I was just a 15-year-old kid dreaming about security research. Then I uncovered my first exploit.
Since I was young, I always had dreams. One was to go to Hack the North (the largest hackathon in Canada), which I achieved this previous September. It surpassed my wildest dreams. My team even won an API prize from eSentire.
But the point of my story isn’t that I went to some hackathon and won some prize. The point is that I accomplished something that I thought was completely beyond my abilities.
Do you know that feeling? “Yes, I know that there are people out there who can pull that off. But only people with years of experience at [skill].”
Well, that was me 3 years ago, when I started out programming.
I thought the idea of making a computer do something was pretty cool. It never crossed my mind that one day I would do anything amazing with it.
In fact, I told myself over and over that all the things I was building had already been done before. That the value in this process was just in me gaining experience from recreating it.
Well, winning a prize at Hack the North broke my self-suppressing chains. No — it ripped them off completely. I was ready to do anything.
Another dream I had, though much smaller: obtaining a GitHub hoodie.
I’d always admired GitHub as a company, and thought it would be so badass to wear a hoodie from them.
2 months later, I was at a low point, stuck in my work. I remembered this GitHub hoodie dream of mine.
The issue was, I couldn’t just buy the hoodie. How could I wear something that implied so much skill while having just used money to purchase it? I hadn’t earned it, but I wanted it.
I thought of a couple of ways I could earn it. Maybe a hackathon that GitHub sponsored, like GitHub Game Off. But they all had too many variables.
Then I remembered hearing about their bug bounty program. When I heard about it, though, I dismissed it. I thought, “that’s far too advanced for me.”
Well, not anymore. It was time to get to work.
Let’s Get Hacking!
I was really pretty clueless poking around their website. After all, this was my first time attempting to hack a website.
I finally landed on GitHub’s issue system. I already knew that they parsed your comments with their own markdown parser. And with that, I had found my vector of attack. After 6 hours of work, I found a vulnerability far from serious, but good enough to try submitting.
It was a little scary, as you can only submit 5 bugs as a new user, and then you’re toast. I went through HackerOne’s submission process, something I had never even heard of up until this point.
The Response
2 weeks later it was accepted. Sort of.
The exploit was extremely low risk, but GitHub still offered to send swag and pay me. Because of HackerOne’s Hack the World event, I also got unlimited private repositories for life and double points on HackerOne!
Though the hack may have been low risk, and I have personally done much larger projects and better defining competitions, I still find this a milestone in my career as a developer.
It didn’t matter what I looked like or how young I was. What mattered was my experience in software. And I hope that will always be the case.
I bought my hoodie with a portion of the GitHub money, and I now wear it with pride as I crusade across other websites searching for my next hack.