Our conversation with Ian Carroll (Staff Security Engineer at Robinhood) spans the history of bug bounty at Robinhood, Ian’s approach to bug bounty program management, and why the hacker experience is so important to him. Stick around for the end of this article where we interviewed Ashwarya Abishek, the top hacker on Robinhood’s program with over $100,000 in bounties earned! Ashwarya explains how he decided to become an ethical hacker and why he chose to hack Robinhood.
> Customer Q&A with Ian Carroll
Q: Tell us who you are.
Ian: My name is Ian Carroll, and I’m a staff security engineer at Robinhood. I lead our bug bounty programs at Robinhood, and I’m also a member of our Red Team, where we work on finding and fixing security issues in Robinhood, much like a bug bounty researcher would.
Q: Tell us a bit about Robinhood and why cybersecurity is so important to your business.
Ian: Robinhood is a trading app that allows our customers to trade stocks and cryptocurrencies, save and spend money with our spending account, and more. Safety First is Robinhood’s primary company value, and protecting our customers and their assets is extremely important to us. It is our responsibility to ensure we’re providing confidence and trust for our customers as they entrust us with safeguarding their money and investments.
Q: Tell us about your HackerOne journey. How has your program evolved over time?
Ian: Robinhood has had a HackerOne Bounty program since 2016, almost since Robinhood itself launched! Our CEO was actually still a member of our HackerOne team when I joined. Based on our early successes, we have increased our dedicated resources to grow the program further. In the past year, we expanded our program’s scope, launched two new private programs on HackerOne, and awarded more bounties over the past year than ever.
We’ve also improved our internal processes for handling submissions. Once validated, our Vulnerability Management team has built a stellar process for tracking and handling vulnerabilities coming from the bug bounty. Service owners can see all the vulnerabilities for their service and the associated SLAs for every reported vulnerability. We also started using CVSS ranges to calculate bounty payments, which drive more consistent payouts and remediation in our program.
Q: What role does your bug bounty program play in your overall security landscape?
Ian: Our bug bounty program is an important way for us to validate that the work we’re doing to improve our security is working. Our Product Security and Enterprise Security teams create comprehensive mitigation plans based on findings from the bug bounty program and vulnerabilities from other programs such as pentests and red team engagements. These efforts result in a reduction in all kinds of issues. Similarly, findings from our bug bounty program often allow us to identify services or features that need further attention from us so that we can further target penetration tests, additional code reviews, and so on.
One key example of this has been around our acquisitions – we’ve been able to quickly add the assets of our new acquisitions into our HackerOne programs, and then we immediately start to get visibility into the actual risks each asset may have. The acquired companies also appreciate getting this new visibility, which allows us to build relationships with their teams while working together to remediate any reports.
Q: Tell us about your favorite bug or most interesting finding from your program. Any other surprising results from the program?
Ian: Some of our best reports have actually come from our own customers who create a HackerOne account just to submit a finding to our program! One really interesting report we recently received was from a customer using a particular smartphone where the biometric authentication wasn’t working correctly only on that specific model. We were able to find someone else on our team who had the same phone and reproduce the issue, but we would have never noticed this kind of issue ourselves! We quickly got a fix out and paid them their first bug bounty. Our customers have also helped us find complex issues in our trading flows that don’t look like normal security issues at all, but are highly impactful to our business.
Q: How do hackers help you spot vulnerability trends across your attack surface?
Ian: I’m very happy with the scope of our bug bounty program, where we accept almost any security issue that could impact Robinhood, regardless of what technical asset has the problem. We also get a lot of interesting submissions about third-party vendor products and misconfigurations because we have all of our domains and applications in scope. In addition, we run private programs for our acquisitions to further strengthen those assets.
As a relatively younger company, casting this wide net helps us identify trends across everything we use. In the future, we’re working on creating and distributing reports to our other teams on security based on the Common Weakness Enumeration (CWE) trends, which will help teams easily identify the types of vulnerabilities we’re seeing!
Q: Ian, along with being a customer, you also hack on the HackerOne platform. From experiencing both sides of the coin, what are some best practices for forming mutually beneficial relationships with hackers?
Ian: It’s been very helpful for me to have the perspective of both a researcher and a program manager. It gives a lot of insight into how both sides interact and what they expect and helps me focus on what I know researchers would appreciate the most. My first priorities with our program were to set up fast and consistent triage and awards to researchers, as I find this is a struggle for many programs.
We also try to be candid and transparent with hackers. In our private programs, where we have NDAs in place, we can often share source code snippets and other internal documentation to help the researcher understand the root cause of an issue or why the severity was set in a particular way. Additionally, when we can escalate an issue to be more severe than what a researcher reported, we always pay the researcher for the higher severity. We hope this builds a lot of trust and goodwill between both the researcher and Robinhood.
Q: What will long-term success look like for hacker-powered security at Robinhood?
Ian: We aim to keep shifting left in the product development lifecycle and letting researchers find as many vulnerabilities across as many new and existing features as possible. We have been granting our VIP researchers access to new product releases before the general public has access, and we hope to continue doing this for the foreseeable future. Additionally, we’re working on test accounts so that researchers outside the United States can test our assets just as anyone else can.
> Hacker Q&A with @ashwarya
Q: Tell us who you are.
Ashwarya: Hi! My name is Ashwarya Abhishek. I’m from Delhi, India. I came from the financial field as an aspiring chartered accountant, but circumstances brought me to bug bounty, and I’ve been doing it full-time since 2020.
Q: How long have you been hacking/in the cybersecurity industry?
Ashwarya: I’ve been into bug bounty full-time since January 2020. I started doing bug bounty in 2014 as a part-time hobby when I discovered the HackerOne platform. Back then, I’d read public reports and apply similar logic to different programs (Yahoo, Twitter, etc.). That approach got me a few bounties, but soon I got responses of ‘N/A’ and ‘Informative’ on all my reports, leaving me with terrible stats (<200 Reputation, negative Signal, <10 Impact). I soon realized that bug bounty was not for me, and I quit sometime around the beginning of 2016. I was only sending reports without understanding my findings, so these responses were bound to happen sooner or later.
During 2018-2019 I was going through severe financial issues, and out of nowhere, I received a Private Invite from Exness to hack on their HackerOne bug bounty program. Out of curiosity, I opened the link and accepted the invitation. There were several things going on in my mind for the next two days as this invitation and the sudden recollection of HackerOne and bug bounty brought a ray of hope into my life.
On January 1, 2020, I decided to quit my day job and jump into bug bounty. The reason was simple: income from my day job – even if I saved for the next decade – wouldn’t help me get out of the financial issues I was going through, but there was a ray of hope from bug bounty.
Everyone who came to know about my decision called it dangerous as I didn’t possess any cybersecurity degree or certification and had no training. Even my past HackerOne stats were screaming not to pursue the infosec route full-time. There was also no surety that I’d be able to find enough bugs to earn close to my monthly salary.
Circumstances eventually brought me to this path, and I don’t regret my decision to quit my profession. I started from scratch, gradually learned, and I haven’t looked back since I started full-time in 2020.
Q: How long have you been hacking on Robinhood, and why did you choose to focus on Robinhood’s program?
Ashwarya: I started hacking on Robinhood on January 1, 2022. I hack on Robinhood primarily because of their response efficiency and decent bounties.
Q: What do you enjoy about hacking on Robinhood? What keeps you motivated to hack on this program?
Ashwarya: I’m motivated by the vast scope of Robinhood’s program. It’s been a full year, and I believe I haven’t fully explored 50% of their endpoints, and gaining access to the restricted services always excites me. At first, I sensed that there were very few hackers who could have gone deeper with this program (due to restrictive access), so I thought there was a lot of potential for me and my 100% manual approach to hacking, and I wasn’t wrong with my judgment.
I also value Robinhood’s transparency during report evaluation, and their bounty pay-out upon triage keeps me motivated to continue digging around this program.
Q: Without giving away scope that’s not already public, how do you approach the target?
Ashwarya: Broadly speaking, my manual approach remains plain and simple.
1. I manually check every single subdomain every few days to identify potential subdomain takeovers or application-level misconfigurations. It also helps me to identify any hidden subdomain apps where I need to dig deeper since there are higher chances you might end up with API keys or secrets in a .js file linked with those hidden apps.
2. I manually visit every API endpoint repeatedly until I understand the flow and its intended purpose. Once I’m familiar with the endpoints and flows, it’s far easier to spot any weird behavior and potential changes/issues. Although it’s a time-consuming task, it’s the most important thing for me with any target, and it’s worth the effort.
3. I don’t approach a target with any specific issues in mind. Instead, my approach relies purely upon the logic in the target process flows.
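The first item in that answer, checking subdomains for takeover conditions, has a defender-side counterpart: an inventory check that walks your own DNS zone and flags CNAME chains ending at a name that no longer exists, so the record is removed before anyone reports it. The example below is added here and is not code from the interview, Ashwarya or Robinhood; the zone names and records are constructed for illustration, and anything absent from the snapshot is treated as non-existent.

```python
# Added example: defender-side check for dangling DNS aliases (constructed data).
from typing import Dict, List, Tuple

# Constructed zone snapshot: owner name -> (record type, value).
# Any name absent from this map is treated as non-existent (NXDOMAIN).
ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.test": ("A", "203.0.113.10"),
    "app.example.test": ("CNAME", "www.example.test"),
    # Marketing site on a hosting provider; the provider-side name was deleted.
    "old-promo.example.test": ("CNAME", "promo-site.hosting.test"),
    # Two aliases pointing at each other: a misconfiguration, not a takeover.
    "blog.example.test": ("CNAME", "alias.example.test"),
    "alias.example.test": ("CNAME", "blog.example.test"),
}

Records = Dict[str, Tuple[str, str]]


def resolve_chain(name: str, records: Records, max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow CNAMEs from `name`. Returns (status, chain): 'ok' when the chain
    ends at an address record, 'dangling' when it ends at a name with no record
    (the takeover precondition), 'loop' on a cycle or too many hops."""
    chain, seen, current = [name], {name}, name
    for _ in range(max_hops):
        record = records.get(current)
        if record is None:
            return "dangling", chain
        rtype, value = record
        if rtype == "A":
            return "ok", chain
        current = value  # CNAME: hop to its target
        if current in seen:
            return "loop", chain + [current]
        seen.add(current)
        chain.append(current)
    return "loop", chain


def find_dangling(records: Records) -> Dict[str, List[str]]:
    """Classify every CNAME owner in the zone. The 'dangling' list is the
    cleanup queue; 'loop' entries are misconfigurations to fix as well."""
    report: Dict[str, List[str]] = {"ok": [], "dangling": [], "loop": []}
    for name, (rtype, _value) in sorted(records.items()):
        if rtype == "CNAME":
            status, _chain = resolve_chain(name, records)
            report[status].append(name)
    return report
```

Running `find_dangling(ZONE)` on the snapshot puts `old-promo.example.test` in the dangling list and both looping aliases under loop; a real run would replace the dict with records exported from the authoritative zone and live lookups for external targets.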
Q: If someone was new to this program, what advice would you give them?
Ashwarya: Try familiarizing yourself with the flows first (API routes, etc.). Robinhood’s scope is very vast (there are 1,000+ API endpoints in the primary target itself), and there’s a good chance you’ll catch issues if you are familiar with how things work here. But if you only rely on automation (public tools), chances are quite high that you’ll end up disappointed.
Date: 2023-02-22 15:00:00