EdOverflow is known for contributing to the community in many ways: he is one of the people behind security.txt (a proposed standard for publishing a vendor's security contact and disclosure details), a bug bounty hunter, and a member of Detectify Crowdsource.
We got a chance to quiz him about security.txt, his motivations for being involved with hacking communities and why he chooses to report to responsible disclosure programs without bounty rewards:
Why did you propose the security.txt standard?
As a security researcher, I am familiar with the difficulties with finding a vendor’s security-contact details. This inspired security.txt, a proposal that aims to minimise the time needed for security researchers to find contacts. The project primarily attempts to solve this problem by making it as simple as possible for anybody to set up. Someone with little technical knowledge can follow along and create a text file that adheres to the specification with minimal effort.
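The interview does not show the file format itself, so here is an added example (not EdOverflow's or the project's own code) of the check a site owner could run on a security.txt before publishing it. It assumes the rules of RFC 9116, the form in which the proposal was later published, and the sample file below is constructed.

```python
# Added example, not EdOverflow's or the project's own code: a check a site
# owner can run on a security.txt before publishing it at /.well-known/security.txt.
# The rules follow RFC 9116, the published form of the proposal.
import re
from datetime import datetime, timezone

SINGLE_FIELDS = ("expires", "preferred-languages")   # allowed at most once
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")     # sensible Contact: URIs

def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blanks and comments are fine
            continue
        m = re.match(r"^([A-Za-z-]+):\s*(\S.*)$", line)
        if not m:
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        fields.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact: field")
    for c in contacts:
        if not c.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/tel:/https: URI: {c}")
    for name in SINGLE_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")
    expires = fields.get("expires")
    if not expires:
        problems.append("missing required Expires: field")
    else:
        try:   # RFC 9116 wants an ISO 8601 timestamp that carries a zone offset
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None or when <= now:
                problems.append(f"Expires is naive or already past: {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 datetime: {expires[0]}")
    return problems

# Constructed sample file, not any real site's.
SAMPLE = """# Constructed example security.txt
Contact: mailto:security@example.com
Expires: 2099-12-31T23:59:00.000Z
Preferred-Languages: en, de
"""
```

Run `validate_security_txt(SAMPLE)` to get an empty list for the sample; a file missing Contact, carrying two Expires lines, or already expired gets one message per problem.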
Have you learned anything about responsible disclosure since then?
The legal aspects of coordinated disclosure, most notably #legalbugbounty by Amit Elazari, have been particularly eye-opening for me since I have no background or prior experience in this area of the security industry. Her work has caused a major shift in how the bug bounty community views bug bounty program policies. It has made me more aware of the risks involved and how to provide bug bounty hunters with a secure platform to communicate their findings without fear of repercussion.
You also spend a lot of time sharing knowledge in other ways. Can-I-Take-Over-XYZ and bugbountyguide.com are two examples. What motivates you to spend time on this?
Working on projects allows me to put my skills to the test, meet new faces, and get feedback from various members of the security industry. All of these factors motivate me to keep creating projects. In addition, I often find myself actually needing these tools and projects I build, so I could see why someone else might benefit from them. This is why I usually publish my work on GitHub and other platforms that allow others to easily access my work and make contributions.
What advice do you have for anyone looking to advance with hacking?
Start by becoming a problem solver. Read technical articles and books, and whenever you stumble across a problem, challenge yourself: do not just jump to the solution. Really try to figure out a possible solution before looking it up. Also question things; do not just take them at face value.
I often draw parallels between mathematicians and hackers. In my opinion, both are problem solvers and really demonstrate “the hacker’s mentality”. Alain Connes, a French mathematician and Fields medal winner, claimed that one should read mathematics books backwards. The goal being that the reader would encounter theorems and be forced to think about how they could prove that theorem. Personally, I would nearly go as far as saying that hackers should try a similar approach. If you encounter some new technical or security-related problem, ask yourself how you could go about implementing it in practice and then maybe how to misuse it. When you read documentation and specifications, ask yourself how someone else could make mistakes while setting up a particular feature or technology.
How can someone get more involved in the security community, and what would be a good first step?
I recommend contributing to open-source projects. This is a great way to meet new people. I find the process to be more rewarding than simply reaching out to random members of the community at first. Your contributions are more likely to be noticed and hackers might be more willing to help you out in return. That being said, do not be afraid to reach out to someone you look up to or want help from. Networking is really important in the security industry.
Besides online networking, consider going to meet-ups and joining local security groups. Meet-ups are a fantastic opportunity to meet people and make new friends.
When you actually hack yourself, what kind of vulnerabilities do you usually look for?
I love this question for one particular reason: it might finally explain to some readers why I sometimes report security vulnerabilities to vulnerability disclosure programs which do not reward hackers with bounties. Whenever I heavily rely on a particular product and the team maintaining the project has a disclosure program, I might find myself testing the product for my own security. So the vulnerabilities that I have reported to projects such as GitLab, Rocket.Chat, and Keybase, for example, come as a result of me hacking myself.
In terms of the exact findings, those tend to be bugs specific to the product I am using. This comes as a result of really knowing the ins and outs of the target because I am an actual user. I think Keybase put this best in one of my reports:
“[…] we applaud the researcher [EdOverflow] for thinking about our product specifically, not just applying a generic checklist.”
In your opinion, what is something that often gets overlooked by bug bounty hunters?
Not sure about how often this is overlooked, but I would like to remind readers and fellow hackers of how important it is to balance hacking with a healthy lifestyle — mentally and physically. I know from experience how easy it is to overlook healthy habits when you are completely invested in security. Try to remember to take regular breaks and even consider finding other interests and activities outside of security to keep you going so that you do not get overwhelmed by everything security.
Finally, you are also a member of Detectify Crowdsource. From your perspective, what is the biggest benefit of that approach compared to traditional bug bounty programs?
Detectify Crowdsource has been especially useful for me to earn money with previously-disclosed vulnerabilities and some interesting techniques that I have been holding on to over the years. Knowing that my findings could still benefit Detectify clients out there and are not completely used up is extremely encouraging.
I also like the 0-day disclosure assistance that Detectify offers. Not only am I able to reach out to the right people concerning my findings, but I am also still able to earn money from those findings.
Find out more about EdOverflow:
Twitter: @EdOverflow
https://edoverflow.com/
Are you interested in joining EdOverflow and other security researchers on Detectify Crowdsource? Email the Crowdsource team at crowdsource@detectify.com or learn more on the blog.