Jesse, otherwise known as @randomdeduction on HackerOne, is the CISO of LIfeOmic during her normal nine-to-five and spends endless nights and weekends as a bug bounty hunter. With her years of experience in product security, Jesse takes her knowledge from bug hunting into running LifeOmic’s bug bounty program. Read on to learn what encourages her to continue hacking on different programs and her unique perspective on what makes a good hacker-powered security program.
How did you discover hacking?
I have always been interested in how things break. In high school, I bought a programmable watch and programmed it to turn all of the school TV's on and off, which didn't impress my teachers. My love for hacking grew while I was in college and I started doing research on digital forensics and OSINT. When I eventually started focusing on bug bounties my technical depth grew dramatically and gave me exposure to tons of different tech stacks.
What motivates you to hack and why do you hack for good through bug bounties?
The challenge. I like consistent change and bug bounties give me the flexibility to always be looking at something new.
What makes a program an exciting target?
Large scope! I love recon and when a company throws everything they have in scope I get really energized to find bugs.
What keeps you engaged in a program and what makes you disengage?
I stay engaged on programs that regularly update their scope. Nothing is worse than hacking on an app that hasn't changed in years and has had a ton of other researchers looking at it. It's discouraging.
How many programs do you focus on at once? Why?
I jump around a lot to different programs which probably makes it harder for me to find complex bug chains but it keeps me from getting burned out on a particular program.
How do you prioritize which vulnerability types to go after based on the program?
I like to take a look at the site and see how it operates before picking an avenue to go down. If I see a ton of potential for IDOR's while proxying requests, I will focus on that for a while. If I notice a big reliance on graphql I will start hitting it looking for auth flaws.
How do you keep up to date on the latest vulnerability trends?
Hacktivity, Twitter, running my own program on HackerOne, attending conferences, and being around other hackers at live hacking events.
What do you wish every company knew before starting a bug bounty program?
When making report decisions, ask yourself "Is this how I would want my report to be handled". Communication is key. Impact is a two-way street. Don't just close reports, give the hacker back impact by telling them why something isn't a security risk or valid. It will benefit both the program and the hacker (x10) in the long run. This communication and transparency will drive hackers to deliver more critical and complex reports in the future.
How do you see the bug bounty space evolving over the next 5-10 years?
I see more and more regulated industries finally thinking outside of the box and embracing the crowdsourced security model. Moving past a checkbox mindset in verticals like healthcare and finance is critical to not being the next organization in the news for a breach.
How do you see the future of collaboration on hacking platforms evolving?
Collaboration is key to success. Diversity of ideas can take a small bug and build it into an exploit that can be applied across many different targets. I hope more platforms build in incentives and functionality to better support those that choose to work together and share ideas.
Do you have a mentor or someone in the community who has inspired you? Don't be shy, give a shout out!
I always enjoy asking @dki random iOS questions when I am stuck while hacking at 11pm and am blown away by her skills/expertise in mobile. My retirement plan is to get as good with bash as @TomNomNom while sitting on a beach somewhere drinking mojitos.
What advice would you give to the next generation of hackers?
Try to not get discouraged by the number of hackers looking at a target. Approach each target like you are the first and only one to look at it. Otherwise, you will miss bugs based on your assumptions.