Congratulations to @mayonaise, the ninth hacker to earn $1 Million hacking for good on the HackerOne platform!
Over the past 2 years, @mayonaise has helped to find over 170 real-world vulnerabilities in enterprise and government organizations, earned his place as a live hacking event MVH (most valuable hacker), and holds the record for most bounties ever earned by a signal hacker at a live hacking event as of h1-2004 last month.
Hacking is here for good, for the good of all of us, and @mayonaise epitomizes this. His unique, machine-learning-style approach to hacking has earned him a Reputation Score of over 7,000 and a place on the Top 100 all-time leaderboard on HackerOne, as well as the #5 spot on the 90-day leaderboard.
The positive power of a community of ethical hackers like @mayonaise pools our defenses against data breaches, reduces cybercrime, protects privacy, and restores trust in our digital society.
We sat down with @mayonaise to learn more about his unique approach, focus, and journey to being one of the top hackers in the world.
Q: Tell us a little about yourself! What’s your handle? Where are you from/living? What do you do full-time?
My name is Jon Colston, and my hacker handle is Mayonaise. My wife and I live in Las Vegas but spend a fair amount of time on the east coast enjoying time with friends and family.
I have 24 years of experience in fast-growing startups leveraging analytic modeling and technology solutions to optimize business processes and increase the overall efficiency of organizations. While I operate several businesses in the commercial/residential lending verticals, I have focused the majority of my time on bug hunting for the last two years.
Q: How does it feel to make $1M hacking?
It feels incredibly rewarding to have crossed the $1M point. A lot of time and energy went into this achievement, and it's nice to look back and say it was worth it. Both personally and financially.
I try to follow the adage "Onward & Upward," focusing more on where I am going versus what I have done. Centering on the future begins with the belief that something good will happen, and this experience has provided an overwhelming sense of hope.
Q: How did you come up with your infamous hacker handle?
The Smashing Pumpkins debuted their album Siamese Dream in the summer of '93, and it was an impressionable time in my life. To this day, many of the songs I still consider as best friends and "Mayonaise" is a personal favorite.
With the title's obscure pronunciation (My Own Eyes) and it's poignant lyrics summoning personal faith and patience to overcome challenges, there was no other choice for a hacker name.
Q: You’re known for your unique, data-centric approach to hacking. Can you tell us more about that and how your background in data analytics informs how you approach a target?
Analytics is extracting actionable information from data sets, and my skills in this area serve well in finding vulnerabilities on extensive scoped programs. There is an art to formulate the proper questions that led to the discovery of potential issues and a science to collecting, organizing, and storing data for queries used to answer the questions asked. Both are equally important and dependent upon another.
One area where analytics has created opportunity is in asset discovery. I have been able to identify patterns in naming conventions and refine brute-forcing techniques that differ from many of the hacker community's standard toolsets. The same methodology has proved successful in areas of content discovery too.
Furthermore, I make it a practice to store as much data as possible for future reference. If I discover a vulnerability on one host, then I will query for similar endpoints that display comparable functionality or characteristics across all other domains. This approach frequently creates opportunities for one issue to cascade into several reports.
Q: You broke the record of most bounties ever earned by a single hacker at an LHE. How did you do it?
It still seems surreal; I never imagined being in this position two years ago, and it feels incredible. Upon joining HackerOne, you quickly realize there are a multitude of factors associated with bounties and bug hunting. Impact, scale, reach, program, and policy all come to mind. However, still, I can attribute the success at H1-2004 LHE to two primary elements that significantly contributed toward the total bounty amount.
The primary contributing factor was the event’s scope, which included credentials to applications that have not undergone a thorough “hacker hardening” examination. I took advantage by going directly at weaknesses I thought were most likely to exist, spending the majority of my time exploring SSRF and IDOR attacks. It led to a strong tournament start with a nice run of critical bugs.
The second factor, and accounting for almost half of the bounties, resulted from the capture of my first “Mother of All Bugs” - or MOAB, as I like to call it. It’s an amusing term I have given to elusive vulnerabilities that satisfy the three key attributes:
- No one else knows to look for it.
