Ethical Hacking & Bug Bounty Hunting – Jessica Howarth, PortSwigger

[00:00:00] Jessica Howarth: Educate yourself on how to find the vulnerabilities, how to reproduce them. Once you've started learning a bit more about that, I would just say dive in at the deep end, don't let the fact that maybe you are not experienced or highly knowledgeable hold you back from having a go.

[00:00:20] Cyril Noel-Tagoe: Hello everyone. And welcome to Cybersecurity Sessions, our regular podcast exploring all things cybersecurity. I'm your host, Cyril Noel-Tagoe, principle security researcher at Netacea, the world's first fully agentless bot management product. Today we're going to be investigating the growing practice of ethical hacking for bug bounties.

At times it feels like cybersecurity is a race between attackers and defenders to find vulnerabilities to either exploit or remediate. Cyber criminals are relentless in their efforts. And as the number of attacks grows, businesses are increasingly recruiting ethical hackers to find vulnerabilities and exploits before the attackers can.

I'm excited to introduce my special guest for today's episode, Jessica Haworth. She's a cybersecurity reporter for the Daily Swig and has her finger firmly on the pulse of the latest bug bounty programs and developments. Welcome to the show, Jessica, thank you so much for joining us today.

[00:01:14] Jessica Howarth: Hi, Cyril. Thanks so much for having me.

[00:01:16] Cyril Noel-Tagoe: Before we get started, Jessica, would you like to quickly introduce yourself to our listeners?

[00:01:20] Jessica Howarth: Sure. My name is Jessica Howarth. I am a cybersecurity reporter for the Daily Swig. I enjoy writing about technical research papers, bug bounty programs, and I write about anything to do with the web security space, including hacking, community stories too.

[00:01:42] Cyril Noel-Tagoe: Brilliant. Right. So let's get into it. I guess to start with . Set the scene. What are bug bounties? Would you say it's about finding these zero day exploits before attackers do?

[00:01:53] Jessica Howarth: Absolutely. So, bug bounty programs are designed really to enable the good guys, the good hackers to, like you said, find these zero day exploits before the bad guys do. It's all about finding the vulnerabilities and patching them before they can be used by nefarious actors to cause damage, whether that's financial or network damage.

And bug bounty programs themselves are a great way for the good hackers to give back to the community, to give back and hack for good.

[00:02:30] Cyril Noel-Tagoe: ANd what kind of vulnerabilities are the good guys, the ethical hackers, typically looking for?

[00:02:36] Jessica Howarth: Well, you have two sorts. Really? You have the people who are not just doing it for monetary gain, but are maybe more focused on the big financial wins. So they would be your critical exploits, which might be... remote code execution is a big one. Cross site scripting bugs, that kind of thing, the vulnerabilities that will really damage a company if they fall into the wrong hands.

And we also have the lower severity bugs. So some ethical hackers might choose to look for a number of lower severity bugs, which might be easier to find but would pay out less rather than spending a lot of time looking for the more critical bugs.

[00:03:21] Cyril Noel-Tagoe: Right, right. If you look at the typical bug bounty hunter is there kind of a profile that fits them? How do you get into this? Who can be a bug bounty hunter?

[00:03:30] Jessica Howarth: Well, the good thing is that anyone can be a bug bounty hunter, you or I could start ethical hacking. We could sign up to a program and start doing it, you do need to have a certain level of technical knowledge. So you do need to know what these security vulnerabilities are that you're looking for.

You need to know how to find them and how to reproduce them so that you can prove to the platform or the company itself that this security vulnerability is present. But again, the really good thing about this is that you can learn this for free really. There are a lot of YouTube channels, for example, run by some fantastic educators who offer great training and great experience and knowledge that they can pass on.

And there are also a number of different training materials, different labs available online. So in terms of technical knowledge you don't need to have a degree. You don't need to have a computer science degree. You don't need to know how to do it in a professional capacity to have a go in terms of the fit in the profile.

The kind of person who I would say would be a successful bug bounty hunter would be definitely somebody who is persistent. You can't expect to... Well, it would be great if you started bug bounty hunting and within the first hour you got a $10,000 reward for remote code execution vulnerability, that's the dream.

