Robinhood Goes Long on Bug Bounty: Q&A with Ian Carroll and @ashwarya
Seven years of bug bounty, 21-hour average time to bounty, 130 hackers thanked, and hackers on both sides of the program: Robinhood’s Ian Carroll joins us to discuss his hacker-focused approach to bug bounty, and Robinhood’s top hacker @ashwarya chimes in with his experience.
Our conversation with Ian Carroll (Staff Security Engineer at Robinhood) spans the history of bug bounty at Robinhood, Ian’s approach to bug bounty program management, and why the hacker experience is so important to him. Stick around for the end of this article where we interviewed Ashwarya Abishek, the top hacker on Robinhood’s program with over $100,000 in bounties earned! Ashwarya explains how he decided to become an ethical hacker and why he chose to hack Robinhood.
> Customer Q&A with Ian Carroll
Q: Tell us who you are.
Ian: My name is Ian Carroll, and I'm a staff security engineer at Robinhood. I lead our bug bounty programs at Robinhood, and I'm also a member of our Red Team, where we work on finding and fixing security issues in Robinhood, much like a bug bounty researcher would.
Q: Tell us a bit about Robinhood and why cybersecurity is so important to your business.
Ian: Robinhood is a trading app that allows our customers to trade stocks and cryptocurrencies, save and spend money with our spending account, and more. Safety First is Robinhood's primary company value, and protecting our customers and their assets is extremely important to us. It's our responsibility to ensure we are providing confidence and trust for our customers as they entrust us with safeguarding their money and investments.
Q: Tell us about your HackerOne journey. How has your program evolved over time?
Ian: Robinhood has had a HackerOne Bounty program since 2016, nearly since Robinhood itself launched! Our CEO was actually still a member of our HackerOne team when I joined. Based on our early successes, we have increased our dedicated resources to grow the program further. In the past year, we expanded our program’s scope, launched two new private programs on HackerOne, and awarded more bounties over the past year than ever.
We’ve also improved our internal processes for handling submissions. Once validated, our Vulnerability Management team has built a stellar process for tracking and handling vulnerabilities coming from the bug bounty. Service owners can see all of the vulnerabilities for their service and the associated SLAs for every reported vulnerability. We also started using CVSS ranges to calculate bounty payments, which drive more consistent payouts and remediation in our program.
Q: What role does your bug bounty program play in your overall security landscape?
Ian: Our bug bounty program is an important way for us to validate that the work we are doing to improve our security is working. Our Product Security and Enterprise Security teams create comprehensive mitigation plans based on findings from the bug bounty program and vulnerabilities from other programs such as pentests and red team engagements. These efforts result in a reduction in each type of issue. Similarly, findings from our bug bounty program often let us identify services or features that need extra attention from us so that we can further target penetration tests, additional code reviews, etc.
One key example of this has been around our acquisitions – we’ve been able to quickly add the assets of our new acquisitions into our HackerOne programs, and then we immediately start to get visibility into the specific risks each asset may have. The acquired companies also appreciate getting this new visibility, which allows us to build relationships with their teams while working together to remediate any reports.
Q: Tell us about your favorite bug or most interesting finding from your program. Any other surprising outcomes from the program?
Ian: Some of our best reports have actually come from our own customers who create a HackerOne account just to submit a finding to our program! One really interesting report we recently received was from a customer using a particular smartphone where the biometric authentication wasn’t working correctly only on that specific model. We were able to find someone else on our team who had the same phone and reproduce the issue, but we would have never noticed this kind of issue ourselves! We quickly got a fix out and paid them their first bug bounty. Our customers have also helped us find complex issues in our trading flows that don’t look like normal security issues at all, but are highly impactful to our business.
Q: How do hackers help you spot vulnerability trends across your attack surface?
Ian: I'm very happy with the scope of our bug bounty program, where we accept almost any security issue that could impact Robinhood, regardless of what technical asset has the problem. We also get a lot of interesting submissions about third-party vendor products and misconfigurations because we have all of our domains and applications in scope. In addition, we run private programs for our acquisitions to further strengthen those assets.
As a relatively younger company, casting this wide net helps us identify trends across everything we use. In the future, we’re working on creating and distributing reports to our other teams on security based on the Common Weakness Enumeration (CWE) trends, which will help teams easily identify the types of vulnerabilities we are seeing!
Q: Ian, along with being a customer, you also hack on the HackerOne platform. From experiencing both sides of the coin, what are some best practices for forming mutually beneficial relationships with hackers?
Ian: It’s been very useful for me to have the perspective of both a researcher and a program manager. It gives a lot of insight into how both sides interact and what they expect and helps me focus on what I know researchers would appreciate the most. My first priorities with our program were to set up quick and consistent triage and awards to researchers, as I find this is a struggle for many programs.
