Okay, everyone, I'm going to get everything moving a little bit quicker, but I've got a big slice of pizza I want to get eating. And I will hand over to everyone because I've got a big group of people next to me. So rather than me introducing, I will just hand over to the Bugcrowd lot and let them introduce themselves. So without further ado, thank you, everyone.

Can you hear me okay? Alright, I'm really excited because it's many of our first times actually talking at DEF CON. So this is pretty exciting. I'm going to just quickly do a quick intro and then have these guys talk a little bit more about themselves. My name is Chloé Messdaghi. I work at Bugcrowd. I'm a security researcher advocate. I'm also one of the founders of Women of Security, WoSEC, and also the founder of WomenHackerz. And I'm really happy to be here because we're going to dive into... these are three of our Bugcrowd ambassadors that I get to work really closely with, and I'm so excited for this panel. I have Jesse all the way down to the right. And then in the middle I have Sam. And then here I have Darryl. Anyway, I'm going to have Jesse, can you please go first and tell a little bit about who you are and your background?

So that's my day job. So I spend time making sure our product line is secure. I also run our bug bounty program. And then I spend nights and weekends hacking against other companies on bug bounty programs.

I am Sam Curry. I've been doing bug bounty for about three years. I started off doing full-time research for about a year, and now as a security analyst... I worked there for another year, and I have been doing bug bounty for a year. I have been a Bugcrowd ambassador for about a year, I'd say. Yeah, and he'll do some really cool stuff as well.

My name is Darryl Lopstad. I've been on bug bounty for, like, about two years. I currently work as a senior penetration tester, and I've been doing it for, like, seven. Nice.
Okay, so tell me, how long have you guys been in infosec? Seven years. What about five or six years? Yeah, I think I've definitely dropped continuing the market at this point. Nice. Okay, so let's start with you, Darryl. Oh, actually, Sam, let's keep it with Sam. Okay, so Sam, tell me, when did you start hacking and what were the moments that led up to that?

Yeah, so, like, probably my sophomore year at school I actually started messing with web stuff. I moved into Brooklyn, I think, like, when I was a senior in high school. I, like, spoke with some friends of mine who had been doing it, and I kind of taught them how to do it. I remember I was working at, like, Burger King. It was a good time. But I got paid, like, about five hundred dollars. And at the time that was, like, two weeks' pay at Burger King. So I was, like, ecstatic. So that's how I decided, like, to spend a lot more time doing it. And then after high school, I just did it full time. So I went to university. Nice.

Jesse, what about you? Alright, so yeah, I would say, like, the first time I would, like, consider myself, like, hacking was also in my school. So I thought it was a watch that I could program... my program to control all the teams in my school. And so I definitely got attention about that. But it was kind of, like, my first experience actually trying to break something. And that's why I then got interested in security in general. So I started doing a lot of research on different things, mobile apps and that kind of stuff. And then that led into my career starting when I spent five years working for the Department of Defense doing some of the security stuff. And then moved over to private industry after that.

All right, Darryl, your turn. So I got started a little later than everyone else here. I didn't start out doing anything in infosec till I was about 25. So again, into the main hall later.
And after I figured out that I had set up enough deadlines, I went over and started doing infosec a lot more and then went to the private sector as well. Nice.

Okay, so what tools did you start with? Nmap and Burp is where I started, and that's it. There's just an add-on called Live HTTP Headers. And that's kind of accepted by a KQ class. So I think, first of all, I used to call it that. And it's, like, you should be able to... there's just, like, really, really the easiest way to learn for websites these capabilities, like the problem of transactions you were trying to live on. But yeah, I'd say go-to, for sure. It is definitely my first tool for me. And I've probably spent way too much time trying to figure out why my shit didn't work. And just using my Chrome dev tools for something is what you're doing with that. Nice.

