Earlier this year, Jon Colston (or @mayonaise on HackerOne) surpassed $1 million in earnings from bug bounties, but, when you talk to him, it’s easy to see he is excited about the journey, not just the payout, because he is pursuing a passion close to his heart.
In just under two years, Jon has taken his hefty resume in digital marketing and expertise in data and put it to use when hacking for good. He recently broke the record of most bounties ever earned by a single hacker at a live-hacking event, and is currently ranked 22nd on the 90-day leaderboard. His unique background and insights make him a unique talent, resource, and disruptor in the bug bounty community. Interested in learning more about his exciting feats? Read on!
How did you come up with your HackerOne username?
Music has always been a significant influence throughout my life, and the album Siamese Dream by The Smashing Pumpkins is filled with songs I consider as best friends. Mayonaise is a personal favorite. With the title's hidden meaning and resonating lyrics about overcoming challenges, there was no other choice for a hacker name.
How did you discover hacking?
I found HackerOne in the Summer of 2018 while researching the "hack for good" movement. There were several documentaries and news stories that caught my attention, and I wanted to learn more. It wasn't until I joined the program and began actively searching for vulnerabilities that I realized hacking is the application of ingenuity. Since that's a trait we're lucky to be born with, I don't believe you discover hacking, but rather, it's our instinctual approach to life.
What motivates you to hack and why do you hack for good through bug bounties?
Bug bounties provide an advantageous opportunity to engage in an activity that is both mentally and financially rewarding. You have the flexibility to choose your path, focusing on areas that align with your interests.
I am motivated most by the thrill of the hunt, and the euphoria felt with each discovery. I'm not sure why I have as much fun as I do hacking, but something happens at the primal level that pushes me forward each day. Once I start, it becomes difficult to stop.
What makes a program an exciting target?
I find programs where I have relevant business experience fascinating. Having a background in digital marketing, the targets containing advertising platforms feel familiar. I know how systems operate to fulfill the requirements of publishers and advertisers. I like to think having this knowledge has assisted me in finding additional vulnerabilities that might have been unrecognizable by others.
What keeps you engaged in a program and what makes you disengage?
Programs with a broad scope and diverse functionality are engaging because it's simple to transition to a new target without losing progress. Often you can find information related to one application and apply it to others. It creates opportunities to establish a foothold faster and have single bugs propagate into multiple reports.
The diversity of targets helps keep things interesting, but there are times I become disengaged. It's usually due to mental fatigue, and I use it as an indicator to take a break and avoid burnout.
How many programs do you focus on at once? Why?
Not all programs are alike. While I dedicate almost 100% of my time on Verizon Media, it has the breadth of +50 average-sized programs. Dedication to one program has risk, but it's not without generous rewards. Specifically, it enables the development of expertise, and if you can think strategically to spot trends, sometimes you can find an elusive Achilles heel within a system.
How do you prioritize which vulnerability types to go after based on the program?
Testing prioritization is dependent on the functionality of the target application and my experiences with weaknesses found in similar circumstances. If I have discovered a vulnerability on a comparable platform, I'm trying to replicate the same attack first. Then I methodically go through each endpoint, spending 15-30 minutes collecting data and seeking identifiers that suggest an issue could exist. Often, I research ideas in tandem to find various ways to exploit vulnerabilities based on observed system behavior. If anything looks odd, it's going to the top of the list.
How do you keep up to date on the latest vulnerability trends?
I actively search online for attack examples as I test an application. Blogs, videos, and streams are excellent sources for new and fresh content. However, books are essential for organizing some of the broader, fundamental concepts into digestible segments.
Additionally, I prefer to pull information rather than having it pushed to me. I recognize I'm blind to concepts that fall into the "you don't know what you don't know" quadrant; however, being inundated with too much information is equally as confusing as having too little. This approach allows me to control the pace and not get overwhelmed.
What do you wish every company knew before starting a bug bounty program?
