Bug Bounty Update: Introducing our Most Valuable Hackers!

Sharing updates from our promo event and spotlighting our top hackers.

Uber Privacy & Security

May 28, 2021

Divyashree Joshi, Senior Security Engineer, Product Security

In April 2021, Uber ran its Bug Bounty Promo event in partnership with HackerOne. This event was made successful with participation from all our valued researchers! We received 37 submissions, 6 of which were for high-severity vulnerabilities. We paid out a total of $45,500.

In a new twist, we ran scripted Proof of Concepts for the very first time on our program and received 14 scripted POCs from our researchers!

We saw some amazing bugs and we are thrilled to announce our Most Valuable Hackers from the event: “whoareme,” with a bounty of $15,000, and “hunt4p1zza” and “pmnh,” who collaborated and each won a total of $9,750. Naturally, we interviewed them to find out what makes them so awesome, and we’ll be publishing those conversations in a two-part “Hacker Spotlight” series, starting with this installment. Read on, and stay tuned, to learn more about our top hackers, their journey, and what motivates them to help Uber stay secure.

Uber Hacker Spotlight: whoareme

Hailing from Ukraine, Nick is 24 years old. For the past 1.5 years, Nick has been a full-time Bug Bounty Hunter on the HackerOne platform. Before that, he worked as a Node.js Engineer for almost five years, building high-load web apps for tech startups.

He loves learning new things about information security and tech. When in a good mood, he works on developing automation tooling for the security industry. In a pre-Covid world, Nick loved traveling in his free time!

How did you come up with your HackerOne username?

“Whoareme” — this nickname is a question from the past that helped me understand myself better, start to be in the place that I adore, and do the things that I love to do.

And right now, my nickname on HackerOne is just a reminder for myself. I’m here because I love doing Information Security.

What’s your strategy that got you to the top?

Continuous improvement professionally, and a strong focus on the project I’m working on. I try to understand all the services that the project has; knowing all the functionality and technologies the project uses, I create a threat model for each service. That information helped me focus on the most critical business sides.

How did you discover hacking?

Well, to start with, when I was six years old, my parents didn’t allow me to sit at a computer for a long time. And I always tried to understand how to find ways to steal my parents’ computer password :) I asked my uncle for help. He is a computer repair master.

And he recommended that I read the Basic Book about Computers. He motivated me to find a way to do that. After reading the book a few times I didn’t find a way to hack my parents’ computer and play a lot of video games. But that was an excellent start to understanding how computers work.

Five years later, I started to play the MMORPG Lineage 2 on unofficial servers. But unfortunately, getting some items in the game was hard enough. So I thought, how do I get around that? That’s when I learned a lot about how game servers work and how they communicate with the game. Knowing that information, I was able to sniff my traffic to the game server and modify it to break game logic and clone items in the game.

Back in 2019, I was working on a huge enterprise project that focuses on delivering products to customers. I worked with almost 150 really qualified Node.js engineers. One day in my free time I just decided to code review all the microservices on my project. I was shocked when I found a lot of SQL Injection, Account Takeover, Prototype Pollution, and Account Privilege Escalation to Admin vulnerabilities. Until that moment I had never thought about my role in the security field, but this motivated me to start hacking professionally on HackerOne.

What motivates you to hack and why do you hack for good through bug bounties?

I think the way I feel when I find some high or critical vulnerability in a very big service is the most exciting part for me. You know, my so-to-say addiction is competing with the best whitehat hackers in the world.

I’m confident that my job is helping people worldwide and making their personal information safe as far as I am trying to prevent data breaches.

I am hacking through bug bounties as it allows me to feel free. I have an opportunity to work when I want to and only on projects that excite me. And earn money in the profession that I am actually keen on. That’s all that makes me happy!

How do you prioritize which vulnerability types to go after based on the program?

As I said before, I threat model the program. When I am doing that I am able to see what’s important and what’s not for the business, and prioritize which features I should focus on to make a significant impact. After that, I consider other features and other vulnerabilities with lower impact. Also, a very important strategy for me is to focus only on one type of vulnerability across all services during my research. It helps me not to lose attention and not miss something.

Last year I was primarily interested in exploiting Server Side vulnerabilities and working with Mobile Applications. Exploiting attacks on the Front-End is also fun. Nevertheless, this is not common because modern frameworks/libraries sanitize and escape untrusted values.

How many programs do you focus on at once?

Actually, all the time I’m hacking only one company, namely Uber. I think this is the only way to know a project better than other hackers and in some cases even better than engineers working inside a company.

What makes you excited to hack on Uber?

I’m excited to hack on Uber because I love that product, and in my opinion, it is definitely an opportunity to work with the best engineers in the world. Particularly, we are talking about a big scope and interesting, modern technologies that use various microservices. Uber’s Bug Bounty program offers excellent, fast communication and great rewards for good reports.

What has the Uber program done that you’ve really enjoyed?

The first thing that I really enjoy is good communication. For instance, when I just started hacking on the HackerOne platform and found a few vulnerabilities on Uber I was not able to submit my reports because of program rules for new HackerOne members. I found the Bug Bounty program manager on LinkedIn and asked her about that. In a few hours, my problem was solved. At that moment, I understood that it is definitely people who care about security on their project.

What is more, I really do enjoy participating in the program because of the Loyalty Program bonus. It was a good idea to make additional awards for top researchers after the end of each half. I think a good motivator for me was the April promo event. I’m really enjoying engaging in stuff like that!

What did you enjoy about the Uber April promo event?

Definitely, the adrenaline rush! It always interests me a lot when there is a competitive part. I think reward multipliers are a perfect thing that motivated other researchers and me. Also, the idea to create additional bonuses for scripted POCs was great; I never expected that!

Any advice for anyone interested in starting up fresh as a bug hunter?

To be honest, I don’t see any fast way to become a good bug hunter without knowing at least one programming language and the frameworks that are used on the Web. I have read a lot of stories about how people became “successful” bug hunters without knowing any language. However, I am convinced that every Security Engineer needs to get software development experience first to understand how things work and to know exactly what they are eager to hack. It should be mentioned that communication skills are also essential to being successful. You always need to communicate with other people about your reports. Gaining working experience in some software company would also be a great chance, as there you would have an opportunity to learn lots of different critical things.

Overall, you need to keep yourself motivated on that path. For me, it was a long-term investment. Learn as much as possible about front-end and back-end development, and stay up-to-date with InfoSec news. Try to understand common problems with those technologies, and try to think outside the box.

One more piece of advice: try to select your favorite program. Until I found my first vulnerability in Uber, I spent almost a month and a half without any result. But once I understood how things worked, everything became easier.

Thanks for reading, and don’t forget to tune in to our next installment, which will spotlight our other top hacker team and their bug hunting adventures.
