This week’s Researcher Spotlight is on @justinsteven. Justin is a very early member at Bugcrowd and has become one of the top bug bounty researchers in the world. This week’s interview gives some great tips and insights into how to approach bug bounties, as well as a great back story on how Justin got started.
As for how I got started in security and appsec, I (mis?)spent my youth poring over textfiles and zines, admiring the phreaks of years gone by, falling in love with the culture and the community and the sense of curiosity that drove it. The first paper that I actually grokked was about softmodding the original Xbox, hot-swapping its IDE drive to drop font files (which weren’t covered by code signing) that would exploit the system dash on each boot. It was a feeling of “I couldn’t have found this attack chain myself, but it’s not voodoo magic. Get the Xbox to unlock its own HDD, drop files that aren’t covered by code signing, exploit a buffer overflow on boot because the font reports something lengthy in itself as being of 0 length or something and it confuses the system somehow. I kind of get this. Maybe one day I could be doing my own breaking.”