Hacker Q&A With EdOverflow
EdOverflow is a busy man. He’s found bugs for Razer, GitLab, and even HackerOne :). He writes about security and web development. He runs Securitytxt.org, which works to standardize how websites define their security policies, and he's a full time student studying computer science.
We recently chatted with Ed in-between his busy life about his background, his work, and his causes.
Tell us a bit about yourself.
I am a security researcher based in Zürich, Switzerland and am currently in my first year at ETH Zürich studying computer science. In my spare time I love swimming, playing the guitar, photography, and cinematography.
How did you get started hacking?
I started as a photographer, and slowly got interested in Photoshop. From there my interest shifted to UI design and web design. I was around 16 when I first started getting into security, but I have been bug bounty hunting for roughly one and a half years.
What about hacking is most appealing to you?
Learning and meeting people is actually what appeals to me the most. That being said, the money is important, because I have to make ends meet.
What types of bugs do you like to hunt?
I started in web application security focusing on common issues such as cross-site scripting and SQL injection. Then I dedicated a full year to purely hunting for crypto-related issues. Since HackerOne's H1-702 event in Las Vegas this year, I have returned back to hunting for web application security issues.
My main focus area is security research, therefore I invest a lot of time into discovering unusual behaviour in native functionality and frameworks which allow me to find unique bugs. Each bug produces a unique narrative — a cocktail of interesting and educative experience, and intuition.
What’s the best piece of swag you’ve received?
My favorite piece of swag was given to me as a result of my most memorable hacking challenge.
Jobert Abma, the co-founder of HackerOne, did a "Capture The Flag" while I was staying with a friend in New Mexico. After a long day of trying to solve the last step of the challenge, I called it a day and proceeded to walk out of the house to go to bed in a campervan parked in my friend’s garden. The issue was that I could not find the key to open the gate to the garden.
Luckily for me, or so I initially thought, I received a lock picking set during H1-702 a week prior to my stay in New Mexico. Half asleep and still annoyed by the fact that I could not solve Jobert's challenge, cracking open a lock turned out to be an impossible task, so I climbed up the fence and jumped over. Finally, I reached the campervan and could get some much needed sleep.
I was comfortably laying in bed when suddenly it hit me; the solution! Phone in-hand and with terrible Internet service in the campervan, I hastily threw together my solution and submitted it. It was not until the next morning that I checked my phone and realized how horrendous my submission was. There was no way I could leave it at that, so during breakfast, I put together my final write-up.
For finishing in the top five, I received a cool HackerOne sweatshirt. However, the whole story behind it is what makes it the best piece of swag I have ever received.
Who are some of your hacking mentors?
Tom Hudson, without a doubt, is by far my biggest hacking mentor. Tom is always willing to help and share his knowledge. I really enjoy conducting research with him because he is a fount of knowledge and is clearly passionate about what he does.
I collaborate with a lot of hackers including Gerben Janssen van Doorn, Yasin Soliman, Joel Margolis, and Daniel Bakker. Combining several brains when targeting a program can be extremely rewarding, not only in terms of what you find, but also the fact that you learn something new from each other.
My hacker idols are James Kettle, Frans Rosen, Orange Tsai, and Elliot Alderson. They all have something in common, they really demonstrate the hacker's mindset.
How do you choose which companies to work with?
Proactive companies that really want to work with hackers are the ones I personally like to work with the most. I use the term "coordinated disclosure" whenever I refer to the whole bug bounty process. The "coordinated" part indicates that both sides, the vendor and the reporter, need to put in some effort. A good example of this are my recent Automattic reports. Their team is a pleasure to work with, because they are extremely proactive, helpful, responsive, and value the reporter's effort.
What are some tips you would give companies thinking about starting a bounty program?
Consider hiring a bug bounty hunter. They know the community and what other bug bounty hunters expect from a bug bounty program. When I joined Gratipay last year, I was able to help the team change their program drastically, because I am very familiar with the other side of the playing field.
What is security.txt?
Security.txt is a text file located on websites and file systems that allows companies to share contact details and information regarding their security policy. By standardizing the process and making it as simple as possible, my goal is to help improve the coordinated disclosure process.
When did you start working on this project?
The security.txt project began while I was "recovering" from DEF CON 25 and H1-702 in my hotel room in New York. Just before going to bed I opened my GitHub gist of ideas that I plan on working on in the future, and one bullet point stood out, the shortest one, simply "security.txt".
What’s been the reception so far?
The amount of feedback that I have received from people from various areas has been the most surprising thing for me. I put together a team to work on the project and I am very grateful for everything people are doing to help make this idea a reality. Security.txt is constantly changing and my team is working together to ensure that every potential area where security.txt could be used has been addressed.
What’s up with the frog?
That shall remain a mystery.