When Katie Paxton-Fear, aka @InsiderPhD, was invited to be a mentee at the HackerOne live event in London, h1-4420, for the first time, little did she know her life was about to change. She found two bugs on Uber that day, which she says made her shake with excitement so much that she could barely finish her report. She describes the feeling of discovering these vulnerabilities as a really intense high that she is forever chasing now. Currently a part-time bug hunter and graduate student working towards a PhD in defense and security, Katie is also sharing her knowledge with fellow hackers on her popular YouTube channel. Besides hacking, another craft she has fully mastered is knitting. Katie may be less known for her knitting chops, but that's what keeps her calm and grounded. In fact, she always rocks her lucky socks during live-hacking events. Read more about them below.
How did you come up with your HackerOne username?
My PhD is in insider threats, and it kinda sounds like inside-a-phd.
How did you discover hacking?
I have some friends who are hackers who dragged me into it, but now I love it!
What motivates you to hack and why do you hack for good through bug bounties?
I love the challenge; there's something really fun about bug bounty where you have a puzzle but all the pieces are blank. You can figure out a developer by just looking at the product they made, and then think about ways to break it. I definitely focus on products I personally use or that I might use; it helps me focus on the bigger picture.
What makes a program an exciting target?
New programs are always exciting, and targets whose applications I already use. I love an interesting scope though, and the right scope can be amazing to hack on. I love working on scopes where I can keep the entire logic in my brain at once; it helps me fit together all the pieces.
What keeps you engaged in a program and what makes you disengage?
Communication is key for me; I want to work with programs who want to work with me. I want to know that a program will care about my findings and take them seriously, but also keep me updated on the progress of my bug. I think about hacking as a collaborative effort, so I want to work with people who'll collaborate with me!
How many programs do you focus on at once? Why?
I am a single-program person. I like to go deep and become almost an expert on a target for a while. Plus I like to highlight likely bug locations and ideas and let those ideas sit while I learn more about a target.
How do you prioritize which vulnerability types to go after based on the program?
I'm a big fan of APIs, and so the OWASP API Top 10 has become my Bible! Plus I read a lot of API write-ups and disclosures. For me, I prioritise likely bug locations and work on them rather than focus on particular vulnerabilities.
How do you keep up to date on the latest vulnerability trends?
Twitter; honestly, it's amazing how many tips, conferences, advice, write-ups and disclosures are all in one space. It can be really difficult to find the right people to follow and really focus on getting the best timeline, but once you do, it can be difficult to look away with all the free knowledge the best hunters give out!
What do you wish every company knew before starting a bug bounty program?
It can seem daunting to let a bunch of hackers loose on your systems, but we're all good people and we care about security!
How do you see the bug bounty space evolving over the next 5-10 years?
I see a lot more automation and recon, but I think we'll see more formalised methodologies and people really focusing on the best way to hack for them. I hope to see more organisations getting involved so we can see even more targets with even more cool stuff to hack!
How do you see the future of collaboration on hacking platforms evolving?
Collaboration is key, especially in getting those difficult bugs; just having someone to chat to can be the difference between struggling and picking up bugs!
Do you have a mentor or someone in the community who has inspired you?
So many people in this community have been really important to me and have acted as mentors! Daeken, TomNomNom and Rhynorator have been formal mentors and continued acting as not just mentors but also supporters! Dawnisabel has also given me a lot of her time to talk about iOS and to teach me iOS bug hunting!
What educational hacking resources do you wish existed that don't exist today?
I'd really like to see a realistic CTF, where there's an entire web app but only like 1 bug, and it's a low severity. Seems like a strange request and a lot of work, but I think newbies struggle with CTFs, especially in getting used to hacking applications that might only have one bug.
If you had a magic wand and could change one thing on the HackerOne platform, what would it be?
I'd love to see more statistics, especially regarding program responses.
What advice would you give to the next generation of hackers?
Start hacking, don't just learn, take the plunge; you'll never feel ready, but you will have bugs!
What do you enjoy doing when you aren't hacking?
I make lucky socks! They are basically the key to my bug hunting; I knit each pair while watching and learning, imbuing them with cyber security knowledge.