
Teen Becomes First Hacker to Earn $1M Through Bug Bounties - ohjeez
https://digit.fyi/teen-hacker-earns-1m-via-bug-bounties/
======
shiado
Pro tip if you are a startup and want free security advice. Just sign up for
all the bounty sites and for every single bounty just tell the submitter that
it is a duplicate bug and pay them nothing, then hot patch it immediately and
when they get suspicious tell them that their bug report had absolutely
nothing to do with the timing of your patch. I know there are companies that
do this because I have had it happen twice. There needs to be a bug bounty
site with some sort of bug escrow to prevent this behavior.

Edit: pardon the tone, I understand that these types of problems are very very
hard to solve because they aren't purely technical and involve humans.

~~~
tptacek
I don't doubt your lived experience, but for real companies, the economics of
ruthlessly withdrawing bounties don't make sense; bounties just don't cost
enough money to be worth picking fights over.

There are some patterns where I've seen people not get paid just on general
principle; for instance, people find systemic issues and, rather than
disclosing the root cause, try to claim bounties for every instance of the
flaw (you'll get paid, but not for every instance). It's possible that naive
development teams sometimes get this confused, and, for example, consider "all
XSS" to be a single systemic bug.

~~~
kbenson
>> if you are a startup

> for real companies

I wouldn't consider those entirely equivalent sets. I imagine plenty of
startups probably don't fall under the criteria you would consider "real
companies", or at least not in the beginning before people have a chance to
mature into their roles or flunk out of them.

> the economics of ruthlessly withdrawing bounties don't make sense

The economics of something and how people try to justify it or let their own
egos get in the way often don't match. I mean, I still have to kick myself
sometimes because while I work at a small company, agonizing over a couple
hundred dollars a month in service fee differences is not a good way to spend
my time given my hourly rate and the time a more expensive option might save
if it does what it says. Ingrained thinking can be hard to overcome.

------
JMTQp8lwXL
I wish I had a knack for this type of work. That's quite a bit of cash. I do
feel I am a competent software engineer, but understanding data structures and
algorithms doesn't necessarily correlate to one's ability to identify security
vulnerabilities.

~~~
badfrog
> understanding data structures and algorithms doesn't necessarily correlate
> to one's ability to identify security vulnerabilities.

No, but it does suggest that you're likely capable of learning security work.
Just like your data structure and algorithm knowledge didn't come for free,
nobody is born knowing how to find security problems. You need to work for it.

~~~
HeavenBanned
What's a way to learn security work? Genuinely curious.

~~~
joshuakcockrell
One of the best introductions to the field is going through overthewire’s
bandit vulnerability games.
[https://overthewire.org/wargames/bandit/](https://overthewire.org/wargames/bandit/)

They have 30+ levels where you ssh into a server and attempt to find some type
of vulnerability. They start out very easy and get tough quick. It’s very eye
opening to see the types of exploits that exist.

They also have a set of challenges aimed at serverside web security.
[http://overthewire.org/wargames/natas/](http://overthewire.org/wargames/natas/)
I went through the web challenges last year and they helped a ton in my web
dev roles.

~~~
ddebernardy
> One of the best introductions to the field is going through overthewire’s
> bandit vulnerability games.

Out of curiosity I visited your first link and played the first dozen+ levels.
It's just been bash-fu and occasional man reading/googling. Judging by the
subsequent level instructions I went through, there didn't seem to be much
more in there. I'm like, if you really want to learn more about shell
commands, there are man pages. Admittedly, a game is arguably a good way to
tutor a lazy reader. Still, did I miss anything else in there by not finishing
the game?

~~~
awodol
bandit is just the beginner intro-to-shell series that is meant for pure
beginners to Unix, you didn't miss anything. All of the other games on there
are actual wargames to learn about security

------
tptacek
This is 1MM over 3-4 years, right? $330k is good money, but it's also in the
ballpark for gifted vulnerability researchers in SFBA.

~~~
pszndr
330K USD in San Francisco is much, much less than 300K USD in Buenos Aires

~~~
mattigames
People don't even conceive the difference, in Buenos Aires you can rent a
great house in a great neighborhood for 800 USD per month, in San Fran you get
a shared room where 3 other people live for that much -IF even that-. In SF
you spend at least 5 dollars going anywhere and going back using public
transport, in Buenos Aires $2 is more than enough to go to the opposite side
of the city and back.

~~~
lucb1e
I know it is that way, but I don't understand it. It always seems to me like
it just indicates that the exchange rate is wrong: clearly I can buy more
stuff if I convert my money to pesos and spend them there, so the peso is just
worth less than the amount we get per euro.

Could someone recommend a website or blog post that explains this? (Or is
it a simple enough explanation to fit in an HN comment without going hugely
off topic?)

~~~
chime
It's related to Purchasing Power Parity [1] and a good example of that is the
Big Mac Index [2]. Basically, even if you adjust for exchange rate, the same
amount of currency can buy 2 apples in one country and 4 in another. This
should not be possible in a globalized market because of the Law Of One Price
[3]. However, that only really applies in the long term, for buyers with
perfect information (i.e. full knowledge of all price/quantity options), and
for goods that are tradable. Land is not tradable internationally. You can't
just move 1000 sq ft. from Argentina to US. Same with labor e.g. people who
speak a specific language or perform a specific skill. Add to that local
taxes, transportation, and energy costs and you can see why the same apple
costs more in a different place.

Gas stations next to each other but divided by a state line in the US have
different prices. Taco Bell sells the same burrito for different prices. The
same factors apply internationally too, nothing to do with exchange rate.

Hope this was as ELI5 as necessary for HN-level discussion.

[1] [https://en.wikipedia.org/wiki/Purchasing_power_parity](https://en.wikipedia.org/wiki/Purchasing_power_parity)
[2] [https://en.wikipedia.org/wiki/Big_Mac_Index](https://en.wikipedia.org/wiki/Big_Mac_Index)
[3] [https://en.wikipedia.org/wiki/Law_of_one_price](https://en.wikipedia.org/wiki/Law_of_one_price)

~~~
idontpost
> Gas stations next to each other but divided by a state line in the US have
> different prices

Hell, gas stations divided by a street have different prices. In one case I
saw, the one you could see from the freeway was +$0.50 per gallon compared to
the one you couldn't see from the freeway.

------
danschumann
I wonder if anyone has "cobra effect"ed the bug bounty world yet.. whereby
they leave vulnerabilities in their code in order to obtain a bug bounty.

~~~
satellitec4t
Obligatory Dilbert

[https://dilbert.com/strip/1995-11-13](https://dilbert.com/strip/1995-11-13)

~~~
danschumann
How did you find such a specific reference lol

~~~
satellitec4t
Someone showed me this strip ~10 years ago when the place I was working
briefly instituted a similarly counterproductive incentive policy. I just
Googled "Dilbert code me a minivan"

------
Narkov
I'm very happy for the kid and like the idea that these programs are available
but does this incentivise companies to effectively outsource their bug
finding?

From a purely fiscal point of view, why hire expensive full time staff to go
digging when you can just throw a few shekels at stuff as it comes up?

~~~
geofft
This is similar to Katie Moussouris's argument from the article:

> _Moussouris, who created the bug bounty at Microsoft, warned that if badly
> implemented such programmes could see talent leaving organisations in favour
> of pursuing bug bounties, and thus damage the talent pipeline._

I've seen her argue this on Twitter before - the argument IIRC is that bug
bounties should always pay less than getting a job helping the blue team /
writing secure code in the first place, otherwise the incentives are all
wrong. It's great that you know about bugs, but it would be better not to have
them. And, also, there's a bit of a prisoner's dilemma involved in that you
don't want to let the rest of the industry drive up the expected payouts of
bug bounties beyond the expected salaries of secure developers, but you also
don't want to lose out on vulnerability reports either.

~~~
yen223
Step one: Work at a company with a bug bounty program

Step two: Introduce subtle vulnerabilities

Step three: Claim bug bounty under a pseudonym (or just get someone else to
claim it)

~~~
nickpsecurity
That's actually a great spin on the old concept of subversion. I wonder if anyone
is doing it. It should be easier for C apps where someone could say they
didn't know about a specific kind of undefined behavior.

------
yoz-y
This is great, especially that somebody with his skills could probably earn
much more working for shady "security" companies.

------
dooglius
I wonder if he's come up with some automated tooling to find them, seems like
this might be the best way to monetize if so.

~~~
tyingq
I found this, describing his specialty:

_"Lopez specializes in the identification of Insecure Direct Object
Reference flaws also known as IDOR vulnerabilities."_

Then this, explaining IDOR:
[https://github.com/OWASP/CheatSheetSeries/blob/master/cheats...](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.md)

It certainly sounds like the sort of thing you could automate to a pretty big
scale.

~~~
zulln
Do you have any suggestions on how? I do not doubt it can be automated, but it
is one of the few vulnerability types I do not have an intuitive understanding
of how it should be done.

It seems hard to automatically understand the difference between the IDOR
vulnerability in the HR system (from your link), salary.php?employee=EMP-00000,
where you can change the ID to another employee's, and article.php?id=123 on a
newspaper site.

~~~
dooglius
Would it have to understand the difference? You could do pretty well with a
crawler that detects such fields (by checking a simple increment, say) that
then spits out URL/field combinations. Then you just need to scan through
those and follow up on the ones that look like security holes.

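The crawler-plus-increment check dooglius describes, as an added example that is not part of this thread and not code from the article, HackerOne or Santiago Lopez. It also answers zulln's question about telling salary.php apart from article.php with one extra request: after incrementing the ID, fetch it both as the logged-in crawler and anonymously; if the anonymous response is identical, the object is public, and if login is required but the crawler gets someone else's record, it is an IDOR candidate for a human to confirm. The endpoints, session tokens, records and the toy in-memory server are all constructed here; `make_server(check_owner=True)` is the hardened variant of the same handler, so the script shows the missing authorization check beside its fix. Swap `fetch` for a real HTTP client only against targets you are authorised to test.

```python
"""Two-account IDOR probe over a constructed toy app (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Constructed sample data: two employees, two public articles, two sessions.
SALARIES = {"EMP-00001": ("alice", 90000), "EMP-00002": ("bob", 85000)}
ARTICLES = {"123": "public article 123", "124": "public article 124"}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # token -> user


@dataclass
class Response:
    status: int
    body: str


def make_server(check_owner: bool) -> Callable[[str, Optional[str]], Response]:
    """Hypothetical app standing in for HTTP. salary.php requires login; with
    check_owner=False it never checks that the record belongs to the caller
    (the IDOR). article.php is intentionally public."""

    def serve(url: str, session: Optional[str]) -> Response:
        parts = urlparse(url)
        q = {k: v[0] for k, v in parse_qs(parts.query).items()}
        user = SESSIONS.get(session or "")
        if parts.path == "/salary.php":
            if user is None:
                return Response(401, "login required")
            rec = SALARIES.get(q.get("employee", ""))
            if rec is None:
                return Response(404, "no such employee")
            if check_owner and rec[0] != user:  # the authorization check the bug omits
                return Response(403, "not your record")
            return Response(200, f"{rec[0]} earns {rec[1]}")
        if parts.path == "/article.php":
            body = ARTICLES.get(q.get("id", ""))
            return Response(200, body) if body else Response(404, "no such article")
        return Response(404, "not found")

    return serve


ID_RE = re.compile(r"^(?P<prefix>[A-Za-z_-]*)(?P<num>\d+)$")


def increment_id(value: str) -> Optional[str]:
    """'EMP-00001' -> 'EMP-00002', '123' -> '124'; None if not ID-shaped."""
    m = ID_RE.match(value)
    if not m:
        return None
    num = m.group("num")
    return m.group("prefix") + str(int(num) + 1).zfill(len(num))


def with_param(url: str, key: str, value: str) -> str:
    """Return url with one query parameter replaced."""
    parts = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    q[key] = value
    return urlunparse(parts._replace(query=urlencode(q)))


def probe(fetch, url: str, session: str) -> List[Tuple[str, str, str]]:
    """For each ID-shaped query parameter, request the next ID both as the
    logged-in crawler and anonymously, and classify what came back."""
    findings = []
    for key, vals in parse_qs(urlparse(url).query).items():
        nxt = increment_id(vals[0])
        if nxt is None:
            continue
        target = with_param(url, key, nxt)
        authed = fetch(target, session)
        anon = fetch(target, None)
        if authed.status != 200:
            verdict = f"denied ({authed.status})"
        elif anon.status == 200 and anon.body == authed.body:
            verdict = "public"          # everyone gets the same thing: not IDOR
        else:
            verdict = "idor-candidate"  # login needed, ownership not enforced
        findings.append((target, key, verdict))
    return findings


CRAWLED = [  # constructed: what a crawl as alice might have collected
    "https://hr.example/salary.php?employee=EMP-00001",
    "https://news.example/article.php?id=123",
]


def run(check_owner: bool) -> List[Tuple[str, str, str]]:
    fetch = make_server(check_owner)
    return [f for u in CRAWLED for f in probe(fetch, u, "tok-alice")]


if __name__ == "__main__":
    for row in run(check_owner=False) + run(check_owner=True):
        print(row)
```

Against the vulnerable server the salary URL comes back as `idor-candidate` and the article as `public`; with `check_owner=True` the salary probe is reported as `denied (403)`. The anonymous comparison only separates public objects from access-controlled ones, so every candidate still needs a person to confirm that the record belongs to another user, which is exactly the follow-up step dooglius leaves to the human.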
------
armamut
I definitely do have respect to this guy named Santiago Lopez, while I'm
literally twice as old as him.

~~~
badfrog
What does the second part of that sentence have to do with the first?

~~~
tom_
Mx Armamut is perhaps not a native English speaker. Let us suppose that the
first part of the sentence is a statement, and the second part is the
rationale - then, by way of conjunction, a native speaker would probably
choose something like "because", or similar.

I expect there are languages where a word that translates neatly into "while"
would be most appropriate, while actually meaning something more like
"because". It's been a while since the last time I had to speak any foreign,
but I remember stuff like this being very common - a large part of the reason
I refuse to do it any more.

~~~
dahart
I’d say ‘while’ is perfectly fine for a native speaker in place of ‘because’.
You could leave ‘while’ out of the sentence, the comma alone implies
‘because’. The reason for the statement is implied by the two clauses sitting
side by side, many connective words would do equally well, right? The only
thing that suggests a non-native speaker to me is ‘respect to’, which is still
sometimes correct. Respect to charitable interpretations, and respect to
multi-lingual people.

------
mirimir
This is very cool, and props to the kid.

But damn, I wonder what Srinivasa Ramanujan or Norbert Wiener would have
focused on if they were 13 now.

And maybe that's just whataboutism.

~~~
vntok
Breaking SSL worldwide probably.

------
philip1209
I'm still waiting on YC to set up a bug bounty program after having two
verified reports :-)

------
plicense
I would love to see a breakdown of which company paid the most :)

Shopify, Uber used to be at the top of the list.

------
alexnewman
Not saying in this case, but I've heard it can often be more effective to
group bug reports into more or less accounts. Obviously privacy is a huge
concern in a bug bounty program and I find it absurd how much the vendors
charge small companies

------
cosmin800
Just imagine the amount of cash if he went all black :p

------
umvi
I like the picture at the beginning of some CLI novice trying to git push his
home directory

~~~
analogmemory
That reminds me of my idea to create "tech" stock imagery that isn't a joke

~~~
jaredsohn
So the opposite of what the Hacker Dojo did around 2012/2013:
[https://slate.com/technology/2013/02/hacker-photos-how-hacker-dojo-pranked-wired-with-hilariously-stereotypical-stock-images.html](https://slate.com/technology/2013/02/hacker-photos-how-hacker-dojo-pranked-wired-with-hilariously-stereotypical-stock-images.html)

------
thisisweirdok
Woo! We need more capable bug bounty hunters. So many reports are very very
very bad.