But in reality, that really doesn't happen very much. So you have to be persistent. You have to be self-motivated because the bug bounty programs are voluntary and they are based on your own drive. You definitely have to be self motivated and you have to be somebody who enjoys problem solving and enjoys just kind of tinkering around and looking outside the box to try and find solutions that might not be particularly evident, first glance, it might take you a while, but it would suit somebody who ticked off all of those. I would say that it's really important to remember that qualifications are not a barrier in bug bounty hunting, anybody with the right attitude and with a thirst for knowledge and a thirst for success can have a go and can be very successful at doing so.

[00:05:59] Cyril Noel-Tagoe: I think that's great that you don't need a degree for it. And if you're the kind of person who's got that curious mindset, with the wealth of knowledge that there is on the internet, you'll be able to self teach yourself for that. And , once you've got into this, is this something that can become more than a hobby or is it just generally gonna be a side hustle? Are there any people who can make this actually a full-time income?

[00:06:19] Jessica Howarth: Absolutely. And there are people who do this as a full time job. There are definitely barriers for some people in turning this into a full-time job, the same barriers that would be for anybody who maybe struggles to give up a day job to pursue something that isn't stable by being a bug bounty hunter, you are self-employed.

So that can be a barrier for people. And there are some people who do it as a hobby who just enjoy it, who might use bug bounty hunting to learn more about ethical hacking, to learn more about security research, and they might choose to do it just for their own education. And of course there are people for the side hustle.

Like you might do it at weekends, evenings, earn a little bit of extra cash, but might not necessarily feel the need to take it on as a full-time income, but there are people who are very successful at it. Whose full-time job is a bug bounty hunter.

[00:07:18] Cyril Noel-Tagoe: That's really interesting. And especially what you said about people might be on the weekend, but like, if you get good enough, you can maybe move to full time. But I guess it's risky because you only get paid when you find the bounty, right? So you could go long periods of times without finding it, which is, I guess, why people would do it more of side hustle.

And then you mentioned, kind of, ethical hacker and... what would you say is the primary difference in motivation between someone being an ethical hacker and an unethical hacker?

[00:07:45] Jessica Howarth: I would say possibly the primary motivation from what I've seen tends to be around either... Money or, I mean, the clues in the name of it, ethics, I would say that in terms of an ethical hacker, they're not always focused on money. Obviously it's great to get a good bug bounty payout, and there are definitely people who it because it is lucrative, but a lot of the ethical hackers that I speak to, it's not always about the money.

A lot of the time it's... about Giving back to the community, about contributing towards making the internet a safer place for everybody and about having fun and being part of something bigger. Whereas unethical hacking, it's the people who have a nefarious motivation. So, like I said, monetary. An unethical hacker could hack into an organization's network, steal their data, sell it on the dark web.

They could hack into their networks for a means to place ransomware there, and potentially get a great big ransomware payout from that. And they could also use security research to find zero-day vulnerabilities, not to report back to the company, but to sell on to brokers. And there are companies who deal in brokerage with zero day exploits.

And I guess the motivation between whether an ethical hacker and an unethical hacker would go down that route would in my mind be monetary. You can make a lot of money off finding these exploits that will be taken and used in a negative light rather than a positive. You obviously have unethical hackers as well, who it might not be monetary.

It might be revenge. We see this kind of stuff with, kind of more lower level, distributed denial of service attacks against big companies, or, we sometimes see former employees gaining access to the networks of their employers for revenge reasons.

But if I was to hazard a guess the main primary motivation I think money is an easy way to differentiate the two.

[00:10:02] Cyril Noel-Tagoe: Yeah, and money can be a great motivator, in terms of kind of some of the bug bounties. I've seen advertised. I've seen some very large bounties, like some, even in the seven figure range. How often are these large ones paid out compared to the lower level ones?

[00:10:17] Jessica Howarth: It's definitely more rare for these bigger ones to be paid out. And I think that's evident in the fact that it often makes headlines when they are paid out. It would be really interesting actually to see if there was some sort of research data between how often these companies advertise these seven figure payouts and how often they're actually paid out.

Because like you said, you often see them offering this, but in reality, I would probably say in my four or five years of reporting within the web security beat I've probably seen these seven figure payouts actually being paid out, four or five times. Yeah. I can count on one hand how many times that I've seen it, but that doesn't necessarily mean it isn't happening, I guess it just depends on... also, whether this is disclosed. A lot of the time on bug bounty programs , there is an agreement that it can be disclosed responsibly of course, and that the figure can be disclosed. But, I'm not 100% sure that there are cases where it's not.