Okay, so when you started learning, and even today, how do you keep up, like, with everything? Do you use Twitter? Do you follow certain blogs? Are you one of those people that likes the vlogs more on YouTube? What do you tend to use? There's a lot of, there's a lot of cool stuff. But most of it's Twitter, right? I follow, like, probably, like, 400 or 500 people overall in the security field. And so you, like, keep up with, like, you know, if something happened, there's any sort of story, and I think it's shared basically, you know. For instance, like that Zoom bug, like, I'm sure, like, everybody heard about that if you're on Twitter, I guess. Yeah, there's simply two videos in particular, typically on YouTube. And then more than that you can typically go, like, you know, like... Yeah, I agree. Twitter is, like, my go-to. It's kind of how I stay in touch with everybody. But another thing that's really important is, like, the sense of community, right? So going out and, like, reading other researchers' reports is critical to learning, right?
And you use those as a baseline, because then you can take that attack and try to do more with it and build upon that and then share back. So I think that's really important for how to stay engaged. Yeah, Twitter for sure is, and then I have an awful amount of blogs that I have in my RSS feeds that blow up. But like Jesse was saying, I kind of... I go in with what lots of other people do, and then I kind of put myself in that, like, the mindset of what I found, like that. Usually, no, it's not, I would know. And I try to figure out how they came to the conclusion of trying what they did and try to, like, supplement what I actually do to at least add that. Nice.

Okay, so tell me, since you guys shared a little bit about your, like, personal experience with being a hacker and, like, the resources that you use. I'm just curious now, because I just did a talk on safe harbor, like, a couple hours ago. And I'm just curious: what was the first bug you ever submitted of all time? The first paid submission I had was a SQL injection. That paid in 10 days. Is that up? Is that what you wanted? Yeah. How was it? How was it? Was it exciting? Was it, like, holy crap? I think, like, the first paid bug I had was, like, the SMTP injection on hackers. And it was, like... is that the kind of thing that basically you can insert carriage return line feeds in, like, an email header and modify it. And, like, so you could, like... if 200% before you could, like, modify what it was from, and it's really cool because it was all silent stuff. But it was, like, $1,000. I'm getting my freak out. Yeah, so the first program that I had was actually on Starbucks. Like, why not? So Starbucks, I don't know what I was doing. So I just threw in a report, like, you can actually get paid, like, 100 bucks or something. That's a lot of coffee. So keep going and try hard. I learned from that, right, because of all the questions they were taking back and asking about my report.
I could take that and, like, okay, this is how I need to address this in further reports that I submit, so it was a learning experience. So Jesse, have you ever been scared, when submitting any sort of bug, of being prosecuted? Yeah, so a couple of years ago, I actually presented over at Skybox about a big vulnerability that I found across, like, 10,000 different websites, from government websites, right? So that was super scary, because I had to find a way to disclose all that. And it was very nerve-wracking, because, like, most of these companies had no idea how to fix this stuff. They didn't have a vulnerability management program, right? So it was kind of shooting in the dark and, like, I hoped that nothing happened. So that was a little scary, but I pulled it off. I'm here today. So that's good.

I think when I first got online, there were a lot of programs with very particular guidelines. And they didn't mention anything for, like, Google stuff. And I was just kind of, like, you can only hack on this. And this is the same, like, I found this, like, secret, and I could get up and I was like, I submit this, like I said, I'm like, I don't know, I was, I was... I don't think a fear of prosecution, but, like, I felt very, like... or did I guess. For me, I think it was another SQL injection that I found that the bounty brief was... it was very specific about what they couldn't do. But it did say something along the lines of, you have to get the whole database to get paid for it. So I was a little more overzealous than I probably should have been. And looking at it now, I think they probably should have been really pissed. Okay, now I have to ask this. How do you guys feel about safe harbor? What's your opinion on safe harbor? I would have liked to have been on the program that could have gotten really risky. I think it's great.
I think, like, I think when we're in Donna's first game out, it was very, like, oh, yeah, we're on a frosty, you don't worry about it. It's like, okay, yeah, but then I know it. There's not a lot of legal research and, like, it's really not legal. And it's really cool to have, like, an actual guide for it. One of my bugs recently, it's really cool. It was, like, the program had, like, very extensive, like, researcher protection. It's, like, the Tesla program. But, like, yeah, like, you know, when I cross to you, here's the actual legal guideline for it. And then, like, if you break your Tesla, like, we'll help you fix it. That's really cool. But yeah, the direction it's going is, like, fantastic, I think. And I think it's really powerful. I'm, like, going away from, like, the, hey, if you connect to your, like, I don't know, neighbor's Wi-Fi, you're going to do it all the way, like that whole, like, recording. So I don't know, it's crazy.

