Corben Leo, popularly known as “cdl”, is currently a Computer Science student at Dakota State University but he’s been a security researcher and a bug bounty hunter for years. He’s attended a handful of live-hacking events as a top hacker on many programs hosted by the U.S. Department of Defense, Verizon Media, Starbucks, and others. He currently has 13 CVE IDs assigned to his findings and has been recognized by over 8 Hall of Fames including Apple, Google and Microsoft. Cdl has many achievements to be proud of but he’s just getting started. He started Lynx Security — an LLC devoted to making the web a more secure place. Cdl has soared to the peak of his profession thanks to his precocious talent and a strong belief in hacking for good. He shares why that matters below.
How did you discover hacking?
When I was a freshman in high school, my school gave MacBooks to students to do our school work on. These laptops had a student account with basic user permissions, and also an admin account. There was also a web-filtering application, installed on the laptops, which blocked any non-school-related websites that a high-schooler would want to go on during classes. After a bit of Googling, I figured out that you could boot the computers into something called "Single User Mode", mount the file system, remove a file, restart it, then set it up like it was brand new. You could create a new administrator account, therefore giving you the ability to uninstall the filtering application, or do anything else you wanted. I was ecstatic and couldn't keep it to myself, either, so I did it to all of my friends' computers. They got caught within a day or two and eventually gave me up as the perpetrator, so I got in trouble for "hacking" when I didn’t even know what that meant. The school gave me detentions for a week, so I spent my after-school hours with the IT guy fixing computers. I was intrigued by hacking and later became obsessed with it. I taught myself how to hack over several years and eventually heard about bug bounties towards the end of high school. At first, I was oblivious and didn't realize that the information security industry existed, so I was pumped to learn that people hacked as a job.
What motivates you to hack and why do you hack for good through bug bounties?
I enjoy the creativity and the challenge it provides. Nothing quite beats the chase of vulnerability hunting. The thrill and adrenaline that hit you when you identify vulnerabilities are also addictive. I'm motivated by the opportunity to sharpen my skills, learn new things, hack with others, and also make a positive impact. A tremendous advantage is that bug bounty is quite lucrative when you're good at what you do, and I'm grateful that I get to make money doing something I love. Everyone wins: I get to challenge myself and get paid for vulnerabilities I find, while companies become more secure, which ultimately keeps everyone safe.
What keeps you engaged in a program and what makes you disengage?
I continuously engage in programs that have proven to communicate effectively to their researchers. It is arguably one of the most important elements in operating a successful bug bounty program. Communication leads to a greater understanding, and if neither side understands the other, you're stuck at an unsettling impasse. Disengagement occurs when communication doesn't occur at all, or at least not effectively. Taking the few minutes to communicate proves you value the researcher's time because if researchers feel unvalued, they will spend their time elsewhere. Also, the speed bounties are paid at is important. I would rather not wait a year to get paid.
How many programs do you focus on at once? Why?
I tend to focus on one program at a time, but also jump from program to program often. When I get tired of looking at the same applications or hosts, I switch to a different program because it's refreshing to have some diversity.
How do you prioritize which vulnerability types to go after based on the program?
I take into consideration a program's biggest risks based on some quick threat-modeling. I map out the application's functionality: understand its use-cases, hypothesize what could be processed and transmitted, what technologies are being employed, etc. After, I go through them and assess those potential risks.
What do you wish every company knew before starting a bug bounty program?
Be ready and prepared, don't be afraid to slowly ease into it!
How do you see the future of collaboration on hacking platforms evolving?
I wouldn't be surprised if collaboration becomes more popular among researchers. I also wouldn't be surprised if there are more team-style live hacking events. There's a lot of power in collaboration.
Do you have a mentor or someone in the community who has inspired you?
Hard question, there's a lot of people in the community whom I've collaborated with, learned from, and am inspired by including Brett (ziot), Naffy (nnwakelam), Frans Rosen (fransrosen), Justin (rhynorater), Sam (erbbysam), the other Sam (zlz), and more.
What advice would you give to the next generation of hackers?
Getting good at anything isn't a sprint but a marathon, so don't be discouraged. Be willing to put in the work and keep working at it a day at a time. Soon enough you will be surprised how far you've come!