A Bug Bounty Hunter Tells All
09.19.2018

When companies started offering hackers “bug bounties,” or cash rewards for finding vulnerabilities, Frans Rosén, a security advisor at Detectify, saw an opportunity. Not only could he earn some money for the security automation software company, but the experience would offer a chance to do some research and development as well, since Detectify’s software would look for any issues he found that could be automated.

Today, high-profile blockchain projects like Ethereum, Augur, and EOS regularly set up their own bug bounty programs—some of which pay out hundreds of thousands of dollars—to catch security gaps before they can be exploited. Rosén sees bug bounty hunting as a hobby, but it can be a lucrative one: he earns around $300,000 for his company finding potentially dangerous cracks in code. That said, finding bugs for cash rewards is certainly not a get rich quick scheme. It takes a lot of time: Rosén typically spends 20-40 hours a week on it for about three months at a time, and then he takes a month and a half break until something pulls him back in again. He has attended invite-only events with specific companies to collaborate with other hackers and find bugs for them, and those take additional preparation time.

Bug bounty hunters are often developers or penetration testers, and Rosén credits his work coding in bug-infested software like Flash and PHP as helping him develop the ability to find security vulnerabilities. BREAKER spoke with Rosén to learn more about what successful bug bounty hunters do. This interview has been edited for brevity and clarity.

What are typical bug bounty payouts?
I make an average of around $1,000 a bug, but that that doesn’t mean I get thousand dollars every time. I could get $12,000 for one bug and fifty bucks for another.

What was the most you’ve ever made on a single bug?
My maximum reward was $30,000 for one bug, which was amazing.

What was it?
I was able to gather a bunch of login information to a company’s Salesforce. Salesforce is like a CRM on crack; you connect your whole business to Salesforce. They had software connecting to Salesforce, and I was able to get the credentials for that software. I sent the report to them saying, “I am now as an administrator of your whole Salesforce account, and I can see everything.”

That sounds like a pretty big bug.
They’re an IT company. They are on the stock market. If it had gotten out, that would have been a major disaster for their company. The impact was so big that they paid the maximum amount they’ve ever paid. For a long time, it was the highest bounty on
HackerOne, I think it was for at least three years, but now the highest bounty paid out is $100,000.

Have you done any cryptocurrency-specific bug bounties?
I did some when bitcoin really started to bloom about three years ago, when it was around $100 or $150 (per bitcoin). My worst memory of a cryptocurrency bounty was basically getting remote code execution on a bitcoin exchange, which is the worst thing you could ever get, and they paid me I think it was 0.0002 bitcoins, which was twenty bucks back then, or even less. If you would look at it today, there would probably be a huge difference, but back then bug bounties were a new thing, so people didn’t understand what was expected. I don’t hold any grudges, but I think they actually got banned from the platform they were on because they were not paying out as they promised.

What was the most dangerous or craziest bug you ever found?
The worst one I looked at was a password manager that had a hard-coded password in the application, which was weird. It turned out that they had an external team for quality assurance. They hired a company that was supposed to test the application and make sure that no bugs were in it. To make it easier for them to create accounts, they had a hard-coded password you could use to get in if you used a specific email format. They had two-factor authentication, but they also had a link that would show all the two-factor authentication codes for these emails.

I started looking at the test site, and I saw that they had a bunch of QA people signing in every day, and I saw the email addresses. I tried one of the email addresses for their QA team, and I got in, and that person had tested the password manager toward the company’s own internal systems. So basically, I could bypass two-factor authentication inside someone’s account to a password manager’s own internal systems. I could access their ticketing system. When I told them, they told me they would never allow me to mention the name of the company in any way, because that’s the core business of the company and they were being exposed so badly.

Any others come to mind?
Another one was when I was looking for vulnerabilities related to Python. I found a framework that had a debugger, and the documentation said it should never be used on production machines. I found out that if you had the debugger enabled, you could go to a URL on the website and write Python code yourself, and the Python code would run, which is really bad. Someone could write Python code to extract whatever they wanted on that website. I started looking at sites that had this debugger running, and I found thousands and thousands and thousands of companies. One of them was Patreon, and they [allowed] responsible disclosure, so I sent them an email. It took them five days to respond to me, and when they did, they said, “Yeah, we know, we should probably fix that, we’re thinking about moving that.” That’s not the way you react when someone sends you a remote code execution, but I couldn’t do anything else, so I just hoped they’d fix it.

Five days later, I look at Hacker News, and the number one post was a security announcement from Patreon saying they were hacked due to a developer environment. When I saw that, I knew exactly how they got hacked. It must have been someone who was looking for the same thing I was, but instead of telling the company, they leaked all the data to everybody. There were 2.2 million users exposed.

The good thing with us disclosing this vulnerability was that the debugger software itself actually patched the vulnerability forever, so it’s not there anymore. You wouldn’t imagine how many companies had this exposed, so there was no way we could ever contact all of them responsibly.

Recommended reading for aspiring bug bounty hunters: