CarahCast: Podcasts on Technology in the Public Sector

How Security Researchers Strengthen the DoD's Security with HackerOne

Episode Summary

Listen in to hear Corben Leo, a Security Researcher from the Hack U.S. program, discuss some of the results. In addition, you'll learn some key differences between VDPs and bug bounty programs to better understand what each program can do for your agency.

Episode Transcription

Corey Baumgartner 

Welcome back to CarahCast, the podcast from Carahsoft, the Trusted Government IT Solutions Provider. Subscribe to get the latest technology updates in the public sector. I'm Corey Baumgartner, your host from the Carahsoft Production Team. On behalf of HackerOne, we would like to welcome you to today's podcast, focused on the differences between a vulnerability disclosure policy and a bug bounty program. Alex Rice, Chief Technology Officer at HackerOne, and Corben Leo, an ethical hacker from the Hack US program, will discuss how HackerOne's Hack US program has performed, to better understand whether a bug bounty or a VDP program is the best fit for your agency.

 

Alex Rice 

Corben, how did you get started? What motivated you to start? Walk us back to the origin, how you went down this path.

 

Corben Leo 

Yeah, so I didn't even know what hacking was. So, it started when I was a freshman in high school. So, I went to a private school. And we were given laptops to do schoolwork on. And so, like there's a student account, and then there's like the admin account, we like couldn't go on the admin account, obviously. But there are these applications installed on these laptops that like wouldn't actually let you go on like YouTube or Twitch, or like all these like Flash game websites. So, like, we couldn't play video games during school. And obviously, you know, as a freshman in school, who like doesn't really enjoy learning about math and stuff, like, obviously you want to go on all these sites. So, I figured out after a bit of googling that you can just restart the computer. And when like, you'd reboot it, you could just like hold two keys down, and it would boot you into what was called like single user mode. So basically, it would boot into like a terminal with root privileges. And obviously, I had like, I didn't even know what I was looking at. But I just followed these like steps online. And so, you could like delete a file, restart the computer, the computer would think it was a brand-new computer and then you could just like type in the username and password for like a new account. And so, I did it to like all of my friends' computers, we were living the life, just like playing video games and whatnot. And little did I know that the like the school IT guy could see every single person's screen. So, he's like sitting in his office like looking at all the screens, and like he sees like five kids just like playing video games in class. So, I wasn't, I didn't really like play video games that much. But all my friends were doing it. So, they got like, pulled into his office and like into the principal's office. They held up for a little bit and eventually got snitched on. And I got in trouble for hacking. 
I'm like, I don't even know what hacking is like, I just wanted to play video games, or just like really, I just wanted to watch like YouTube videos and just kind of like, do whatever I wanted. So yeah, I got in trouble. I got a couple of detentions for hacking. And then it kind of just put me down this like rabbit hole of oh, what what's hacking? Like I had a ton of fun doing that, even though I got in trouble. And it was just this like curiosity that really, yeah, inspired me and motivated me to learn more about it. And I didn't even know that it was like a career field. Like, I was just like learning what hacking was like doing it to like, random websites. And then I stumbled across HackerOne. I'm like, wait, what, like people get paid to do this. Like legally. There's a whole career field. So yeah, the rest is the rest is history.

 

Alex Rice 

That's awesome. I'm glad it was a local detention only. You touched on this a little bit at the beginning. But I think it might be good to get a little bit more into some of the broader misconceptions that people have about that, because you've kind of touched on their intent and their ethics, like where they get started. But what are some of the other misconceptions people might have about what goes into ethical hacking?

 

Corben Leo 

There's a lot of different misconceptions. I think that what's been portrayed too is like, oh, there's these just like nerdy guys. But there's like a lot of just like, really great women security researchers, too, that are like actively doing bug bounties. So, there's like misconceptions about like, the sex of people that do them. Yeah, like I said, with like, just the very stereotypical, like motivations as well. Um, some people think that people just hack because of monetary rewards. Also, I think that a lot of people actually do hacking, because it's just a challenge. And it's fun to them. It's just like a big puzzle. And people really enjoy the curiosity and the whole process of creatively overcoming like certain obstacles.

 

Alex Rice 

What type of tools do you use to assist you in the process?

 

Corben Leo 

I think this is pretty standard for everyone. But I mostly just use Burp Suite. So that's just like an HTTP proxy. So, you can see basically all of your network traffic that your browser is generating when you're visiting websites. I use tools like, I don't know how you pronounce it, like ffuf, which basically can do directory brute forcing and like guess files, and I use my tool that I wrote called gau, or get all URLs, to see what's on a website. I think those are basically the only three tools I really use.

 

Alex Rice 

Leaning on your creativity there. 

