programs.
Everyone can have a rough day or have different personalities. It would be great to have the option to agree with what your teammate is saying / or doing, or the option to un-collab as well on a report, back away slowly so to speak if the relationship doesn’t work out as planned 🙂
H: I think it’s important for platforms to implement a feature where the researchers can disassociate/remove them from a collaboration if there’s a conflict between partners on how they want to move forward.
What are the main advantages of working with a fellow researcher?
T: Support 🙂 For the challenges and success, it can be long hours alone, the company is great, and many minds together can mix their ideas and strengths to find solutions with everyone’s combined contributions 🙂
H: Shared responsibilities; helps in splitting the workload, brainstorming on possible impact escalation/fixes.
How do you suggest people find a partner to collab with?
T: LHE or Virtual LHE have been great, where you get to put in the time together against a common target. Different Slacks, and Discords have been a great option to connect as well for me. I think sharing something that you’re working on and stuck, an “ALMOST BUG” is a way that has worked for me. Something if I share and lose, nothing is lost, and at the same time usually many kind smart people jump in to offer solutions and can see the collaboration process in action, the company is more secure, some bounties are possibly rewarded, and everyone gets a little dopamine from the success 🙂
H: I would suggest collabing with people you trust or have known for a while & are professional in their communications. Also, a good platform rank doesn’t mean they’re also good in collaborations 🙂.
What is the best thing about working with Hx01? What is the best thing about working with Todayisnew?
T: Good conversations 🙂 Empathy, Kindness, a bit of an age gap, feel I can pass on some wisdom that might have a happier life or avoid some mistakes I made for Hx 🙂
H: I admire Eric’s (Todayisnew) professionalism and enjoy our conversations about life.
What has each of you learned from the other?
T: Authentication is not very strong when you have amazing creativity and skills 🙂
H: Besides the amazing things automation & a clever brain could do, I’ve learned how to find positivity in difficult situations.
Is your relationship strictly bounty business or do you do things outside of hacking together?
T: We enjoy great conversations about life 🙂
H: ^^^^
For anyone hesitant to work with others, what’s one thing you wish they knew?
T: The only way to have success is to try, there might be some challenging collabs, and you will learn and be better for them for the next time 🙂
H: ^^^^^^^
There’s nothing better than receiving fun advice from fellow hacker friends. Give these two a follow, and while you’re at it, check out the Bugcrowd Twitter for up-to-date announcements on everything from challenges to webinars. Keep our Discord close by for community news and chats. Happy hunting!