Hacker Q&A with Alyssa: We are all still learning

May 5 2018
luke

At 16, Alyssa Herrera discovered bug bounties and HackerOne, and she hasn't looked back since. Now a full-time bug hunter, Alyssa makes sure to give back to the community by sharing the knowledge she gained on her way to the number two spot on the DoD leaderboards.


Alyssa took time away from hacking at h1-415 to discuss learning as a community, hacking the DoD, and what she looks for in a program.

Tell us a bit about yourself.

I’m a full-time bug bounty hunter and security researcher based in California, United States. In my free time I usually play games and talk with friends.

How did you first get interested in computers and hacking?

I got interested in computers when I was in middle school. My school provided us with computers, but like most middle schoolers, I wanted to play games on the admin computer systems. I got my first start with hacking when I was trying to get administrative access to a school given laptop, to play games.

At what age did you start hacking?

I started hacking web applications around 16 years old when I heard about Google’s bug bounty program. This led me down a rabbit hole of googling about bug bounties and web application vulnerabilities through OWASP. I eventually found HackerOne, and that’s sort of how it all started.

Did you have a mentor who encouraged your interest?

I don’t have a mentor; I more or less just taught myself through blog posts and disclosed reports. It was really interesting to me, and I fell in love with the work. It’s extremely rewarding to help secure companies from potential vulnerabilities.

What motivates you to do this type of work?

What motivates me is wanting to help out security companies protect against breaches and improve their general security. Another motivation is being a role model for other women who also might want to get into this field of work.

What types of bugs do you like to hunt (we’ll go out on a limb and say it’s SSRF ;)?

I tend to really love hunting for SSRF and IDOR type issues. With my recent research, I have really come to appreciate the Server Side Request Forgery vulnerability, as it is quite serious and prevalent in many aspects of web applications.

In your blog post Piercing the Veil: Server Side Request Forgery to NIPRNet access, you discuss submitting a bug before you have fully exploited it and obtaining permission from the security team to demonstrate its full impact. Can you discuss the ideal relationship hackers would have with security teams? How do you think such a relationship should be fostered?

An ideal relationship between hackers and security teams would be one of respect. Security teams should understand that hackers aren’t the bad guys. Hackers want to do their best to help out and aren’t trying to disrespect or show any bad faith towards the security team.

At the same time, hackers should understand that security teams can make mistakes. For example, when a security team closes a hacker’s report as non-applicable but the hacker feels otherwise, the best option would be for the hacker to provide a well-written statement as to why they believe it's an issue and provide their evidence to back up the claim.

It’s best that we both teach each other something to grow a better relationship between the hacker community and the security teams. One way we could foster this and generally improve the relationship between hackers and security teams would be improving the policies of security programs; the legalities of programs are already being worked on with the legal bug bounty program.

Another improvement would be clear written rules on what a hacker should do when they find a vulnerability like an RCE or SSRF. One program that does this is Yahoo, where they state what commands you should run to identify what level of access you have.

You seem to have really enjoyed hacking the DoD. Can you tell us the best thing you learned while hacking in that program?

The best thing I have learned from the DoD experience was never to pass up a website when you discover it’s running an odd CMS, something you are unfamiliar with, or when addressing a system with little to no known information about its vulnerability state. This has been a recurring theme when I am hunting within the DoD program.

Which hackers do you follow closely and admire?

I look up to Frans Rosen, EdOverFlow, James Kettle and Ron Chan. I really like the work they do, and they do amazing security research that demonstrates interesting ideas and concepts.

You work to educate the hacker community through your blog and other channels. What role do you think bounty programs have in supporting the development of hackers?

Bounty programs are much more valuable than many people think in helping educate hackers. They must advocate to fight the trend in the industry to shroud fixed vulnerabilities behind NDAs, as new hackers often rely on the skills demonstrated by those currently exercising them. Additionally, they should provide safe discussion areas for individuals to protect against external pressures to criminalize curiosity.

As someone who makes her living as a bug hunter, what do you look for in a program? Is there anything that you avoid?

I tend to look for extremely responsive programs, or programs that are typically managed by HackerOne. The other thing I tend to look for is whether the program pays out based on the impact or based on the vulnerability itself. I tend to avoid programs with bad response efficiency or poorly worded or written-out policies.

Any final advice you would like to share for others looking to get into hacking or fellow bug hunters?

My advice would be that anyone can get into bug hunting. The community is welcoming to everyone of any skill level. Don’t be afraid to ask or reach out for help, as we are all still learning.
