The GitHub bug bounty team is excited to kick off Cybersecurity Awareness Month with a spotlight on two talented security researchers who participate in the GitHub Security Bug Bounty Program.
Security is core to GitHub’s mission, and our bug bounty team is continually focused on driving improvements as to how GitHub develops secure software. Since its launch in 2014, GitHub’s Bug Bounty program has amplified our ability to ship secure products beyond what we could have achieved without the help of our external security researchers. It’s also consistently been named a top bug bounty program by researchers. In the past year, we have grown our internal bug bounty team, working hard to also expand the existing program, including identifying new ways to engage with and further build our bounty community. To celebrate Cybersecurity Awareness Month this October, we’re interviewing a few of our researchers to learn more about their experiences hacking GitHub.
In our first interview, we’re excited to highlight two top contributing researchers to GitHub’s Bug Bounty Program: Robert Chen (@chen-robert) and Philip Papurt (@ginkoid), who were recently acknowledged in our write up on vulnerabilities they found in tar and @npm/cli/arborist. We interviewed Robert and Philip to learn more about their methodologies, techniques, and areas of interest for participating in the GitHub Bug Bounty Program.
Robert: As for learning, I was vaguely interested in security from a young age. I liked the idea of breaking software. Starting in high school, I participated in cybersecurity competitions, like CyberPatriot and CYBER QUEST, but the most impactful for me, personally, was probably picoCTF (https://picoctf.org/). This competition provided a gentle introduction and a fun environment to learn about many fundamentals of cybersecurity. After a few years of participating in CTFs, I decided to try applying what I learned to the real world, and I started doing bug bounty hunting through HackerOne. I think the best way to learn is through practice, and reporting vulnerabilities definitely helped teach me how to apply theory to the real world.
Robert: XS-Search is a really interesting bug class, and I know there’s a lot of active research in this field. It’s primarily an architectural issue, so it’s in a bit of a funny place. I think XS-Search vulnerabilities often do have legitimate impacts, but they’re often quite difficult to remediate, making them not very suitable for bug bounty programs.
XS-Search illustrates one of my fundamental beliefs about bug bounty. You can’t just find the bug, you also need to show how to fix it.
Philip: I like content security policy (CSP) bypass bugs a lot. There’s so many ways in which a CSP can be subtly vulnerable, and it’s always fun to figure out how to attack them. In addition to bug bounty, there are lots of challenges in capture the flag (CTF) competitions that have great (although sometimes contrived) CSP issues. After investigating CSP issues for a CTF challenge, I found some security bugs in Chromium! https://crbug.com/1115628
Robert: Interesting targets, attentive triage, and big bounties
Philip: GitHub has lots of complex products with room for fun and subtle issues—very few products are just regular CRUD apps. GitHub Codespaces was especially interesting to work on, and we spent lots of time understanding its authentication flows and trying to pivot from the Codespaces VM.
Robert: Probably to take nothing for granted. It’s exciting being able to find bugs in such widely-used products. Software that is widely used is not necessarily secure. It’s usually a good idea to approach targets without any preconceptions and just look for interesting interactions.
Philip: GitHub is rarely vulnerable to common web security issues. From researching GitHub products, I’ve learned that the best bugs can only be found by investigating the source code and understanding exactly how a service works. Subtle issues are always fun to work on and can sometimes be really impactful.
Robert: I get most of my information from Twitter. I tend to try and follow people who post interesting security analyses. If I find something particularly interesting, I also share it with friends.
Philip: I use Twitter to follow a few security experts and occasionally read Hacker News and some security-related subreddits.
Robert: Different people have different ways of looking at things. Often collaborating is helpful because it helps open up new perspectives. Especially with regard to vulnerability research, I think the sum is greater than the parts.
Philip: It’s really helpful to be able to bounce ideas off someone else, especially when looking for a way to exploit a bug or bypass some mitigation.
Robert: It might be tempting to learn about a bug class and blindly try it against every website, but I think it’s far better to first get a deep understanding of the underlying subsystems of whatever you’re pen testing. For example, the first step to finding bugs in web applications is to understand more about how the web actually works. This can be anything from site isolation to cookie behavior. Having strong knowledge in these fundamentals will make finding new bugs easier. Each bug is different, and interesting bugs show up in places with complex interactions.
Philip: I mostly agree with Robert here. Automated scanners won’t do much. Instead, beginners should really dive deep into a specific product or vulnerability class that they’re interested in.
Robert: My Twitter handle is @NotDeGhost.
Philip: I’m on Twitter at @ginkoid.
Thank you, Robert and Philip, for participating in GitHub’s first bug bounty researcher spotlight! Each submission to our bug bounty program is a chance to make GitHub, our products, and our customers more secure, and we continue to welcome and appreciate collaboration with the security research community. So if this inspired you to go hunting for bugs, feel free to report your findings through HackerOne.
Interested in helping us secure GitHub products and services? Check out our open roles at https://github.com/about/careers!