Hackers represent a global force for good, coming together to help address the growing security needs of our digital society. It’s been a couple of years since we sat down with Alyssa to discuss learning as a community and what she looks for in a program. In the meantime, she’s been busy sharing her knowledge. Check out her blogs here: https://firstname.lastname@example.org.
Today, we interviewed her again to get her perspective on hacking, what makes great programs, and how to stay plugged in to keep up with what’s happening in the space.
How did you discover hacking?
Discovery of hacking for me really started in early middle school and later on in high school due to wanting to play games on school-issued computers or access websites that had games on them. Then it led down this rabbit hole of googling ways to bypass things or “hack” them to do stuff I wanted them to do. Hacking became a practical way to apply curiosity and wanting to understand how things work, or how to achieve unintended behavior, as practical as it is to play games on school time that is.
What motivates you to hack and why do you hack for good through bug bounties?
The primary motivation for hacking has always been to learn and further my own understanding of security. The second reason has been to improve the security and privacy of users through bug bounties, and help companies get a head start on finding vulnerabilities or privacy-violating functionalities.
What makes a program an exciting target?
An exciting program is one that has a large scope, safe harbor, and a responsive /engaged team. These three specific reasons are what I find exciting in a target. If a target has any or all three of these, preferably, then I’d happily participate.
What keeps you engaged in a program and what makes you disengage?
Typically what keeps me engaged is a responsive team or a very interesting target. It’s important to be able to communicate and work with the program team. What makes me disengage is a lack of safe harbor/clear legal policy, inconsistent reward tables or not clearly defined scope and rules.
How many programs do you focus on at once? Why?
At most, I stay focused on one or two programs. I tend to find more bugs and get a better understanding of the program the longer I spend time on it.
How do you prioritize which vulnerability types to go after based on the program?
Primarily I focus on what would impact the company the most. For example, if it’s a medical company, I’d look for any sort of P-II related issues. If it’s a financial company, then I’d look for ways to manipulate money, any defrauding type vulnerabilities, etc. Otherwise, I tend to look for things I’m familiar with the most, or try to look for new vulnerability types I’ve not found before.
How do you keep up to date on the latest vulnerability trends?
Typically I keep up through Twitter or individual security chat groups.
What do you wish every company knew before starting a bug bounty program?
I’d like companies to realize that bug bounties need a structure to support them, which would prevent bug reports from stagnating, falling into the cracks, etc.
How do you see the future of collaboration on hacking platforms evolving?
I think there will be more bug bounty teams popping up and more collaboration-heavy live hacking events.
Do you have a mentor or someone in the community who has inspired you?
@albinowax and @fransrosen are the two who inspired me heavily through my years in bug bounty hunting.