Yeah, I mean, I think it's great. And from, like, a program management perspective too, you know, you have safe harbor on your program, right, you're gonna get more hackers on your program. So it's great. But when, like, a lot of... I try to look, right, when I'm hacking, if I ever hit a gray area, I stop and ask myself, okay, are you being an asshole? Maybe, like, actually, you reach back out to the program and say, hey, you guys want me to keep going with this or whatever, that way they realize, like, you really do care. You want this, trying to, like, interact with them and engage with them. It's pretty cool. I actually think I'll think about that in the future when it comes to submissions, like, am I being an asshole right now? That's fantastic. For those that don't know, has anyone ever heard of disclose.io? Raise your hand. Okay, we got a couple people. This is great. So those that don't know disclose.io, you can go to the GitHub page and actually look at all the different companies that practice safe harbor.
So if you ever want to, like, try to find vulnerabilities or hack on something, I highly recommend going to that list first and checking it out to see which ones are the much safer ones. Okay, so since we dove into the background now, let's go into bug bounty, because Bugcrowd, first of all, and we're on a bug bounty panel right now. So tell me, you guys, how did you hear about bug bounty? And how long have you been a hunter? I think you guys kind of briefly talked about it, but give us a little bit more details. And Sam, why are you... since you're holding the microphone?

Yes, when I first, like, got started in, like, security stuff, like, I played video games a lot. And, like, there were people in the community who were, like, sort of into web stuff. When I came to the video game hacking, it's pretty fucking accurate, right? Like, it's, like, people are popping into this forum all the time. And it's, like, might be the exploits on stuff. But, like, one of the guys in the chat was, like, hey, you know, first one of mine, like, a vulnerability on the forum hub, you get, like, rep, you know, like, in my community. So, like, that's, like, all right, let's do it. So I went and I found, like, a cross-site scripting vulnerability. And, like, I don't know, I'm kind of excited because that's the first time that I get to that interview, just like, bugging itself. But yeah.

So I've been, hopefully, active for three to four years now, I'd say, in, like, bounties in general. But I really got my start running, and I took it out on long-term projects, creating more of a self-course, myself, and running my bounty program. So I got to see how that worked out from a large enterprise perspective. And then that's when I started hacking in and of myself, because everyone was, like, how powerful this is for this, and what needs you to do it? I've been on Bugcrowd and bounties for about two years, or, I think two years exactly yesterday or something.
I had a pop-up from Sandy saying, congratulations. Okay, well, I'm, like, half there, I'll, like, that. Not all at once. But yeah, I don't think I had any really big thing other than my wife went to night school and I went forward. So I started hacking on it. And that's where I got my... nice.

Okay, so let's start with you. Since you got it, you're ready. So tell me, how many bug bounties have you been awarded? And that's single bugs. I think I'm at 70-ish at the moment. I think somewhere around there. Nice. Okay, so ranked in terms of priority and importance, what are the top five tools that you use? And I know number one is always going to be Burp Suite. Yeah, like, it comes with a program, like, honestly, like, there's, like, a staple tool, right? Like your search and sell a search. And then there's some other, like, interesting tools that, like, I think obviously are going to be a top five for some people, like that. And then, like, Burp extensions, right? Like, I'm definitely going to, like... my top five is going to be awesome now. But brand mine, I'm still, like, that.

Yeah, I really... I'm kind of, as a research analyst, I tend not to focus on tools too much. I really like doing, like, manual deep dives. I think I got most of my bugs that way, but, like, there are definitely situations, like, where you're getting interested in trivia or whatever. Yeah, those are, like, my top five are cool.

