‘Persistence is key, and so is not expecting a huge payout on day one’
It all started with a Commodore 64, but Alex Chapman’s passion for programming crystalized into an interest in ethical hacking following a careers advice day at university.
Since graduating in computer science in 2007, the London-based vulnerability researcher has worked in pen testing, red teaming, and security research during stints at Deloitte, Context Information Security, and Yahoo.
Having also worked for HackerOne and on Yahoo’s vulnerability disclosure program, the full-time bug hunter’s thoughts on the future of the bug bounty market are well informed.
Speaking to The Daily Swig, Chapman explains his interest in CI/CD systems and containerization, as well as why greater collaboration between hackers and involvement from pen testing firms would be a boon for the bug bounty field.
When and how did you get into ethical hacking?
I think I got my first PC, a Commodore 64, when I was eight or nine. When my dad brought it home from a trade show, I took it apart.
I started programming, give or take, as soon as I started using computers properly, so [age] 10, 11, 12, and then I got quite interested in the security scene.
I was expecting to leave university to do a development job, but then somebody came in from, I think, Ernst & Young for a careers day and said you could actually do ethical hacking as a career, which blew my mind.
I think I submitted one bug [to a vulnerability disclosure program], but it wasn’t until I started getting involved in bug bounties from the program side at Yahoo that I really got into it.
I was at HackerOne for just under 12 months, but a lot of that time was actually compassionate leave because my wife and I lost our daughter.
When I went back to HackerOne I wasn’t ready, so I took some time off, really started getting into bug bounty [hunting], and decided to give it a go full time.
Are there any particular technologies that you’re interested in probing?
I’m not good at web hacking. It doesn’t interest me as much as source code analysis, reverse engineering, or system analysis.
I’ve spent a lot of the last two years focusing on CI/CD systems. That’s where I enjoy hacking: where complex systems interact and things could logically go wrong, as well as your classic reverse engineering and looking for bugs in native apps.
What else do you look for when deciding which programs to target?
I’ll generally work on programs that I know other bug hunters have had good experiences with.
I do this full time and I’ve got to pay the mortgage, so I also look at the top 10-15% of programs for payouts.
But if I felt like a program was becoming a grind, I would probably move on to something else. So, exploring interesting technologies is the biggest thing that drives me, as long as I can make enough money.
Have you encountered any problems with responsible disclosure?
The biggest issue has been slow payments, where programs have taken 6-9 months to pay, so I do tend to stick to programs that I know pay within a reasonable time scale.
And, once or twice, trying to convince the program that a bug is a bug – perhaps I didn’t explain it well enough in the initial report or provide good enough examples.
I think that’s where a lot of the rub comes from between hackers and [vulnerability disclosure] programs: we’re not necessarily that good at explaining the bug or explaining the risk.
The rise of containerization prompted Chapman to find several ‘overlapping bugs’
What security vulnerability are you most proud of discovering and why?
A couple of years ago, at H1-702, I managed to get code execution on GitHub. The bug itself wasn’t particularly great, but it was an area I’d been meaning to look at for a year or so.
I had always suspected the bug would be there, so when I finally got around to looking for it, it was just very satisfying to know it was there – and it was my highest payout.
What are the most interesting trends in terms of the code and technologies researchers are trying to crack?
The biggest thing that I see – and it’s partially because I go looking for it – is the use of containers.
Recently I’ve done a lot of programs with containerization and Kubernetes, and found particular bugs in one program, then checked them against other programs running similar technologies. I’ve only found a few overlapping bugs, but each one has led me down a different path to then find other bugs in other programs.
What advice would you give to an aspiring or inexperienced bug hunter?
Don’t expect the world from bug bounties; it’s a slow process and can be a grind. I had 13, 14 years of experience as a professional doing security work, penetration testing, and research, and I still find it difficult to find bugs.
Persistence is key – and so is not expecting a huge payout on day one.
Any other career plans in the next few years other than continuing full-time as a bug hunter?
Nearly two years into it, the one thing I would consider moving away from bug bounty for is community, [working in a] team, and [career] progression.
While I’m able to make a very good living with bug bounties, there’s no ‘next step’ [in terms of joining or running a team].
I have an idea about setting up a team of bug hunters. There’s three or four people who work as pen testers locally who I would love to get involved, but trying to convince them to leave full-time employment is proving more difficult than I’d hoped.
That’s interesting, as bug bounty hunting does seem to be predominantly done as a solo endeavor. So, you think a more collaborative approach could be fruitful?
Certainly. I think that would be a very lucrative way of doing it. Everyone would bring their own skills and experiences to the table.
When I have collaborated with other hackers for live events, or for one or two bugs, that conversation is key. Just to be able to explain things and have someone challenge your assumptions often leads to things you would never have thought of on your own.
I’m very much an introvert, so I’m happy working on my own, but, not seeing people every day, it certainly does get to a point where I would much prefer to be working in a team.
Is there anything else you want to add about bug bounty or infosec more generally?
I’ve noticed recently that bug bounty has a bit of a PR problem in that a lot of people assume it’s always about very bad bugs being submitted by everyone.
I’ve seen bug bounty from all three dimensions – the platform side, the program side, and the bug bounty side – which not many people have seen.
In the coming years – hopefully in the next 12-24 months – I think we’ll see bug bounty being accepted by traditional penetration testers a lot more.
Even traditional British penetration test companies, I think, will be using their consultants’ time on bug bounties when they don’t have engagements. I’d love to see professional companies working on this as they would any normal pen test engagement.
One thing that I disliked about working as a pen tester was the target was always defined for me.
Whereas if consultancies can say to you, “you don’t currently have an engagement, here’s a list of bug bounty programs that we think could be lucrative”, it covers that thing of research time, you get to apply those skills elsewhere, and it would have a potential return on investment.