A Security Consultant at his own business (17Security), a student at the University of Nebraska Omaha, and a seasoned bug bounty hunter, Sam Curry, aka “zlz”, was only 12-years-old when he started hacking. He’s known for submitting security vulnerabilities to big companies such as Starbucks, Verizon Media and Twitter, but his most infamous discovery was a security vulnerability in Tesla, which he found after cracking his windshield. Sam has written countless attacks and exploits on his blog, sharing his thought process. Read on to learn more about his hacking techniques!
How did you come up with your HackerOne username?
About a month before joining HackerOne, a new website was released and I wanted to have a cool username. I spent about thirty minutes trying to find a three letter username that hadn’t been taken. Eventually, the username “zlz” went through and after I registered on that website, I used it for my HackerOne profile, also. Looking back I kind of wish I had chosen something more professional or a username that meant something to me, but at this point in time I’ve kind of adopted it for everything.
How did you discover hacking?
I discovered hacking through a forum dedicated to video game cheating. We’d all spend time trying to find bugs in online games (things to make your character invincible, get more gold, little things like that) and someone else from the group had found an issue on the website. It allowed them to send a very small fraction of money to another user and the service would round up the fraction to something larger than what was sent. We used this to get a large amount of gold on the game by sending gold between ourselves. I began exploring web application security after that.
What motivates you to hack and why do you hack for good through bug bounties?
I’m motivated to hack because of the massive freedom it provides in my everyday life. There is such a large number of organizations that are willing to pay competitive rates for security vulnerabilities that I’m able to do something different every day. I’m able to work remotely to find these vulnerabilities, and don’t have to live somewhere expensive to do it. I love the process that bug bounty platforms provide to do this safely.
What makes a program an exciting target?
If the applications in scope have interesting or complicated functionality.
What keeps you engaged in a program and what makes you disengage?
If a program has active development or a large amount of scope, I’ll maintain interest. If a program restricts the researcher (only allowing certain submission types, limiting the scope, or doesn’t allow for something like scanning), then I’ll typically become disinterested.
How many programs do you focus on at once? Why?
Only one because I love digging deep and am unable to focus if I’m trying to find vulnerabilities on multiple targets at once. Every once in a while I’ll find an interesting methodology that I try to apply to multiple targets but it’s not very often.
How do you prioritize which vulnerability types to go after based on the program?
I prioritize based on what vulnerabilities have paid the most historically per their hacker activity, and what vulnerabilities they define as most impactful on their scope page.
How do you keep up-to-date on the latest vulnerability trends?
I follow lots of security researchers and organizations that publish research, findings, and changes in things like HTTP or web browsers.
What do you wish every company knew before starting a bug bounty program?
The time it takes for a submission to receive a bounty is as important as the actual bounty amount in terms of maintaining happy researchers.
How do you see the bug bounty space evolving over the next 5-10 years?
It will be more clearly understood by the security community and will have grown quite significantly. The fact that organizations must have a bug bounty/vulnerability submission program in order to have a solid security posture will be fully embraced.
How do you see the future of collaboration on hacking platforms evolving?
The number of bug bounty communities will increase significantly (Discords, Slack groups, and local get togethers) and bug bounty platforms will continue to grow relative to the demands of collaboration.
Do you have a mentor or someone in the community who has inspired you?
There are far too many people who seem to always be coming up with inspiring research and I’d feel guilty not being able to list all of them. I look up to nearly everyone who spends their time coming up with new ways to think about this stuff.
What educational hacking resources do you wish existed that doesn’t exist today?
Some way in which people can actually share real processes of them hacking, similar to Twitch. This is unrealistic as it’s a bit dangerous, but would be great if it existed.
If you had a magic wand and could change one thing on the HackerOne platform, what would it be?
All reports would be public!
What advice would you give to the next generation of hackers?
Working with others is one of the best ways to grow.