Ethical Hacker Case: "My Efforts Were Valued at Two Thousand Rubles"

Sergey Vakulin is an expert in the field of computer and information security, specializing in finding vulnerabilities in web applications. His interest in this field began to develop during his university studies, when he was striving for new knowledge and skills. Soon Sergey realized that his hobby could not only enrich his professional experience, but also become a source of income. Using his experience and knowledge, he successfully helps organizations protect their data and improve the security of their systems.
Sergey initially had no idea that specialized platforms like HackerOne existed. To find vulnerabilities, he relied on the website ratings available on Rambler and Mail.ru. When reporting his findings to developers, Sergey received a variety of reactions, ranging from accusations of extortion to offers of small rewards. This experience taught him the importance of approaching developers in the right way and of using dedicated platforms to report vulnerabilities responsibly.
In 2018, Sergey identified two critical vulnerabilities in the VKontakte Bug Bounty program. The first vulnerability affected the phone number import function, which allowed access to the personal information of popular bloggers, including Nikolai Sobolev and Ksenia Plyusheva. The second vulnerability allowed the recovery of deleted user messages, creating a risk of confidential information leakage. These incidents highlight the importance of ensuring data security in online services and the need for constant monitoring for vulnerabilities.
Initially, VKontakte offered Sergey $100 for his findings, but he ended up receiving $500. This turned out to be a pleasant surprise for him.
Working with companies isn't always problem-free. A recent incident with a major online retailer was a real headache for Sergey. In February 2021, he discovered two XSS vulnerabilities that threatened user security by allowing attackers to access accounts and banking data. Such vulnerabilities highlight the importance of regular web application security audits and the need to promptly respond to identified issues to protect user interests and maintain the company's reputation.
The company's website advertised a bug bounty, ranging from 15,000 to 50,000 rubles. However, when Sergey attempted to report the bugs he found, he discovered the email address for the bug bounty program was inactive. After contacting technical support, he was told the company would only pay out two thousand rubles.
The developers then offered another unpleasant surprise, stating that the vulnerabilities posed no threat and that one of them had supposedly been fixed. As a result, Sergey was faced with a contract that obligated him to work for the company for two months for a nominal fee of two thousand rubles and included a permanent ban on disclosing information. Sergey refused to sign the contract and, ultimately, was left without any compensation.
Fedor Muzalevsky, Director of the Technical Department at RTM Group, recommends that ethical hackers carefully review the terms of contracts before beginning vulnerability research. He emphasizes that not all companies offering rewards fulfill their obligations. It is important to record all details, including reward amounts and descriptions of the vulnerabilities discovered. These measures will help avoid misunderstandings and ensure fair compensation for the work performed.
According to Muzalevsky, the hacker's actions can be classified under Article 273 of the Russian Criminal Code. However, a company's dishonest actions do not exempt it from liability. If a hacker has complied with all the program's terms, they have the right to seek a reward through the courts, as many bug bounty programs are considered a public offer. This highlights the importance of complying with the terms of vulnerability bounty programs and the need for companies to consider legal aspects in their operations.
Moving to New Horizons: My Experience with Bug Bounty

I started my career in vulnerability scanning two years ago, despite lacking a formal technical education. My programming skills are limited to a basic level of Python. However, thanks to my reputation and successful reports, I gained access to closed bug bounty programs. This gave me the opportunity to choose companies with high rewards and fast report processing. I strive to develop my skills and deepen my knowledge of cybersecurity so I can effectively identify vulnerabilities and contribute to the protection of information systems.
A few months ago, I encountered a conflict with a well-known vacuum cleaner manufacturer, which prompted me to consider new career directions. I became interested in their bug bounty program, which offers the opportunity to find vulnerabilities on both main domains and subdomains. Expanding the attack perimeter significantly increases the chances of success for a bug hunter. This approach allows you not only to improve your skills but also to contribute to the security of web applications, which is becoming increasingly important in today's digital world.
I recently received notification that my attack on the admin panel of a website providing digital self-service and voice assistant integration was successful. I identified a Blind-XSS vulnerability on the product returns page, which allowed me to access customer personal data. It was later discovered that the website was associated with a specific manufacturer.
To confirm the vulnerability, I needed to obtain cookies, but I didn't have access to them at the time. I only had the IP address of the computer where the attack occurred and the user agent information. I prepared a report and submitted it in hopes of receiving the $1,000 reward for identifying critical vulnerabilities.
My report was reviewed by HackerOne experts, who filter out non-critical submissions. Knowing that I didn't have absolute proof, I requested mediation in advance so that notification of the discovered vulnerability could be sent directly to the manufacturer. However, no response was received.
As a result, my report was rejected. I concluded that the vulnerability I discovered did not pose a serious threat. Therefore, I decided to publish information about the discovered bug on my Medium blog, having notified the company in advance of the upcoming publication. This will allow other information security specialists to be aware of this problem and, perhaps, help improve protection against similar vulnerabilities in the future.
I follow the principle: if a vulnerability is confirmed, a reward must be paid. Otherwise, I will publish the results of my research. This approach promotes responsibility in the security industry and encourages developers to improve the security of their products.
After this, I received a notification from HackerOne, who supported the manufacturer. I re-scanned the site for the Blind-XSS vulnerability and confirmed its existence. As a result, I was able to obtain cookies and HTML code from the admin panel containing personal customer data.
I published video evidence on my YouTube channel, which led to mass complaints from the company. Despite this, my YouTube channel remained operational, but my Medium blog was blocked.
If the reward for a vulnerability is significant, a hacker can hire a notary to certify the page's source code, which will help in further defending their rights. Lawyer Mikhail Bozhor of the law firm Afonin, Bozhor & Partners notes that the cost of such a service starts at 10,000 rubles. Having the source code notarized provides legal protection and confirms the discovery of a vulnerability, which can be useful for both the hacker and the company looking to fix the problem and avoid potential consequences.
If there is a properly executed contract with the client, they will not be able to dispute the existence of a vulnerability in the event of litigation, the expert noted. This emphasizes the importance of legally correct contractual relations to protect the interests of both parties. A well-drafted contract not only serves as the basis for cooperation but also guarantees that the parties will comply with the terms of the agreement, which is especially important in the field of information security.
How I Made $10,000 on GitHub and What It Taught Me

For the past three years, I have been identifying vulnerabilities in information systems. Although my primary specialization is information security, it is not enough to successfully work in the field of bug bounty. I know many people who are changing their career paths, including a physician friend who decided to try his hand at ethical hacking. This field requires not only theoretical knowledge but also practical skills, which makes it attractive to professionals from various fields.
I recently discovered a serious vulnerability on GitHub that resulted in a $10,000 bounty. This vulnerability allowed unauthorized access to any account and remote code execution. I realized that if I had managed to exploit this bug before it was fixed, the potential reward could have been up to $30,000, as access to GitHub servers opened up even broader opportunities for exploitation.
I recently discovered a vulnerability on the Dyson website and notified the company about it. However, upon receiving a response, I learned that my discovery had already been registered, and its resolution status was "closed." I re-examined the vulnerability and was able to reproduce it, which raises doubts about the company's actions: either the vulnerability was never fixed, or I was denied the reward. Situations like these highlight the importance of a responsible approach to web security and the need for effective collaboration between researchers and companies.
For four months, I sought to prove my case in the conflict with the company and contacted HackerOne support. Unfortunately, the platform sided with Dyson, and the outcome of the dispute was in their favor.
