Ziot, otherwise known as Brett Buerhaus, lives and breathes cybersecurity. When he’s not working as a Security Engineer for Blizzard Entertainment, he’s solving challenges and drafting write-ups. He’s been solving puzzles since 2014, and his most recent write-ups include h@cktivitycon Pizza Time, Nahamcon - Trash the Cache and JosieBellini’s Yours Truly Puzzle Walkthrough. You might also recognize him as one of the main administrators and co-creator of Bug Bounty Forum. Brett has won multiple security awards including being the Most Valuable Hacker for h1-212 in New York City, as well as DEFCON 23 and 24 Uber Badges. Brett has found over 366 vulnerabilities on HackerOne for enterprises such as Verizon Media, Dropbox and PayPal. Read on to learn more about his path to advancing his cyber skills with hacking challenges.
How did you come up with your HackerOne username?
This is an alias I've been using in gaming for a long time. In the past, people in the security scene tried to hide their identity with aliases. Even on HackerOne, I originally used the name “nagafen”. This was a reference to Lord Nagafen, a dragon in the MMORPG EverQuest, one of my favorite games growing up. Eventually, I realized that I need to not hide my name on HackerOne, and had it switched over to “ziot”. As this scene has become more legitimate and the word “hacker” is not as scary anymore, I have even started to use 'bbuerhaus' on some social media places.
How did you discover hacking?
My discovery of hacking and security came mostly from hosting forums and seeing people exploit video games. There were a lot of times I was in awe of what people could do with a piece of software, defying the rules given to them, and making it do what they wanted it to do.
Combined with learning programming and having to patch forums against vulnerabilities, this led me down a path of wanting to discover these vulnerabilities myself. Over time, I started to learn how to identify these issues and exploit them.
I also tell people that very early on I got involved in Capture the Flag, Alternate Reality Games, and puzzles. Sometimes these things are not directly related to security, but it encompasses the same mindset. You are given obstacles that you need to deconstruct and figure out how to get to an end goal.
Not to be cheesy, but in some ways hacking is just a state of mind - a way of seeing things.
Getting a professional security job, doing consulting gigs, and getting involved in bug bounty has formalized hacking for me a lot. Despite this maturity and formalization, the grassroots passion and motivation have never left me.
What motivates you to hack and why do you hack for good through bug bounties?
For a long time I would have said that I did it out of curiosity and a desire to discover new knowledge. As I get older, I would say that I am definitely driven a lot by money.
I would say that there are some programs I would probably never hack on except if I want to help them or I am motivated by something else, such as curiosity.
An example is a program on HackerOne (private, can't say which) where I had submitted over 100+ vulnerabilities to them before they even had a bounty program or rewards. I did this in my free time, half because I cared about them, half because I was curious, but really I just wanted to challenge myself against them.
What makes a program an exciting target?
Big scope, interesting features, and good payouts. Smaller scopes can be exciting, but only if they're new or interesting.
What keeps you engaged in a program and what makes you disengage?
I stay engaged with a program if I feel like I am actually helping them and that they care about my efforts. Communication from their security team goes a long way. There are a few programs that have done this very effectively and I have spent most of my time hacking on them.
Disengagement comes as a result of slow response times, disagreements that we cannot resolve, and a corporate-y feel where I don't feel like I am actually contributing to the company. If my reports are just for your compliance and I'm a simple metric number, why bother? The only way you'll retain my attention at that point is with big rewards.
After years of hacking and hundreds of reports, only a few programs have sent me personally written thank you notes and one program sent me a holiday card. Maybe there are thousands of hackers out there and I'm not that important, but those are special and always mean a lot to me.
How many programs do you focus on at once? Why?
That's a hard question to answer. At any given time, I'm focusing exclusively on one target. But that may mean it gets a few hours of attention at noon and I'm looking at a different target at midnight. I've got a security folder with 100+ folders in it, one for each target. Some of them are gigabytes of recon data, js files, notes, etc. I don't do the scaled up recon and exploitation throwing the same vuln at 100+ companies. I enjoy focusing on a single application at a time.
How do you prioritize which vulnerability types to go after based on the program?
My initial time on a program is spent just using it to see what features exist. For example, I'm only going to be looking for PDF style vulns if I see that they have a feature that generates PDFs with user-input.