 

Corben Leo 

Yes, my creativity. Yes. 

 

Alex Rice 

Cool. Want to give us one more example of an interesting or impactful bug you've found? It might be hard to top hacking a train cable.

 

Corben Leo 

Uh, yeah. There's two I can think of in particular that were submitted to the same company. And it was before and after, actually, a HackerOne event in Las Vegas, I think it was in 2019. So, one of them was, it was a really big company, we found this application that was online that should have been online. If you entered the person's email, you could look at like exactly where they were, when they were using the application, you could get all of their like authorized authorization tokens, it was like god mode of like something, I don't know, some sort of internal application that they used to look at all their customers' stuff. And it was like, I could just do anything I wanted to anyone and like see exactly where they were logged in, I could like basically use that to get access to their email inboxes. I can't talk too much about that. And then the other one was, I was looking at something the night of that event, the event ended and the next day I was in the airport, waiting to fly back home. And I found another vulnerability that let me change news headlines. Basically, I could publish anything to this news website and modify any news article that this news site had ever published. So that was also a very, very impactful and interesting vulnerability.

 

Alex Rice 

I'd love to hear a little bit about, you kind of told us you're working on a few DoD programs. Can you tell us a bit more about that, like, how did you get started? Walk us through your relationship with the DoD programs.

 

Corben Leo 

One of the first programs that I learned to actually hack on was the Department of Defense's vulnerability disclosure program. Basically, if you found, or do find, any vulnerability in any military website, you can report it to this program, and it will get fixed eventually. So, I started learning to hack by hacking the military, basically, and that was very, like, instrumental in me becoming like the hacker I am today. And eventually, that turned into the Hack the US programs. So these are just programs that they ran for, whether it'd be months or weeks, but basically, the Department of Defense partnered with HackerOne to run all sorts of programs out there, it was like Hack the Air Force, Hack the Army like 2.0, 3.0, they have like Hack the Pentagon and the Hack the Proxy challenge. So, yeah, I won Hack the Army 2.0, I won 3.0, and I won the Hack the Proxy challenge. Oh, and those ones were like bug bounty programs. So, they did pay you for vulnerabilities you find. So that's different than the traditional vulnerability disclosure program, where you see something, you say something, basically, it's just a way for you to submit a vulnerability to help them fix it. Whereas the bug bounty programs are inviting a select amount of researchers to find vulnerabilities and get paid for them, on sometimes a smaller scope.

 

Alex Rice 

Yeah, I thought I'd share a few quick stats on the DoD vulnerability disclosure program because it's hard to appreciate the scale that program is operating at. Like it really is any site owned by, it's a huge scope. Any IP address in the DoD's IP ranges, any .mil, any of their military .gov sites on the civilian side, a huge scope out there. They've been running this program without any type of economic rewards for, I think, coming up on eight years now; I might be off by one or two there, their classic off by one or two. But it's had incredible impact on DoD. Since then, there's been over 40,000 vulnerabilities in that period of time identified by independent third parties like Corben, a little over 3,000 independent researchers have participated in that process from all over the world for a ton of different reasons. And the program is expanding quite a bit. Last summer, they kicked off a pilot on expanding scope to the defense industrial base, which is effectively all of the DoD's IT supply chain, which had similar results across a much wider scope of companies that support it. And so it really goes to show you that without any type of monetary incentive, just by offering a submission process and, most critically, a safe harbor statement, which gives folks like Corben confidence that they're not going to end up on the receiving end of any type of law enforcement action, you can get some incredible results. And then we can talk a little bit about it differently. But there's these parallel programs that the DoD runs that are all bounty programs where Corben is actually getting paid. And those are like really focused towards specific objectives. Corben, I was hoping, rather than talking about just the differences between VDPs and bug bounty programs, I was hoping you could talk a little bit about the way you interact with those programs, like, what do you look for in a VDP? What do you look for in a bounty program? 
Why do you decide to participate in one program versus another? Talk a little bit about the distinct motivations you have between those two types of programs.