[00:11:23] Cyril Noel-Tagoe: Yeah. Yeah. I guess sometimes if the motivation is really just to help out, you might not want the attention being drawn to you of your name and the headline of that figure being paid out to you. So that kind of makes sense. And also kind of putting those large bounties out if you, you know, that only the very top tier bug is gonna qualify for that bounty, you can get a nice headline and know that you might not have to pay that amount out, hopefully.

[00:12:04] Cyril Noel-Tagoe: So, one of the biggest benefits that I see for businesses with bug bounties over kind of your traditional penetration testing is that it offers you kind of continual assessment of your environment rather than the old once a year model. Do you think this is a reason that bug bounty hunting is growing?

[00:12:19] Jessica Howarth: Yeah. I definitely think that it contributes to it. For businesses, like you said, instead of a once a year, kind of, box tick exercise of, we'll get some penetration testers in, we'll pay them for this specific work, we'll pay them for these specific hours, whatever they find, we will then take forward.

It's a whole different... it kind of flips it on its head where these businesses aren't having to pay security researchers for their time. Instead, they're paying them for their outcomes. So there's not a rigid set... You have five days a year to, to scan all of our networks and find everything that you can.

So there's that part of it that they are paying out for success rates rather than time spent. There's also the side of it that as you said, continual testing, it's all good and well having penetration testers in say for five days, and then on the sixth day, somebody commits something that introduces the security vulnerability.

Do you then have to wait until the next cycle that you have planned for penetration testing for somebody to find that? It potentially leaves security vulnerabilities exposed for a larger period of time. Now that's not to say that penetration testing, isn't a great model. I think that bug bounty hunting and penetration testing can work really well together in tandem.

But I think it's definitely one of the reasons that bug bounty hunting is growing is this whole new idea of continuous testing. And I think it's just becoming a more widely accepted way of working as well. One of the great motivations for businesses could also be that you have access to security researchers from across the world in different time zones.

It doesn't necessarily need to be rigid and one company supplying everything for your security testing. So, yeah, I'd definitely say that the continual testing model is becoming a lot more popular from what I've seen.

[00:14:27] Cyril Noel-Tagoe: Yeah, you raised some really great points there. I know that a lot of organizations, when they're looking at kind of their penetration testing, they've got, maybe two or three different companies on a rolling schedule so they can get different opinions each time. But with the bug bounty, you actually open it up to different opinions once you open up the program. And also what you said about kind of outcomes focused instead of paying for time. I think that's a really good thing to draw businesses in who maybe have been on the fence about bug bounty programs. But what would you say to those businesses that are on the fence and that kind of perceive bug bounty programs to be too risky? I think that's a myth you hear quite a lot.

[00:15:03] Jessica Howarth: Yeah, definitely. And it's actually something that I have asked myself as a journalist. So I have my own podcast called 'I'm Scared of the Internet'. And one of my previous episodes I spoke to Inti from the bug bounty platform Integriti. And I asked him this specific question, and I said like, "how do you almost persuade companies that it's not too risky to have security researchers that they don't know testing their networks?" And he said to me that really it's all about the platform itself being the go between, being good at communicating with each other. And also the trust goes two ways. So firstly, the bug bounty platform itself, any reputable bug bounty platform will have verified these bug bounty hunters.

So they will have to supply government documents to prove that they are who they are. They will have to go through a series of checks so that the bug bounty platform can trust them and can trust that their actions are honorable before they're even able to partake in any programs. So that's one layer of trust that the businesses can rely on.

And there's also the two-way trust approach. In order for bug bounty hunters to trust the business, the business itself has to agree to something called safe harbor disclosure. So it's basically an agreement that the business is going to give permission to the ethical hackers to test certain areas of their website or their API.

They're given permission to do this and as a result, they know that this business, this organization isn't going to come after them legally. So computer hacking laws are different across the world. In the UK, for example, they are very outdated and it is possible for a business to prosecute under the computer crime act.

It's possible for them to prosecute someone even when they have good intentions. So trust is a two-way street, these bug bounty platforms are tried and tested with ways to verify the good guys are actually the good guys. So I think that takes the risk out of the equation.

[00:17:38] Cyril Noel-Tagoe: Yeah. And I think what you said about kind of making it safe for them to report is so important as well. As, especially if you've got someone who's, let's say they stumbled across something. If they feel like they're gonna be prosecuted, if they reported to you then it's something that someone to be able to figure out, someone else might be able to figure out who might not have the same kind of ethics. And maybe they would actually want to exploit it. But because the person who found it first was scared of reporting it. You, you haven't been able to fix it. So...