The rest of the time it is a bit of a flow. I go through the JS files, the endpoints, then look at headers and responses. Does it look like software/CMS such as Wordpress or Drupal? Is this a custom built application? Do the errors help me identify what language they used to build this? With a little bit of poking around and fuzzing, you can usually answer these questions.
At that point, I'm looking for vulnerabilities specific to the initial results.
With all of that said, the flow is a lot less complicated than it sounds. It is hard to put into words how you think or approach these things. Maybe it is primarily human intuition based on past experiences? If I see an endpoint, I just try attacks on it that I think will work and adjust based on how it responds.
How do you keep up to date on the latest vulnerability trends?
The past few years, I would say Twitter has done a very good job at that. I have had people tell me that they don't understand Twitter, but I tell them that for me, personally, it has been an amazing tool for the security scene.
What do you wish every company knew before starting a bug bounty program?
- Dedicate a person exclusively to researching and managing your program. Have them reach out to other companies that host programs to get lessons learned before you start. They will be able to provide insights that may help you better launch your program. There have been years of lessons learned and I genuinely think these companies are happy to share some of these tips with you.
- Don't start public - unfortunately, there are people out there who are just going for cash grabs or who have a general lack of experience. This is going to flood you with bad reports and make you jaded quickly. Start private with a handful of strong bug bounty hunters and maybe a couple of randoms with lower rep. Build up a process and start to add more people as you feel you can manage it.
- Bug bounty is an extension of your security arsenal, not security itself. Bug bounty is flashy, but you need to look at what your organization may need before you even consider it. Sometimes you will be better off starting with an internal app sec or pentester employee. You may even need product managers who can manage the flow of ingesting vulnerability reports. Or you need stronger engineering efforts to manage the additional work for patching vulnerabilities. As much as I love to get my hands on a vulnerable product and make bounty money, I would rather a program be stable and not die within a week because they could not manage the program or budget.
- Get a good pentest done before you even think about dipping your toes in bug bounty. This will give you a grasp on your security surface, low-hanging vulnerabilities, and let you better understand what your internal vulnerability management flow looks like. If there are any problems or hiccups during this process, you aren't ready for a bug bounty program.
How do you see the bug bounty space evolving over the next 5-10 years?
- A lot of bug bounty is web-based and I believe that eventually, browsers are going to become stronger at defeating a lot of these low-hanging vulnerabilities. As this happens, there will be far fewer low-hanging vulnerabilities and more emphasis on interesting vulnerability chains.
- Hacking resources, training, and tools are so widespread and available now that it is no longer tribal knowledge and paving your own way. This is going to lead a lot more people into the security industry. I also believe this will lead to saturation in bug bounty.
- As programs become more saturated, it will result in higher payout/rewards, but will become far more challenging and lead to fewer finds. In other cases, it may result in more noise and lower pay.
- More companies are going to get involved making it harder to retain attention from hackers. I believe companies are going to have to come up with new ways to incentivize hackers, other than just monetary rewards.
- Platforms are going to have to find ways to incentivize hackers to spend time regardless of saturation, if they want to retain customers. It may reach a point where hackers will no longer spend time hunting for free.
Do you have a mentor or someone in the community who has inspired you?
I will always give a shout out to NahamSec. He is a champion for the hackers in this community. He has also been an extremely good friend to me for years now. I probably would never have been able to work up the confidence to do the Live Hacking Events without his encouragement.
What educational hacking resources do you wish existed that don't exist today?
I honestly don't have a good answer for this. We barely had any resources when I was growing up and a lot of the resources were incomplete or terrible. There are endless resources for security nowadays.
What advice would you give to the next generation of hackers?
Don't get caught up in the money. You will disappoint yourself and burn out fast. There is a lot of money in this industry and bug bounty is one of the biggest culprits of flashing big numbers everywhere.
I joined a gaming company without the intention of pursuing a career in security because it was just a hobby of mine. Eventually I realized it was what I was passionate about and pivoted to focusing entirely on security.
If you love security and are passionate about it, the money will come later.
If you find yourself up late at night hacking on a program, writing code, making a game, or doing whatever it is that you love to do, and you don't know why... this is the thing that you should pursue in life. Don't let other people shape you too much. Be yourself and focus on what you want to do. Stay hungry and pursue it.