Hacker Spotlight: Interview with notnaffy

Shubham Shah (@notnaffy) started hacking because he was driven to beat his brother in video games. He was a full-time bug bounty hunter for several years and his competitive nature then drove him to develop his own automation tools (such as Common Speak) to become the best. Shubham used bounties as a testbed for building his platform, Assetnote, which combines advanced reconnaissance and high-signal continuous security analysis to gain insight into evolving exposure. To Shubham, hacking is freedom, so in his downtime, he’s still hacking and working on various attack surface management solutions. Read our interview below for some great insights from @notnaffy.  

How did you discover hacking? 

My father invested in my computer literacy early. As an immigrant with not much money to spare, he spent a significant chunk of his savings to buy me and my brother a computer. Naturally, my brother and I used to compete heavily when it came to online gaming. My brother used to always beat me. Being hyper competitive and naturally obsessed with computers, even at a young age, it drove me to hacking online games to beat him and eventually led to me finding hacking communities where I was exposed to a number of application security concepts. Hacking has always fascinated me, and I developed a keen, deep passion and interest from an early age. My father’s investment has definitely paid off.

What motivates you to hack and why do you hack for good through bug bounties?
I still vividly remember making $6.50 an hour while working at a fast food restaurant, making $800 over 8 months, and then receiving my first bug bounty at age 14 from PayPal for $1,500 USD for a bug that took me one day to find. Bug bounties have changed my life, financially, and have given me the ability to live a fruitful life over the last 10 years. I'm not going to lie, working those 8 months at the fast food restaurant was probably some of the hardest work I have ever done in my life, but with bug bounties, hacking is second nature to me. I genuinely enjoy participating in them due to my deep passion in application security. I hack for good because I am able to have a monumental impact on the security posture of companies that want my help, on an ad-hoc basis, and I get rewarded for it.

What makes a program an exciting target? 
For me, there are certain technologies I like hacking more than others. Programs which have a modern technology stack (React/Angular, GraphQL, or lots of APIs), Windows stacks (IIS/.NET/C#) or legacy applications (Java monoliths) or any program that regularly deploys new assets to their attack surface.

What keeps you engaged in a program and what makes you disengage?
A program becomes even more engaging to me when I have a relationship or personal interest with the folk working there, as often, in my head, I frame it as I am hacking the targets in order to further those relationships and show them what I am capable of. When my ex-colleague [Matthew Bryant](https://twitter.com/iammandatory) left for Uber, I focused a lot of time and energy into hacking Uber, simply so I could still work with him in some capacity. Today, I rank 3rd on Uber's public bug bounty program.

I disengage from bug bounty programs when they are no longer deploying new assets on their attack surface, or it becomes too much of a time investment that I cannot afford while running a startup these days. Another thing that disengages me are negative interactions where I feel like I have not been treated fairly. If a bug bounty program does not pay what I expect should be paid for a bug or treats me unfairly based on the number of bugs submitted, I do not give my time to them in the future.

How many programs do you focus on at once? Why? 
I usually focus on one program at a time. I will do my best to learn as much as possible about the company, from the way they do their deployments, the technologies they use, and the business logic that their applications encompass. The process of deeply learning about a program is often very time consuming, and once I have a good understanding of how everything works, bugs usually fall from the sky. I focus my energy like this: one program at a time. But once I have established this base knowledge, I can easily switch between programs I have completed this process for.

How do you prioritize which vulnerability types to go after based on the program? 
Once I understand an attack surface, I spend the time to map out anything I deem interesting. After identifying the interesting assets/endpoints/javascript/applications, I dive deeper into the logic and test specifically for server side and high/critical application issues or business logic issues. I do not spend time looking for client side security issues these days.

How do you keep up to date on the latest vulnerability trends? 
I receive push notifications from a number of sources (such as /r/netsec) and jump on top of any relevant application security posts as soon as they are posted. I also follow a number of twitter accounts (such as @ipssignatures) which help me stay on top of any new CVEs that get released.

What do you wish every company knew before starting a bug bounty program? 
Understand your attack surface, you cannot protect what you cannot see. Continuously monitor your attack surface so that you can discover exposures before any serious damage is done. In bug bounties, the concept of scope is loosely defined, and attackers will find vulnerabilities in assets you may not have had any knowledge of. If you're starting a bug bounty program, try to have a mature asset inventory so that you have a good understanding of which assets you should focus on protecting or to identify assets you may never have thought existed so that you can invest in them further. Perform security audits on these discovered assets or applications internally, before initiating a bug bounty program.

How do you see the bug bounty space evolving over the next 5-10 years?  
For bounty hunters:

As the complexity increases in application development and deployment, and as hackers move from point in time testing to continuous testing through automation, I believe that ephemeral security issues are more likely to be discovered. Ephemeral security issues are issues that only appear for a short period of time. 

In complex deployments, this could mean that a Git repository gets accidentally exposed during one of the deployment steps for a short period of time. Hackers today are moving to a more continuous security testing model through the use of automation.

For companies:

Be prepared to receive reports on vulnerabilities on assets that are deployed, very quickly. Bounty hunters will become more effective at identifying new assets as soon as they are deployed through automation, and perform security testing on them as soon as this happens. 

It's going to be important to have similar levels of automation on your side so that you are also aware about what is being deployed on your networks as soon as possible.

For the community:

Look forward to working in teams more often as the maturity of programs continue to improve. Hopefully through more support from the existing platforms to facilitate this, teams will become more of a reality. Already, we are seeing hackers collaborate frequently on targets, however, usually this is limited to adding collaborators to reports. In the future, the concept of teams may be a bit more fleshed out and working with a number of other people on targets will be commonplace. 

Also look forward to more people who are successful in bug bounties to share their knowledge, as ultimately, most of us are not only passionate about hacking but also teaching others to succeed too.

How do you see the future of collaboration on hacking platforms evolving?  
Teams will natively be implemented in platforms, and people who traditionally hack alone, will find that it is more effective to work fairly with a team on a target. Teams will take over individuals at a relatively fast pace.

Do you have a mentor or someone in the community who has inspired you?  
My co-founder [Michael] is a constant source of inspiration and in many ways my compass. He pushes me to go further in a way that most others cannot. He believes in me when I sometimes don't believe in myself.

If you had a magic wand and could change one thing on the HackerOne platform, what would it be?  
Native teams functionalities to facilitate deeper collaboration with a group of people. Private invites being sent to these teams based off of their success in previous programs. Teams ranking on the leaderboards.

What advice would you give to the next generation of hackers? 
Get really good at something. Whether that is application security, binary exploitation or another avenue of hacking. Become a master at it. Practice it to death. Become obsessed. Make it your primary passion in life. Once you have done this, everything else becomes easier. There will always be a way to financially benefit once you have become an expert at a topic.

What do you enjoy doing when you aren't hacking? 
When I'm not hacking, I enjoy developing an attack surface management solution: [Assetnote Continuous Security platform] with a team of incredibly smart but hard working people. My time is split between being an effective CTO and hacking on bug bounties when I can find the time.