As we wrap up Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to spotlight one of the top-performing security researchers in the GitHub Security Bug Bounty Program: @adrianoapj! And don’t miss our previous post highlighting @imrerad.
As home to over 100 million developers and 420 million repositories, GitHub is committed to the security and reliability of the code that powers daily development. The GitHub Bug Bounty Program plays a pivotal role in advancing the security of the software ecosystem and lets developers create and build confidently on our platform and with our products. We firmly believe that a successful bug bounty program is built on collaboration with skilled security researchers.
As we celebrate an amazing 10 years of the GitHub Security Bug Bounty program, we are also looking toward the future and at ways to engage more closely with the research community to advance the security landscape. We remain excited about opportunities to meet people and give back to the security community. We love learning from our researchers things that help us ship even more secure, best-in-class products, and we are thrilled about what our future together holds.
To close out Cybersecurity Awareness Month, we are interviewing one of the top contributing researchers to our bug bounty program. Read on to learn more about their methodology, techniques, and experiences hacking on GitHub. @adrianoapj specializes in information disclosures and has submitted many interesting and unique issues.
How did you get involved with Bug Bounty? What has kept you coming back to it?
Long before getting started with bug bounty, I had already been in tech for some years. I got into Bug Bounty when I first learned about it from a Brazilian cybersecurity YouTube channel, and then I started to do some capture-the-flag (CTF) exercises and watched videos from Hacker101, which helped me a lot to get all the knowledge that I needed to get started. The GitHub Bug Bounty program was the first program that I started to hack on, and it is currently the program where I send most of my reports.
Something that kept me really motivated at the start of my journey was the defense-in-depth class of bugs in GitHub’s program. In short, the first vulnerability that I reported to GitHub had a really low severity, but GitHub still decided to reward it with a bonus for the effort. Currently, what motivates me to keep hunting is the challenge of finding bugs, the visible impact of the issues that I find and report, and of course, the bounties!
What do you enjoy doing when you aren’t hacking?
Most of the time that I’m not searching for bugs, I am actually working as a full-time infosec analyst. But in my free time, I like going out with some friends from church and playing video games. This year I also started running, so that’s something that I like to do to relieve some stress.
How do you keep up with and learn about vulnerability trends?
Mostly, I read write-ups and public bug reports that have been disclosed on HackerOne. I am also a big fan of HackTheBox and HackTheBox Academy, where I go to learn new classes of bugs, challenge myself to improve techniques, and get new ideas to test on bug bounty programs.
What are your favorite classes of bugs to research and why?
My favorite class of bugs to research is information disclosure because they normally present a significant impact and they are easy to spot sometimes.
You’ve found some complex and significant bugs in your work. Can you talk a bit about your process?
I usually start by choosing the feature or website that I’m going to test. GitHub Stars was one of the first GitHub websites I ever tested. I’d learned about it from a post on X and decided it would be a good target since it was a new project and there likely wouldn’t be a lot of people searching it for bugs. I was right, as I found a lot of great vulnerabilities there. I also like to look at the GitHub Changelog so I can test new features or changes, which are a great place to start for finding bugs, in my experience.
For my process, I rarely use automated tools. Instead, I start by learning everything I can about the specific feature or project that I am searching for bugs in. After getting a deep understanding of it, I write down some possibilities and/or assumptions about what the entry points for vulnerabilities could be. Then, I start to test these possibilities, and I either find bugs or iterate and think about new tests until I find something.
Do you have any advice or recommended resources for researchers looking to get involved with Bug Bounty?
Yes! I would say that perseverance is really necessary for researchers, especially when you are starting out in Bug Bounty. Sometimes, searching for bugs can be frustrating, especially when you are dealing with duplicate or informative reports, or you end up going down rabbit holes. But it’s important to know that every service is subject to bugs, and when you keep searching for them, sometimes you find something!
I have some recommendations for learning the knowledge necessary for Bug Bounty:
- Hacker101 (for people who are starting to learn about cybersecurity and Bug Bounty).
- HackTheBox and HackTheBox Academy (for everyone looking to improve their skills and test their knowledge of offensive cybersecurity).
- Write-ups in general, including blog or X posts, and public reports available on HackerOne.
Do you have any social media platforms you’d like to share with our readers?
My GitHub profile is adrianoapj and my LinkedIn profile is /in/adrianoapj.
Thank you, @adrianoapj, for participating in GitHub’s bug bounty researcher spotlight! Each submission to our bug bounty program is a chance to make GitHub, our products, and our customers more secure, and we continue to welcome and appreciate collaboration with the security research community. So, if this inspired you to go hunting for bugs, feel free to report your findings through HackerOne.
Interested in helping us secure GitHub products and services?
Check out our open roles!
The post Cybersecurity spotlight on bug bounty researcher @adrianoapj appeared first on The GitHub Blog.