Yeah, so of course, so I would say, like, aside from that, I love working on programs that have a really huge scope. So, like, in, like, subdomain enumeration, there's a tool, Aquatone, that goes out and actually just takes a snapshot of each subdomain that you find. So you don't have to go through it manually to look at the results. It'll just put it next to a report. You can scroll through and see if there's anything valuable, like admin panels or whatever that's exposed. So I use that, like, to research. That's it.
But one, like, general thing to do is, like, a lot of people don't need to automate things, essentially, they're having this program. So in a sense, you can do it if the program allows, but I think the tools... it's, like, if you're lost in the woods, your tools are a compass. It's going to point you in the general direction of north, but it's not going to help you navigate all the paths, right? So you're still going to have to go do the manual analysis of, like, different vulnerabilities and stuff. They try to actually figure out what you're doing. The tool is not meant to be the end-all of everything, unfortunately. So basically everything that was just said, but probably the go-to is... that I would add there for a walk and said that I found some... a ton of things because I didn't rely on the things that... the tools that everyone has on GitHub and all that, and just did my own kind of projects. And that's where I found the bulk of my bigger bugs.

Okay, Darryl, tell me, what is your favorite bug you've ever gotten? So probably... it's being recorded. Sorry. Just actually let you know. Okay, well, I can't do the same thing. Okay. So probably the favorite one that I've worked on was we had a bug where we got some... deep... we found some default credentials and logged into the site. And then the next day when we came back to it, the license had expired. So we had to go look on Shodan for another, like, server. We stole the license from that and applied it to the one that had expired. And then I found an authenticated SQL injection in it.

Well, I think, I think my favorite bug probably was one that I found recently. Basically what's happening is there's, like, a login functionality for a website and it's also registration. And I think they're using, with a very old system, for the actual core handling of authentication. And what if you sent, like, a front sense ABC for the agent and there's taken it, you send it, you check it and pull back, right?
And something interesting about this was if you sent ABC%00, it thinks the string length is four. And then it goes down thinking this thing is four, and somewhere in translation that gets turned into three. And then the server says, okay, well, we can send back four bytes for, you know, a memory. So it sends it back. And then you get a random piece of memory, right? So instead of sending ABC, you send thousands and megabytes of null bytes. And the server's, like, all right, you know, this is a too-long username. We've checked if it exists or not and hit that system. We're going to send back the data. And then it just sends back raw server memory. So, you know, like, you run it for... you write a script, you run it for an hour. And then you're sitting looking at, like, 10 gigabytes of server memory. And if you run it through grep, you're, like, okay, let's search RSA private key and pull, like, server secrets. And all right, so let's search my password. Let's see if it's logging passwords. We need to find a password. So it's... write a script to automate, like, pulling keys, user passwords. And it's just a really unique bug.

Yeah, so mine's more, like, a general classic stuff that I've been looking at recently. So a lot of companies are using Slack to communicate with their infrastructure, right? So we can use that team to work on Slack and it's pretty much a bold one. So I love recon. So you go out and you look for different Slack tokens on, like, GitHub or, like, their repositories, right? And you take those and a lot of times they're still active. And it will just give you full access to their core Slack. So that's a lot of fun because, you know, there's all kinds of stuff in there, and customer data and that kind of stuff. So if you can get into Slack, you can pretty much own the phone. Nice, that's very much true.

So okay, how much time do you usually spend a week hunting? It depends so much. Sometimes it's, like, none.
Other times it's, like, 50 hours. Like, I feel like hacking for a lot of people is, like, you spend two weeks dead. It's, like, I don't do anything. And then all of a sudden I see, like, this manic week where you're, like, up from, like, 3pm to, like, 3am and your whole sleep schedule gets off. But probably you're not smarter than, like, 20 or 30 hours. Average probably up two to three, or as many hours as I just go without sleep to supplement that with. So I would say on average, it's probably 15 to 20 hours a week. But it's kind of, like, watching, like... then watching TV, right? There are some weeks I, like, just spend, like, way too much time hacking. And then other weeks I don't touch it. And it's a tentative thing to step back and take a break from that, because you can really separately burn out in this industry.