Adopting and implementing a vulnerability disclosure program is likely to be an unnerving decision for many management teams, mainly when the predominant perception of hacking is an inaccurate, worst-case scenario, movie portrayal.
A decade ago, a similar leap-of-faith decision was faced by companies when we realized a need to embrace social media. Relinquishing control of our brand and allowing consumers to have public discussions about their experiences was a scary proposition. Today, we look back and laugh at our unfounded fears. Businesses now endear social media as a tool to help them become better, which should be the same viewpoint for VDPs.
To managers thinking about starting a bug bounty program, it's understandable to feel uneasy having researchers hunting for holes in your security defenses. However, as issues are discovered and resolved, the source of distress will come from knowing unnecessary risks existed before the VDP's implementation and wishing you had acted sooner.
How do you see the bug bounty space evolving over the next 5-10 years?
"As business demand for web security continues to grow, I would expect to see new practices developed to improve overall efficiency—solutions designed to increase vulnerability detection speed and place pressure on lowering costs.
It does not necessarily mean we are to be replaced by automation and AI. Instead, I think a shift will occur to help researchers become more productive by reducing the burden of peripheral tasks. Focusing all of our attention on testing functionality naturally improves efficiency."
How do you see the future of collaboration on hacking platforms evolving?
Much of the discussion about collaboration relates to how researchers partner with others having complementary methodologies. While this will continue to be a trend, I believe the next evolution will be a collaboration between researchers and the companies. Hackers become active participants in the design and preproduction test phases of the development life cycle.
Do you have a mentor or someone in the community who has inspired you?
Without question, Ben Sadeghipour (@nahamsec) is an inspiration to all. The content he provides to the community of researchers is genuinely astounding, and I can not express how much his video streams have helped me enter and navigate the hacking world.
Nahamsec - you are pure motivation and a positive influence on the industry. HackerOne and the community of researchers are incredibly fortunate to have you as the person to step up and embrace such a vital role. Keep up the exceptional work, and I look forward to seeing you this Sunday, and the next, and the next, and the next.
What educational hacking resources do you wish existed that doesn't exist today?
Can a simplified pamphlet with pictures be created to provide readers with ten years of real-world experience? Perfect, I'll take two, please.
If you had a magic wand and could change one thing on the HackerOne platform, what would it be?
HackerOne has accomplished a fantastic feat by mobilizing a freelance workforce to dominate a large segment of the cybersecurity vertical. It's a truly remarkable story and one that deserves celebration. While making the internet safe is a noble cause, I would suggest a byproduct of their efforts actually might be the tip of something equally as significant. If I had a magic wand, I would enjoy applying H1's business model to other endeavors to see what's achievable.
Pretend H1 launches a new division, and its first task is approaching product modifications to address COVID-19. Manufacturers worldwide have access to a massive thinktank where bright minds can contribute fresh ideas to solve matters quagmired in bureaucracy and old-school groupthink.
Although you might not have experience in manufacturing design, wouldn't you want a crack at solving some of these issues? Damn right you would, we all would - and that's my point. H1 has built a network of hundred thousand self-motivated problem solvers who thrive off on being challenged. It's almost impossible to capture lightning in a bottle, but from my experiences with HackerOne, there is something in the air that feels electric.
What advice would you give to the next generation of hackers?
The one piece of advice for hackers beginning their journey in bug bounties is always to save and organize your data. It will be an essential asset in building wordlists to brute-force domains and directories, mining for insightful trends, identifying flags that signal issues, and discovering bugs you missed during previous tests.
Data is the digital image of the experiences you acquired while testing. As you become a more skilled bug hunter, you will be able to turn that data into information and advance your skills further.
I would like to thank HackerOne and everyone on its team for the opportunity you have created for so many of us. It has been a pleasure, and honestly, a life-changing experience to be able to participate in your endeavor. I wish you continued success and that the journey has only just started. Onward & Upwards!