[00:18:05] Jessica Howarth: Absolutely.

[00:18:06] Cyril Noel-Tagoe: So, what's some examples of the top bug bounty programs that a budding ethical hacker can sign up to? Is there an easy way to find out about new programs?

[00:18:15] Jessica Howarth: Yeah. I mean, there are a number of very popular bug bounty platforms that stick out to me. And these are your HackerOne, Bugcrowd, Integriti, Unify. They're just some of the more popular programs. And one of the reasons that the more popular is because they've just been producing some great programs... and in terms of finding new bug bounty programs. I mean, I'm shamelessly gonna plug something that we write at the Daily Swig now, because I genuinely think that this is a great way to find bug bounty programs. We have a monthly feature called Bug Bounty Radar. And in it, we include information of all of the new bug bounty programs from across the different platforms that have launched with the maximum reward, any notes of caveats or things that you need to know before taking part, and also it points you directly to the program too.

So obviously. Shamelessly, I would say Bug Bounty Radar from the Daily Swig, but I would also suggest Twitter as a great way to find new bug bounty programs and to find the kind of communities that you want to be involved in. So because bug bounty researchers are self-employed, a lot of the time you don't need to be loyal to one particular platform. They all have different programs. You can maybe go with HackerOne and Bugcrowd and then maybe check out Integriti, they're based more on the European side. But a lot of these platforms have very strong communities within them where people are proud to hack for a certain one. So I would suggest having a look on Twitter for new programs, for getting involved in the community itself. And for just checking out other people's successes and other people's methods of finding these bugs, you often find that a lot of hackers once there's an agreement that they can disclose the bug and the technical details about the vulnerability that they found, a lot of them post it on Twitter. So yeah, they would be my top recommendations.

[00:20:40] Cyril Noel-Tagoe: Awesome. And is there any last pieces of advice you'd like to give anyone interested in ethical hacking?

[00:20:47] Jessica Howarth: I would say, just give it a go. Just have a look for... if the only thing that's stopping you is the technical knowledge, then there are some great YouTube resources, like I said previously. There are some great online courses on how to find web security vulnerabilities. Have a look around, search around. Educate yourself on how to find the vulnerabilities, how to reproduce them. Once you've started learning a bit more about that, I would just say dive in at the deep end, everybody who starts off in this industry starts off as a newbie. Everybody needs to build up the experience and the technical knowledge.

So don't let the fact that maybe you are not experienced or highly knowledgeable hold you back from having a go. I would encourage anybody who has a curious mind who wants to learn more about it to, yeah, just give it a, go follow some great security researchers on Twitter. Check out... #bugbountytips is a great one where you do get a lot of people from the community posting their tips and advice. And just, yeah, just immerse yourself in it. Have a go see if it's for you.

[00:22:12] Cyril Noel-Tagoe: Some great advice there. Give it a go and check out bug bounty tips, the hashtag. Well, thank you very much, Jessica. Before we let you go, you mentioned earlier you have your own podcast, 'I'm Scared of the Internet'. Could you just tell our listeners a little bit more about that?

[00:22:28] Jessica Howarth: Absolutely. Yeah, so my podcast, 'I'm Scared of the Internet', it's a cybersecurity podcast for people who don't necessarily know a lot about it. I started it as an educational podcast to give people a bit more knowledge and advice on how to be less scared of the internet. So that's everything to do with how to protect your data, to what is ethical hacking, and yeah, it's for people who are curious, but might not necessarily know where to get the answers to these questions.

[00:23:09] Cyril Noel-Tagoe: Awesome. And you said you had an episode on ethical hacking on there before. So any interested listeners who now we've peaked their curiosity can go there to find out more.

[00:23:18] Jessica Howarth: Absolutely.

[00:23:19] Cyril Noel-Tagoe: Perfect. Well, thank you again, Jessica, for sharing your time and your insights with us, I've really enjoyed learning more about bug bounty programs. And I, you know, I might even try some myself.

[00:23:30] Jessica Howarth: You should. You should.

[00:23:32] Cyril Noel-Tagoe: And, and thank you to all our listeners for tuning into this episode of Cybersecurity Sessions. If you've enjoyed this podcast, please be sure to like, and subscribe or leave a review on your podcast platform of choice. We'd love to get your feedback.

You can also get in touch with us via our Twitter @cybersecpod or by email to podcasts@netacea.com. Thanks again for listening and we'll see you again next month.