 

Corben Leo 

Yeah, for sure. So, the motivations, obviously, differ a bit. So, I think that the larger Department of Defense vulnerability disclosure program is really good to hone in on your skills and try new things. So, because the scope is so big, there's so many different technologies running on all their different websites. So, it's a really good place to learn and just work on your methodology. At the same time, obviously, you're helping the perimeter fence become more secure, which is great. It's also really good for working on any tooling or automation. So, I have lots of friends that also do bug bounties and a lot, lots of them have some tooling or automation they use and they like that program to test their automation to see how well it works and like how effective it is at finding vulnerabilities. And so, it gives them the opportunity to build tools to help them hack and become more effective, while at the same time, you know, like protecting the Department of Defense. So, the vulnerability disclosure programs are really good for learning, trying new things and like working on like tooling. And then these focused bug bounty challenges are very fun, because you can do similar things, and really, actually test your skills and see how well you can perform. And on a more structured scope, it's more of a competition than the vulnerability disclosure ones. Because when you submit a vulnerability to a vulnerability disclosure program, you know you're not going to get rewarded. So, if you submit a vulnerability that someone has already submitted, you get a duplicate, it's not really a big deal, because you aren't gonna get paid anyways. Whereas in a bug bounty program, if you submit a vulnerability, and someone else had already submitted it, you don't get rewarded for it. So, it adds more of a competition aspect. 
Because you want to be the first to find this vulnerability and the first to report it, so it's really fun and a lot more challenging and makes you work a lot harder on the program. So, I'm far more incentivized to spend my time doing a bug bounty program, because you know, like, there's a reward for me there. So, these programs are a lot more effective than vulnerability disclosure programs at getting attention towards like specific assets, or whatever they have in scope, and whatever is priority to them. 

 

Alex Rice 

I'd love your opinion on how experienced you need to be before starting to think about bounty programs.

 

Corben Leo 

That's a great question. I think that you need some experience and just understanding kind of how like websites work, or just how the web works. So, like, there's the Hacker101 course, there's the PortSwigger Web Academy. As long as you can go through those, I think you're good to go. I think that learning by doing is one of the best ways to learn. Because as you're going through, and like trying to do a bounty, you'll understand where the holes are in your knowledge, you'd be like, okay, I'm really confused right now, I need to go back and learn this thing. And I need to review this. So, I would say you don't need a ton of experience. But you just need some basic fundamentals, like the building blocks that are necessary in order to do them. But I think that you need to try before you think you're ready to try, because you'll learn far more than you would have just by going through a little roadmap or, you know, taking a ton of courses. Yeah, absolutely.

 

Alex Rice 

Thanks for the plug. There's a free tool, Hacker101.com, that we put out for not just bug bounty programs but any type of offensive security research. If you're interested, I think that's a great place to start. If you fare well through the Hacker101 courses, you'll probably be well set up for finding things in bounty programs. Also, one other tip that I would add on there, for folks getting started, other than just experience and skill set, for your first bounty programs: there's so many of them out there that target something you're interested in, like either a company that you care about, or a tech stack that you're interested in, or a branch of the armed services that you resonate with. Try to find the ones that you have a little bit more motivation for, because really, Corben touched on it earlier, if you have some inherent curiosity about the thing you're trying to hack, it'll be a lot more effective than just experience and skill set. So, I would try to mix the two together. Start from kind of the baseline experience, but then really ask yourself, is there anything out there that you're kind of curious about how it works, want to learn more about, or want to partner a little bit more with the organization? I think you'll have a much better time getting into your first bounty program.

 

Corben Leo 

Yeah, that's a really great thing to add too, because it can be pretty discouraging. I think like it took me 10 months to get my first bounty, which is like way long compared to like what some of the other hackers were, but it just kind of showed like, I wasn't extremely, extremely experienced going into it, but just having the motivation and the curiosity, just like, okay, well, how does this work? And like, how can I break this specific thing? It just takes a lot of time just going through things and wanting to do bounties for the sake of doing bounties, rather than, like, whatever financial reward might be at the end of the tunnel. So, I think that's also a very important aspect to it is, I guess, why are you wanting to do it, and then just, you know, just enjoy the process of learning rather than what might happen from, you know, like getting rewards and whatnot. So, I think that's really, really important.

 

Alex Rice 

Cool. Let's talk a little bit about the civilian branches of the government. The DoD kind of stands alone in the maturity of their relationships with security researchers, they've got a pretty advanced VDP there. There's a few others that are leading the way there, like GSA's programs are pretty advanced, CISA has a pretty mature program, and you're seeing more and more every agency start to set these programs up, especially as some regulations start to require it. I'd love to hear any advice you have for folks that might be at one of these agencies. What would you encourage them to keep in mind, what's important for them to be thinking about if they're going to be setting up these types of programs outside of the DoD, in the civilian branches of the government?

