Alex Chapman, otherwise known as @ajxchapman, has been a bug bounty hunter for over a decade after starting in the field as a pentester for Deloitte in 2007. Alex says being a full-time bounty hunter gives him the freedom he's looking for to enjoy his work and spend quality time in London with his wife, baby girl and their West Highland Terrier. Alex became a hacker through his joy in challenges and a variety of projects, as well as the opportunity for continued learning. When he became a full time bug bounty hunter, he set himself a monthly goal of bounties earned to keep a consistent income and continue striving for something. A year into his journey, Alex reports he is more than meeting his goal which has allowed him to choose the focus of his work based on his technical preferences, and have a lot of flexibility in how he chooses to work. Check out our interview below to learn more about @ajxchapman.
How did you come up with your HackerOne username?
This is a boring one, unfortunately. At one of my first jobs, working at a large multinational, there was already another Alex J Chapman so they assigned me the email address ajxchapman instead of ajchapman and it stuck. The other Alex was a director at the company, I used to get a lot of interesting emails meant for him, which always amused me as someone working in security.
How did you discover hacking?
My introduction to hacking was the 1995 film Hackers, and I was hooked from the first watching. From then on I’d spend hours on dial-up Internet learning everything I could about programming and hacking, reverse engineering crackmes, following tutorials from +ORC, fravia and Woodman, and testing my skills on old school wargames. It wasn’t until I finished my undergraduate degree that I found out you could be paid to hack companies legally, and so I became a penetration tester.
What motivates you to hack and why do you hack for good through bug bounties?
Hacking is a job for me, a job I love, but a job nonetheless. I choose the programs I work on based mainly on companies I like and technologies that interest me, but at the end of the day, I do it to pay the mortgage.
What makes a program an exciting target?
I really enjoy hacking on programs with technically interesting assets, CI/CD pipelines, native applications, embedded scripting languages, etc. I find it really rewarding, both mentally and financially, diving really deep into how these systems work to discover the edge cases that have been missed or assumptions which turn out to be false, in order to find great bugs.
What keeps you engaged in a program and what makes you disengage?
Good communication and response times are key to program engagement for me. I’m willing to spend a lot more time on a program that actively engages me through my reports, than one that is slow to respond or sends only automated messages. Things as simple as getting a comment on a report from the program saying “amazing bug”, “great report”, or even just “wow!” are huge boosters and make me want to work closer with that team. Conversely, reports which get no feedback or take a long time to process just feel transactional and are likely to make me not want to work on a program again.
How many programs do you focus on at once? Why?
Previously I’ve been focusing solely on 1 - 2 programs at a time. I’m currently trying to increase that to 3 - 4 to give myself a little more variability and reliability when I stop finding bugs on one program.
How do you prioritize which vulnerability types to go after based on the program?
I don’t generally approach a program looking for specific vulnerability types, instead I try to focus on identifying high and critical impact issues, whatever they may be for that particular target. The exception to this is if I have found a good vulnerability on one program, I’ll check other similar programs to see if the same or similar vulnerabilities exist. This creates a good iterative feedback loop for finding bugs across programs with similar targets.
How do you keep up to date on the latest vulnerability trends?
Twitter is my go to resource for all things security and technology related. There is a lot of noise, but the signal tends to be of very high quality. I follow quite a lot of people outside the security space, as well, in an attempt to keep up to date on emerging and newly adopted technologies, techniques and trends.
What do you wish every company knew before starting a bug bounty program?
If I could give two pieces of advice to companies wanting to start bug bounty programs they would be:
- To get the most out of a bug bounty program you need to cultivate relationships with bug hunters. Consider bug hunters who regularly submit bugs to your program an extension of your offensive security testing team. Offer incentives for repeat reports, insight into new features or exclusive access to assets, and encouragement to follow up on bugs.
- The more transparent and open a program can be with bug hunters the more value the program will receive. Disclosing bugs can lead to fix bypasses the original reporter was unaware of. Publishing asset lists and details reduces the entry cost of finding bugs on those assets. Informing bug hunters of updates can identify bugs in those updates quicker. The GitLab program on HackerOne is a fantastic model to follow in terms of transparency.
How do you see the bug bounty space evolving over the next 5-10 years?
Like many in this industry, I imagine that the number of bug bounty programs is going to increase, potentially massively. I can see a future where it would be considered negligent not to have a bug bounty program for any company that produces hardware or software. I’d love to see more companies offering public research grants to look at the security of a particular product or feature, but I am less optimistic about seeing that become the norm.
How do you see the future of collaboration on hacking platforms evolving?
I expect we’ll start to see more formalised teams getting involved in bug bounty, outside of live hacking events, possibly even including traditional penetration testing consultancies.
Do you have a mentor or someone in the community who has inspired you?
I’ve had the good fortune to work alongside some amazing hackers in my time, some big names in the bug bounty and security research spaces, and some others who prefer to stay out of the spotlight. So instead of calling everyone out by name, I’ll just say thanks to everyone who has helped me along my way, taken the time to explain and teach concepts, and been there to bounce ideas around with.
What educational hacking resources do you wish existed that doesn't exist today?
The number of education resources available right now exceeds those available at any other point in history, I’m not sure I could wish for much more. All hackers should aim to be continually learning, but should try not to fall into the trap of perpetual learning over applying that knowledge.
If you had a magic wand and could change one thing on the HackerOne platform, what would it be?
Report editing and drafts, please! I take a huge amount of time and care over my reports, but inevitably after hitting that `submit` button, I notice a glaring typo in the first sentence that I somehow missed in the three proof reads before.
What advice would you give to the next generation of hackers?
Stay curious in everything.