My name is Ruby although most hackers know me as rubyroobs, or the one with the anime profile picture on HackerOne! I’ve been hacking for 5 years, doing bounties since last June or so and hack almost exclusively on HackerOne (excluding some private company programmes). Full disclosure - I also work for HackerOne! I got into bug bounties after an “incident” last year involving drying paint and a chain of IDORs and Marten Mickos (CEO of HackerOne) reached out to me on Facebook. I started off super slow but during my internship at Riot Games I picked up pace a bit, and after reporting some minor bugs in Twitter H1 invited me to their office. I’ve been a strict loyalist ever since. 💖
As a part of keeping myself from going insane, bug bounties are strictly a hobby for me and I see them as pure fun and entertainment. I focus on my personal life and work strictly first, but most bug bounty “sessions” end up starting by me playing around with something I’ve used.
Some months I report 1, some months I report 10. I spend time looking for bugs usually later on at night and as I mentioned before when I feel I’m onto something - excluding hackathons and fun with friends I don’t really dedicate time just to bounties.
My first high impact vulnerability was what attracted Marten’s attention although I wasn’t paid out for that. I got a $10k bug during the Zenefits night at h1-702 which is my first big payout. That was fun (and only about 2-3 months into serious hunting).
I pin this as my favorite/most interesting right now because it was such a weird way of finding the bug, but it was a bug I found in China on one of the big tech companies sites allowing a bypass that could have lead to a big breach of trust in the service if exploited maliciously by a hacker. Oh, and that content injection bug I found on a plane.
I had the advantage of building faster rapport with hackers as I interned at Riot Games (who may or may not have a bug bounty programme <.<… >.>…) and ended up talking to some of the researchers who reported to the programme there. Since then, I’ve kept contact with some of the people I’ve worked with and made some awesome friends; mostly I felt motivated by the people I know in the community. I guess the big shoutout here goes to Jobert for inviting me to h1-702 when I only had 140~ rep on H1, and I ended up taking in 20x what I’d earned in bounties until that point!
Read what other people are doing, and find stuff like that. It’s a bit of an oversimplification, but that’s really all there is to it.
I’ve only really directly worked with Smiegles and Ebrietas, but I’ve looked at stuff and given my input on stuff with many, many hackers. All the hackers even. Maybe not all, but you know - a good chunk?
I usually approach a target looking at something I’m using as an end user when I realise they have a bug bounty programme. Typically I’m looking at something because it’s either very new, very old or very obscure. I like to look around from there and build a mental map of the structure of the application I’m trying to hack and only then will I think “OK - maybe this is weak here and here, but what can I try to do?”
Never. I’m confident I’ve missed a lot of low hanging fruit in my time, but my approach has got me so far and I’m reluctant to change. I usually look for less complex but more policy based vulnerabilities. It might be hard to realise it as a hacker, but sometimes an org cares more about a hacker publishing something without approval than rooting a box on an isolated network with nothing on.
I have a few personal scripts to automate very me-specific stuff, but mostly I do stuff manually; for me at least, it’s more fun and authentic. To answer the last question specifically, I think one tool people need to use more is themselves. Scanners can find a lot, but scanners are dumb. They don’t know what they should and shouldn’t be able to do. Scanners are also not entirely private; if your scanner found it then someone else’s might have too.
Stuff like this is way easier to test when you’re not black box testing, but when trying against a server, this is mostly where recon can help you. Try to see if you can identify vulnerable code snippets or libraries that have been used based on parameter names/error messages and work backwards that way. For full on testing where you can’t see the source code, I’d say a lot of the time it’s just experience from hacking on knowing where to probe. James Kettle from Portswigger did a brilliant talk on probing completely black-box style with a simple but effective technique and released a Burp extension based on his research here.
Very often. The key here is looking where other researchers are not :)
I think having experience knowing how web applications work and how they are structured helps, and so does having a decent fundamental understanding of computing and networking. It’s kind of cringeworthy to see people reporting HTTP Header issues without understanding what a HTTP Header is and it really reflects in your research.
A really weird mix. I like a lot of K-Pop, J-Pop, Electronic, Hip-hop, Funk and Pop Punk. Here’s my current playlist I put on shuffle sometimes when I’m not listening to a full album.
I really love fashion and it’s role in culture, and I can spend a lot of time just reading or looking for inspiration. I also love anime and when I do manage to get a chance I’ll watch a series or plan a cosplay. Kimi no Na wa is worth a watch if you haven’t already.
Overall a positive effect, but I’d like to think the achievements and discoveries made from the research has impacted me more than the bounties themselves.
I started my career triaging instead of submitting reports. This really gave me some perspective on to what is a valid issue and what’s not. Sadly not every hacker is going to get this experience but I’d recommend you read your report before you submit it and try to imagine you’re the lucky security engineer on the other end assigned to the report. What do you really think of it?
I think there is a lot of missed opportunity in browser extensions and I’ve found a few bugs here already. I want to look beyond web applications but keeping things within my familiarity.
Knowing how web applications work on the server side is only going to be a benefit for you when it comes to breaking them in the real world.
I believe my work for HackerOne creates a conflict of interest answering questions about my toast preferences, and I’m afraid this is something I won’t be able to answer.
Upon reflection, I’m yet to have a truly negative experience. There are back and forths that I’m sure annoy us in the moment but I’ve never had a really bad encounter with a programme yet.
I love reading research that truly makes you go “holy fucking shit I see what you did there”. Orange Tsai and Jack Whitton (or fin1te if he doesn’t mind people still calling him that) come to mind.
Just like my position on toast, there’s a conflict of interest here and I’ll have to politely decline this.