 

Corben Leo 

I think it's good to kind of start small and test how things will go, because I think it can be dangerous to go all in if it's your very, very first experience doing like a bug bounty program. So, I think that, for instance, like HackerOne has a lot of private programs that are running, there's been a lot of cities and other branches of government that have started out with private bug bounties. So, they can invite high quality researchers to find vulnerabilities in applications. And I think it's also very important to determine which applications you want to start with in scope, and focus on figuring out like, what has the biggest business risk, like your marketing websites probably aren't as important as like maybe a payroll application that has social security numbers in it. So, you have to figure out like, what's really important to your organization? What is the worst-case scenario, like what data would be the worst case to be leaked? And then like, where does it live, and kind of trace that back to your attack surface and say, okay, we want application A, application B, application C to start out with, and we're gonna invite, like, maybe 20 to 60 researchers to come try to find vulnerabilities in this. It doesn't even need to be that, it doesn't really matter, but running just like a smaller bug bounty program and kind of refining and getting used to the process. And then gradually launch towards something bigger, where you can have more stuff in scope. But at the same time, I think it's very important to have some sort of channel to submit vulnerabilities through, because there's a lot of other people who aren't bug bounty hunters that might stumble across vulnerabilities, and they need a place to report them still. Because if they don't have that safe harbor, they're gonna be worried about like, okay, well, is it even legal that I might have like, accidentally stumbled across this vulnerability, but I still need a channel to report it. 
And they're worried about like real legal repercussions of that. So, I think that's also very important. Like, it is important to have the VDP. But for more, so the bug bounty side is like maybe start small, but you also need to have a channel to report vulnerabilities. So, it's like kind of two sides of the spectrum. Yeah, I'm sure Alex, you can add more to that.

 

Alex Rice 

That's wonderful. I think I'd mention a resource there. Because one of the things the government does really well compared to private companies is the amount of transparency that they have through these programs, and reporting. In particular, if you're thinking about setting up one of these disclosure programs, or having a formal process to receive reports from folks like Corben, really check out all of the data and the annual reports that the DoD has published on their programs. So, if you search for the DoD VDP program, they do both an annual report, which goes into a ton of detail on how the programs work for them and lessons learned, and they also do monthly bug bytes, which are a bit more kind of a heartbeat on what they're seeing month over month. And it's a level of transparency you will find in other areas and can really give you a sense of how the programs are working or what type of activity you might expect in a program like that. So, I think I'd plug that resource for anyone thinking about it. We've talked about Hacker101 earlier. Are there any other specific courses that helped you build your foundation? Anything else you'd recommend?

 

Corben Leo 

That's a good question. I think that when I was starting out, there still weren't a lot of courses like there are today. I watched a lot of YouTube videos, just like weird electronic music, just figuring things out. But now there's tons of courses nowadays, something that I guess would have been nice to have years ago, but I think yeah, like I said, the PortSwigger Web Academy is free, open source, and that's really, really good to get hands-on experience, and they're just like really good labs, material to go through. I think there's like PentesterLab. There's all sorts of courses that are out there nowadays. I think web security one, PortSwigger and PentesterLab are two really, really solid courses.

 

Alex Rice 

I think one of the great things about getting into this in 2023 is the diversity of different types and formats that you have out here for learning materials. I'd also plus-one the ones that Corben just mentioned. For folks who are a little bit more into personal storytelling, I follow a bunch of researchers on the various social networks. And also, if that's your type of format, there's quite a few researchers that do Twitch live streams of their actual hacking, which quite a few people find as more representative of what they really go through, because they're kind of talking out loud and walking you through the mentality, not just showing you the tools, which can be a little bit prescriptive on it. So, I'd plug those, like NahamSec, and security-oriented Twitch streams. And then the last note I'd make on this is really respect the foundational stuff here. Some of the best knowledge you can gain has nothing to do with security at all. Oh, development, scripting, getting it, oh, frameworks, understanding open source, like the things you learn in how to build software, and how software is built, is often just as important, if not more important, than the knowledge on how to break software.

 

Corben Leo 

I think maybe one misconception as well is, obviously, you don't need to have technical know-how to like find vulnerabilities. But I really agree with you there that you really do want to have a really strong base layer of knowledge, right? In order to like break something, you first need to understand how it works. And you can understand, or gain that understanding, by doing development. That's one thing that really helped me become a better hacker than I was, was learning how web applications work, how all these like little pieces work together, how applications are deployed with different microservices. So, I think it's really important. It might be dry at first, but it's really about just like loving the process and just having curiosity, but what I keep going back to is just understand how things are made. And once you understand that, you can be like, oh, well, that is made like this, but like you can circumvent that, and there's something wrong with that. And I guess that's really what hacking is, just seeing how things work, and then finding ways to get around it, so you can break those things. So yeah, I think that's a very, very important piece.

 

Corey Baumgartner 

Thanks for listening. And thank you to our guests, Alex Rice and Corben Leo. Don't forget to like, comment, and subscribe to CarahCast, and be sure to listen to our other discussions. If you'd like more information on how HackerOne can assist your organization, please visit www.carahsoft.com/hackerone or email us at HackerOne@carahsoft.com. Thanks again for listening and have a great day.