This blog is part of an interview series. These bug hunters continuously dominate the leaderboards and thanks pages. Today, we are thrilled to share details from our interview with mlitchfield!
Mark winning “most valuable hacker” at HackerOne’s live hacking contest
Mark Litchfield made history last month as the first hacker to earn over $500,000 USD in bug bounties on HackerOne!
He recalls Yahoo was the first bug bounty program he submitted a bug to before they joined HackerOne. “I got an email from Michiel [Prins, HackerOne co-founder] stating there was some money waiting for me. If I recall, it was for around $1,400. At that point, I decided maybe there is some good money to be made in this, and so it began.”
In three years on HackerOne, Mark has helped companies like Dropbox, Zenefits, Uber, LocalTapiola and Shopify resolve over 450 vulnerabilities. He is ranked in the 91st percentile for signal, 93rd for impact and he has earned over 11,300 reputation. The winner of our H1-702 live bug bounty hacking contest, Mark is a regular on hacktivity leaderboards and an inspiration to many.
To get in the zone Mark uses two laptops, both running Burp Suite, and his JBL Pulse bumping Pandora’s Tiesto radio LOUD! He shared, bug bounties have “helped pay my bills and keep a regular supply of Heineken and Marlboro reds flowing :).” Three years into his bug hunting career, Mark selects programs to work on based on the rewards, as well as the programs maturity. “How well do they respond, how quick do they fix / pay.”
Mark has always been a “breaker” and got his start in security in 1999 when he was looking to escape the business of selling computers. “It became apparent there was no money in selling computers,” he shared. His brother David was in security and recommended Mark take the MCP Windows Server NT4 admin course. Three days after completion, David and Mark were focused on churning out vulnerabilities for their new London based company, Cerberus Information Security Ltd. In 2000 Cerberus was acquired by @stake. A year later they set out to set up NGS Software (later acquired by NCC Group) along with close colleagues Dave Snr, Sherief Hammad, Robert Horton and Chris Anley. All the while, Mark continued to churn out security vulnerabilities and perfect his craft.
Show Me The Money
To attract the top hacker talent, Mark says it is all about the money. He reminds companies that this is a marketplace, and your bug bounty program is competing in that market. “The more you offer the more appealing your “product” is compared to your competition.” Mark said companies including Zenefits, Yahoo, Dropbox and Uber really get this. “They take security seriously and understand the value of these programs and as such offer appropriate awards.”
For security teams getting started with bug bounties, Mark recommends they award bounties when bugs are triaged. He believes, “The researcher has essentially done their job at this point, now it’s down to your dev team. It will also stop a lot of noise within your inbox. Once fixed, you can shoot the researcher a message to ask if they could verify the fix.”
On his public $500,000 bug bounty challenge, Mark said, “I think in everything you do in life it is important to set yourself some goals and challenges,” and this was no different. “At times, you can find yourself unmotivated, by making your goals public as I have done in the past on Twitter, you have now put yourself and your reputation on the line. Sometimes you achieve it, or get close, either way you always remain motivated and ultimately succeed.”
Hacker Pro-Tip is Worth $60,000+
For new hackers, Mark is ready to share a little secret with you. “When a new program is launched and the doors are “open”, everyone is going after the same old targets and the proverbial low hanging fruit. I do not. It’s not very often I get a duplicate because I am not playing the same game [as] everyone else.” While hackers are “scrambling” for the low hanging fruit, Mark goes after Insecure Direct Object Reference vulnerabilities. “It may take a lot longer to find these issues, but when I do it is literally quality over quantity. I look at all the functionality offered, will register 3 accounts, a control account and two others that hack each other.” Don’t believe him? To date, he has made over $60,000 on just five IDOR vulnerabilities alone.
Mark also recommends hackers consider what the company cares about most when picking a target. “Ask yourself what is [it] they do, where do they make their money etc. Go after core functionality.” Wherever the company makes the majority of their money is bound to be a high value to the company and result in a higher payout.
The Future of Bug Bounties
On the future of bug bounties, Mark recalls that just two years ago bug bounties were still seen as a security gimmick, and many companies would simply have never considered them. Today, bug bounties are now a widely accepted form of security audits.
Mark predicts that traditional security consultancy firms will evolve to the performance based model used by private bug bounty programs. “Gone will be the 100 page traditional security company report you just paid $50,000 [for].” Mark expects these performance paid pentests are what’s next. He describes these as “Small Private Bug Bounty Teams, selected for testing in-house business applications via VPN’s etc that would normally only be made available to the traditional security company.” “Using this new approach, you may have only paid out $10,000, but you paid for results.” Mark also predicts one day we won’t just offer bounties for bugs, he can also see bounties for tools or solutions to internal problems.
Have a questions for Mark? You can find him on Twitter at @BugBountyHQ.
Stay tuned for our next hacker hall of fame blog in our series. Have a question for a top hacker? Email us, at [email protected], find us on Twitter at @Hacker0x01, or let me know @lkozz.
Originally posted 2016-09-28 04:00:00.