I'm glad that you guys kind of talked a little bit about, like, how you need to take time off sometimes. I always like to ask this question, even though it's never part of this topic in particular. But because we are in the hacker community itself, how do you guys deal with mental health? Well, all the time it's just, like, distancing yourself for a little bit, like what you're saying, like, you know, it's going to be, like, doing it crazily. Like, being able to, like, correctly, like, decide when enough is enough. I'm, like, let's say you're, like, I don't know, not like anything. Now that having a good time, you kind of force yourself into a schedule. It's good to always step back and, like, maybe, you know, try to spend time, you know, with family, friends and like that. You know, it's, like, if I don't have that, like, kind of, like, you know, I'm really excited to do this. It's simply hard to find those. So, like, the more I spend time doing that, it's just, like, the more I'm stressful, the more, like, feeling kind of exhausting it is. But just knowing when to step back, I guess. Yeah, so I think taking, like, disconnecting is very super good.
So when I get back in the day and I'm completely disconnecting, at least, I mean, in my detox, and then probably where that happens again. But definitely stepping away is good because if not, you will get burned out really, really quick. And then, like, through the day, I'm hacking on something and I'm just, like, you know, I'll step back from that and I'll go, like, move along. And I will solve so many problems, one out on the lawn, and come back and just be able to hear it. And so just stepping back sometimes is really, really good for me. I see a lot of people on Twitter set, like, goals for themselves, like, I'd better find 100 bugs in 10 minutes or whatever they choose to say. And then they update everybody whenever they do. I don't generally set any kind of goals for that. I find something that's fantastic. It's going to pay for something, like, I'm going to go over, but I don't really set any kind of goals, like, for that, especially unrealistic ones that a lot of people could probably get in there pretty fast. Nice. Thanks, you guys.

OK, so since we are in Recon Village, I have to ask: what tools do you tend to use and why are they better or more effective than others when it comes to recon? I think we did touch a little bit on that, right? But I'm going to go right back to sed and awk and grep and all, just the things that... anything bash-related is my favorite. It depends. But yeah, like, I think it's really about, like, all those tools now. So just, like, a lot of times, like, the building tools for, like, specific things that come up for specific mentalities. For instance, like, I feel like until a couple of years ago, like, doing GitHub, like, recon and pulling secrets from people wasn't as big as it is. But as that time went on, people built these really great tools for, like... you can auto-generate the guy who is going to pull them and run it for people for possible ways for, like, specific terms.
So typically, like, it's just, like, kind of going to lose for a particular program. But honestly, like, one thing I think that kind of differs for me, maybe other people, is just, like, taking a particular program and sticking to it. And that's kind of their constant, is just, like, learning over time all the quirks and, like, the functionality. Like, for instance, there's a group of researchers who, like, only hack on Facebook. And then you go to the discussion now and they're, like, yeah, you know, like, oh, like, GraphQL, yeah, yeah, yeah. And, like, it's very particular and you can tell they've spent a lot of time trying to understand it. And I really understand, like, the ecosystem. So I think that has, like, a cool kind of thing. But yeah.

Yeah, so the GitHub enumeration tools, S3 bucket enumeration tools are, like, my go-to. And, like, if I'm approaching a target, those are going to give me a good idea, like, if this target's pretty hard to get over, is there a possibility here if I'm the first up? If I start seeing them, like, S3, I guess they've been something bad for some of them. I think they're great for other problems, because the problem number is here. But yeah, so just a new enumeration stuff. I love recon. And I think that you can get a lot of stuff out of it if you really focus on it. But I am looking at myself. I like to jump across multiple programs. It probably isn't a good thing. I'm showing people on my money set on the focus. But when you have these tools, it's easy to just kind of, like, spray and spray on different sites. So you can see what you find. Nice.

OK. For those that don't know, Bugcrowd, we actually just released a basically Recon video, Recon Discovery video module. So Bugcrowd, we have Bugcrowd University. It was kind of started by Jason Haddix. Who knows Jason Haddix? Cool. He's my mentor. So he basically grew Bugcrowd University, to give back to the community, give more curriculum in a sense so you can all learn.
And for other people around the world who can learn as well that don't have that access. But yeah, we just posted it yesterday. So there's a Recon and Discovery video, which is really helpful and very useful. I just want to kind of end with one question for you guys. What do you see as the future of bug bounty?