- It can be found on different hosts, functionality, and endpoints, making it “cease-fire” resistant.
- It has a rating of high or critical impact.
My first glimpse of this MOAB was in May of 2019; however, the trail ran cold and was left forgotten until the beginning of March when I discovered a similar vulnerability. With a fresh set of eyes, I had a revelation and changed my approach to how I hunted for this bug. It resulted in ten LHE vulnerability reports and awarded ~27,000 jars of mayonnaise by Luke’s calculation. The timing could not have been better.
h1-2004 grew into an unprecedented opportunity for me, and I feel so fortunate to have been able to participate. Special thanks to Chris Holt and the VZM Team for assembling a fantastic scope. I wish the tournament did not have to end; there were moments where it felt like I had captured lightning in a bottle. It’s a memory that I will not forget.
Q: You focus heavily on one specific program. When did you start hacking on them, why do you dedicate a single program, and what do you like about their program?
When I began bug bounties in late 2018, Verizon Media’s extensive scope was attractive, and I believed my experience in digital marketing provided a slight advantage. I still hold these as compelling reasons; however, the list of incentives to remain loyal has significantly increased with time.
Anyone who has consistently engaged with Verizon Media has experienced their dedication to the hacking community. Generous bounties are the primary motivation for many; however, its additional areas of support that I find quite valuable and worthy of avocation.
- Consistent Participation within LHEs
- Opportunities to Work on Exclusive Targets
- Accessibility to Team Members via Industry Forums
- Support and Engagement from Executive Team Members
- AMA with Product Managers & Development Teams
- Dedicated SSRF Servers
- Openness to Discuss Differing Points of Views
- And Ultimately, Superior Swag
I’ve continued to remain focused on Verizon’s program because I believe substantial efficiencies are only achievable by developing expertise. The breadth of their program’s scope allows me to expand my attention as needed, always tailoring focus to find the goldilocks zone as my understanding increases. As long as I experience continued productivity gains, I will find it difficult to deviate from this path.
Q: Which hacking project or vulnerability has presented you with your greatest challenge so far?
Without question, I find the Live Hacking Events to be the most challenging and rewarding experiences with HackerOne. My natural disposition as a friendly competitor and the innate desire to perform well generally results in +20 straight days of long hours filled with an intense focus on the targets in scope. I enjoy every second of it.
Q: In light of recent events around the world, we’re seeing a surge in HackerOne and Hacker101 registrations. What advice would you give to aspiring ethical hackers or folks just beginning their bug bounty journey at this time?
My advice is to map the initial phase of your journey by asking yourself the following questions. Spend at least 30 minutes each. Your answers will point you in the right direction.
- How do my experiences and skills make me unique to the bug bounty world?
- What ways can I use this to my advantage?
- What am I willing to sacrifice for the commitment to this journey?
- What are my strengths/weaknesses? Why?
- How can I improve my efficiency?
- What percentage of "hacking time" am I willing to dedicate to research and study?
- How do I discover what I don't know?
- How am I creating an environment to be successful?
- What other questions should I be asking?
Q: You’ve had a diverse background in many different industries. What draws you to cybersecurity and how does the industry compare to others, especially in the present job climate?
Throughout my career, the companies I served always had a connection to consumer finance. Regulation, seasonal demand, economic conditions, and liquidity markets are a few examples of external factors we continuously navigated to remain profitable for shareholders. If a variable moved, so followed staffing. It was one big math equation where a headline the papers would indicate how the next six months likely played out.
The cybersecurity industry appears to be much less volatile. At the start of the pandemic, I was concerned businesses would retreat to a defensive position, protecting employees by eliminating budget for all contract positions and VDP programs. Surprisingly, I witnessed the opposite. Companies shifted payouts to incentivize researchers to focus on bugs with higher impact, a move that mirrored the increasing threat from bad actors taking advantage of the lockdown.
Marten Mickos mentioned in one of his blog posts on HackerOne that the average cost of a breach is approximately $8 million. It was the lightbulb moment as I realized the monetary value researchers provide to businesses. It became crystal clear the demand for our services to help ensure their online security is not going away.