We also try to be candid and transparent with hackers. In our private programs, where we have NDAs in place, we can often share source code snippets and other internal documentation to help the researcher understand the root cause of an issue or why the severity was set in a specific way. Additionally, when we can escalate an issue to be more severe than what a researcher reported, we always pay the researcher for the higher severity. We hope this builds a lot of trust and goodwill between both the researcher and Robinhood.
Q: What will long-term success look like for hacker-powered security at Robinhood?
Ian: We aim to keep shifting left in the product development lifecycle and letting researchers find as many vulnerabilities across as many new and existing features as possible. We have been granting our VIP researchers access to new product releases before the general public has access, and we hope to continue doing this for the foreseeable future. Additionally, we’re working on test accounts so that researchers outside the United States can test our assets just as anyone else can.
> Hacker Q&A with @ashwarya
Q: Tell us who you are.
Ashwarya: Hi! My name is Ashwarya Abhishek. I’m from Delhi, India. I came from the financial field as an aspiring chartered accountant, but circumstances brought me to bug bounty, and I have been doing it full-time since 2020.
Q: How long have you been hacking/in the cybersecurity industry?
Ashwarya: I have been into bug bounty full-time since January 2020. I started doing bug bounty in 2014 as a part-time hobby when I discovered the HackerOne platform. Back then, I would read public reports and apply similar logic to different programs (Yahoo, Twitter, etc.). That approach got me a few bounties, but soon I got responses of ‘N/A’ and ‘Informative’ on all my reports, leaving me with terrible stats (<200 Reputation, negative Signal, <10 Impact). I soon realized that bug bounty was not for me, and I quit sometime around the beginning of 2016. I was only sending reports without understanding my findings, so those responses were bound to happen sooner or later.
During 2018-2019 I was going through severe financial issues, and out of nowhere, I received a Private Invite from Exness to hack on their HackerOne bug bounty program. Out of curiosity, I opened the link and accepted the invitation. There were lots of things going on in my mind for the next two days as this invitation and the sudden recollection of HackerOne and bug bounty brought a ray of hope into my life.
On January 1, 2020, I decided to quit my day job and jump into bug bounty. The reason was straightforward: earnings from my day job - even if I saved for the next decade - would not help me get out of the financial issues I was going through, but there was a ray of hope from bug bounty.
Everyone who came to learn about my decision called it dangerous as I did not possess any cybersecurity degree or certification and had no training. Even my past HackerOne stats were screaming not to pursue the infosec route full-time. There was also no surety that I would be able to find enough bugs to earn close to my monthly salary.
Circumstances ultimately brought me to this path, and I do not regret my decision to quit my profession. I started from scratch, gradually learned, and I haven’t looked back since I started full-time in 2020.
Q: How long have you been hacking on Robinhood, and why did you choose to focus on Robinhood’s program?
Ashwarya: I started hacking on Robinhood on January 1, 2022. I hack on Robinhood primarily due to their response efficiency and decent bounties.
Q: What do you enjoy about hacking on Robinhood? What keeps you motivated to hack on this program?
Ashwarya: I’m motivated by the wide scope of Robinhood’s program. It’s been a full year, and I believe I haven’t fully explored 50% of their endpoints, and getting access to the restricted services always excites me. In the beginning, I sensed that there were very few hackers who could have gone deeper with this program (due to restrictive access), so I thought there was a lot of potential for me and my 100% manual approach to hacking, and I wasn’t wrong with my judgment.
I also value Robinhood’s transparency during report evaluation, and their bounty pay-out upon triage keeps me motivated to continue digging around this program.
Q: Without giving away scope that’s not already public, how do you approach the target?
Ashwarya: Broadly speaking, my manual approach remains plain and simple.
1. I manually check every single subdomain every few days to identify potential subdomain takeovers or application-level misconfigurations. It also helps me to identify any hidden subdomain apps where I need to dig deeper since there are higher chances you might end up with API keys or secrets in a .js file linked with these hidden apps.
2. I manually visit every API endpoint repeatedly until I understand the flow and its intended purpose. Once I am familiar with the endpoints and flows, it is far easier to spot any weird behavior and potential changes/issues. Although this is a time-consuming task, it is the most important thing for me with any target, and it is worth the effort.
3. I do not approach a target with any specific issues in mind. Instead, my approach relies purely upon the logic in the target process flows.
Q: If someone was new to this program, what advice would you give them?
Ashwarya: Try familiarizing yourself with the flows first (API routes, etc.). Robinhood’s scope is very wide (there are 1,000+ API endpoints in the primary target itself), and there is a good chance you will catch issues if you are familiar with how things work here. But if you solely rely on automation (public tools), chances are pretty high that you will end up disappointed.