Oh, that's interesting. I feel like bug bounty is a great tool for, like, discerning people who are passionate about security, right? Like, I think what's interesting about bounties and, like, the future for bug bounty is just, like, this hotbed of, like, research activity. Like, in the past couple of years, there's been so much, like, people who have been introduced and, like, this really good about bounties. And so I feel like bug bounty, and, like, as time goes on, it's kind of turning into, like, this, like, really, really cool community of people who, like, find a little stuff and, like, work with each other to find bugs. Like, the future of, like, actual programs and stuff, like, it's been scaling up so crazy, like, like, work with 100 companies and stuff. I just think it's going to get bigger and bigger, and it's going to be, like, a great... it's kind of, like, a really great tool for, like, community stuff and, like, people, like, put something to it.

Yes, so I think more and more companies are going to have bug bounty programs, right? It's kind of the trend, right? It's thinking about them and actually trying to be proactive. But I think on top of that, there are going to be companies out there that are going to start thinking about bounty programs in different ways and try to get creative with their approach. So I see more and more companies maybe leaning towards using it more instead of the, like, reactive approach, like people finding bugs and stuff that's already out there. They use it, like, proactively, before you ever roll a feature out, right? Have your hackers come in and test that and give you feedback and interact with them. So I think the engagement isn't out of ownership for the next few years.
Yeah, it's going to explode, because it has been and it's going to continue. I don't see it stopping. I mean, I'm a pen tester and I think it's a great supplement for that, for sure. It's because, like, you have so many different people with a set of eyes looking at it instead of... you got someone, one guy looking at it for maybe 30 hours with the curve for a given job, pen testing engagement. So I think it's a great supplement for basically anyone.

OK, I know I said that was the last question, but now I was just thinking of advice for those that are new at bug bounty. Besides, you know, keep pushing, don't give up when you first start. Is there anything else that you guys want to add on to that? I gave up once and then I got back into it after a couple of months because I got bored and I sort of find stuff, right. And then I would prepare to think about other things, not to put yourself to the James Petty over friends, friends of the world. I'm never going to be that good. I already know it, but there are so many things out there that you can still find just based on watching different techniques that have been released to everybody. I think, like, sometimes really recommends yourself, but all the other researchers have taken on the books. There's still, there's still a lot of stuff out there, right? When I first started, like, I remember, like, looking at programs and, like, oh, you know, there's so many yourself, I was, like, I'm never going to find a thing. And, like, day after day, there's, like, 20 more about issues, 20 more about issues. It's, like, wow, what's, what's separating me from that? Like, how do I do that? And it's just, like, the dedication, right? Like, not giving up. Like, I think there's a certain threshold, and, like, right after you find your first bug, it gets so much easier. It's, like, it's actually a possibility. Like, you know, like, you can kind of convince yourself to put a little more time into it. But, like, find your first bug.
Like, it takes a little bit, but once you do that, if you're really into it, like, that's, I think that's going to happen. And also, just to give you guys something that we were talking about a little bit earlier, find your friends to do it, you know, like, if you're in the university, like, in your hacking club, like, I guarantee you there's a couple of people who are, like, yeah, like, I want to spend time hacking websites. Yeah, it's, like, cool.

Yeah, so I would say, like, if you start out hacking, right, you can be a little donkey and you can be, like, what in the world am I doing after the first ball here? Just step back from that and think about what you're trying to attack, right? So let's say it's a website, right? Go out and learn how to build that. Go out to AWS and deploy on a server, because you're going to see these, like, things that the company's going to miss, right? The security misconfigurations, like the security, so you can go back and check that in your target. So go learn to build this stuff as well to be able to break it successfully.

All right. I just want to say thank you guys for taking the time and being on this panel. And I want to say thank you to Recon Village for existing, and also all of you guys, thank you for existing. If there's ever a time in your life you ever feel alone, just know that someone appreciates you. I've been hearing too many terrible stories this week on mental health. Just know that you're not alone. We're in this all together as a hacker community. So thank you once again. And if you have any questions for them, we'll probably be right outside that door. And Bugcrowd has a suite that's open in this hotel. The suite number is 3151. Once again, it's 3151, and there's free drinks and a lot of cool new swag and you can get your stickers there. Thank you so much.