As home to more than 90 million developers, GitHub is heavily invested in ensuring that the code developers create and use every day is reliable and secure. Our bug bounty team is constantly focused on driving improvements to how GitHub develops secure software, so that developers on our platform can innovate with more confidence than ever before.

Since its launch in 2014, GitHub’s Bug Bounty program has expanded our ability to deliver secure products beyond what we could achieve without the help of our external security researchers. We’ve continued to grow and expand our bug bounty program, focusing on engaging with our researchers and the security community. This year we hosted a live hacking event in June that was filled with awesome bugs, custom giveaways, and good times connecting with the research community. We also met with several of our researchers at DEF CON 30 to catch up, share insights on our program roadmap, and gather feedback. We’ve also started sharing our monthly program stats on @githubsecurity to give the security community insight into our program!

To wrap up Cybersecurity Awareness Month this October, we’re interviewing one of our researchers to learn more about their experience hacking GitHub. ahacker1 specializes in IDOR and other forms of improper access control and has found some very interesting and complex problems during his research!


How did you get involved in the bug bounty? What keeps you coming back to it?

I started by finding and reporting bugs (non-security issues) in an app I used frequently. Then I found out about the app bug bounty program and decided to try to get a reward.

It’s great to find vulnerabilities and I love the sense of accomplishment. I also love the creativity involved in finding vulnerabilities and am also motivated by the huge bounties.

How do you monitor and learn about vulnerability trends? Are there any particular accounts or blogs you would recommend?

I check Twitter often and read a lot of security blogs.

I recommend reading blogs from https://portswigger.net/research/james-kettle; they are very detailed.

What are your favorite bug classes to research and why?

My favorite class of vulnerabilities to research are improper access control vulnerabilities, because it often takes a certain amount of creativity and out-of-the-box thinking to find one on GitHub.

You have found some complex and significant bugs in your work. Can you talk a little bit about your process?

I usually start by focusing on one or two GitHub products/features at a time and try to gain an overall understanding of the product. This allows me to think of multiple possible (clever) ways a bug could exist in the function I’m then testing.

You participated in our live hacking event (H1-512) earlier this year. Can you talk a little bit about your experience at the event?

Overall the experience was great. I loved the opportunity to collaborate and interact with other hackers. I also enjoyed the increased premiums and competition.

Do you have any tips or recommended resources for researchers looking to get involved in the bug bounty?

I would suggest reading a lot of bug bounty write-ups to learn more about each class of vulnerability. Additionally, when reading a write-up, it is also important to learn how the hunter approached the target.

I also think that when you’re trying to find your first vulnerability, it’s important to be consistent on a target.

Do you have any social media platforms you’d like to share with our readers?

My Discord is ahacker1#3814.


Thank you, ahacker1, for participating in the GitHub bug bounty researcher spotlight! Every submission to our bug bounty program is a chance to make GitHub, our products, and our customers more secure, and we continue to welcome and value collaboration with the security research community. So if this has inspired you to go bug hunting, feel free to report your findings through HackerOne.

Interested in helping us secure GitHub products and services? Check out our open roles at https://github.com/about/careers!


Cybersecurity spotlight on bug bounty researcher @ahacker1