Fifteen Famous Bug Bounty Hunters
For today’s article, let us acknowledge fifteen famous and 1337 bug bounty hunters who have been the talk of the web. This list does not enumerate all the top bug bounty hunters on the major crowdsourcing platforms like Bugcrowd, HackerOne and Cobalt (formerly Crowdcurity), but rather people whose contributions have proven worthy and who have embodied the true hacker culture – although some people who have topped the leaderboards will also be included.
The goal is not to list people who topped the leaderboard of a bug bounty program simply because of the number of vulnerabilities they submitted, since that count can be a misleading measure. This point is made in Bugcrowd’s “State of Bug Bounty” PDF report.
Bugcrowd’s “The State of Bug Bounty” reports:
A self-employed “security researcher” based in Pakistan was the most prolific submitter overall with a submission count of 1,094—nearly three times that of the points leader and nearly four times that of the top paid researcher. This is especially noteworthy given his first submission wasn’t until February 18, 2014—roughly a year later than the points and rewards leaders.
While his 1,094 submissions make him the top submitter out of the entire research community, a well below average priority rating of 4.42 and a very low total average reward per valid submission of $20.54 make this researcher very noisy. These figures suggest that this researcher uses a shotgun approach for finding and submitting bugs, even if the issues found end up being flagged as invalid bugs. Further proving this hypothesis is the fact that this researcher possesses an extremely low 4% acceptance rate for his submissions.
Given these figures, one might come to the conclusion that this researcher puts a higher value on submission count notoriety over rewards—with 120 Hall of Fame entries, it would be hard to argue this point. So, while very proactive and active, simply put, this researcher submits things that aren’t as valuable as other researchers’ submissions. The top, in this case, is far noisier than signal desired.
Names are not arranged by ranking. Alright, let’s start!
Drum roll please…
- Stéphane Chazelas
Stéphane is a *nix and Telecom Specialist who discovered the GNU Bourne-Again Shell (Bash) Shellshock vulnerability. He is also involved in the UNIX and Free Software/Open Source community (writings, contributions to projects). He reported Shellshock on HackerOne and was rewarded with $20,000 USD for his responsible disclosure.
- Rafay Baloch
Rafay is a Pakistani independent security researcher who owns rafayhackingarticles.net. He once found a remote code execution vulnerability in PayPal for which he was awarded $10,000 USD and was also offered a job by PayPal, which he turned down. Rafay is an active participant in bug bounty programs and is listed in a large number of halls of fame, including those of Google, Facebook, Microsoft, Twitter, and Dropbox. He is best known for discovering the Android Stock Browser Address Bar Spoofing vulnerability, which affected Android Lollipop and previous versions.
- Frans Rosén
Frans is currently ranked second among the top bug bounty hunters on HackerOne. He is a Dev/Security/Founder at Detectify. He was interviewed by Adam Crouchley for finding a Flash-based XSS vulnerability in Mega, which earned him €1,000. That is a fairly big reward for an SWF issue, but still a good find. He has reported many security vulnerabilities for which he was rewarded with large amounts of money.
- Jason Haddix
Aside from being the former top bug bounty hunter on Bugcrowd, Jason is currently the Director of TechOps at Bugcrowd. Together with Daniel Miessler, he heads the OWASP IoT, OWASP SecLists and OWASP Mobile Top Ten projects. He is a great web and mobile hacker.
- Nir Goldshager
Nir is the CEO of Break Security. He has also worked at Imperva in a unique research position, bypassing the Imperva Web Application Firewall. He ranked #1 in the Facebook Security Hall of Fame (White Hat Hacker) https://www.facebook.com/whitehat/thanks/ in the year 2012.
- Roy Castillo
Roy is a Filipino bug bounty hunter who reported a stored XSS in Gmail for iOS, and is known for reporting a bug in Facebook that exposed primary Facebook email addresses. He is considered one of the first Filipinos to have participated in bug bounty programs. Prior to his fame in bug bounty hunting, he took advantage of an XSS in Facebook that allowed outsiders to add scripts to web pages. His status “Off to Danao City” swarmed some Facebook users because it couldn’t be deleted, and Roy couldn’t be blocked — because he wasn’t in the friend lists of the profiles on which he appeared. Kinda naughty LOL.
- Emily Stark
Bitquark is also a former #1-ranked bug bounty hunter, just like Jason Haddix. Although not much is known about his personal life, he has disclosed a lot of ass-kicking security bugs on his blog ‘bitquark.co.uk’. Google rewarded him a total of $13,034.80 for his five ‘Google Sites’ bugs.
- Don A. Bailey
Don is an information security professional and security researcher whose research has been featured on news outlets around the globe, including CNN, Reuters, BBC, and Al Jazeera. He has acted as Director of Research for iSEC Partners and CTO of the up-and-coming start-up Revolar, and has founded his own IoT technology start-up, Lab Mouse Security. His report of a memory corruption vulnerability in the LZ4 software (CVE-2014-4611) earned him a $6,000 reward on HackerOne. He has also engineered memory-corruption payloads for applications that use LZ4, such as Python and Ruby. Don has spoken at InfoSec and hacker conferences like Black Hat, Hack in the Box, 44con, Duo Security, etc.
- Neal Poole
Neal is a bug bounty hunter and a Security Engineer at Facebook working on the Product Security team. Prior to working at Facebook, he had reported close to a dozen flaws to Facebook, received a White Hat card and was acknowledged in Facebook’s Whitehat Hall of Fame. He has also earned cash reporting flaws to Google and Mozilla, and blogs about each vulnerability he finds after it is fixed, detailing every step of his discovery and interaction with the affected vendor.
- JungHoon Lee
Lee is a Korean exploit developer who bagged a total of $225,000 at Pwn2Own during the CanSecWest 2015 security conference, where he exploited the browsers Mozilla Firefox, Microsoft Internet Explorer and Google Chrome. He was also able to compromise the Windows operating system, ending up with a SYSTEM shell, by exploiting a hardened version of Google Chrome during CanSecWest 2014.
- Avram Marius Gabriel
Avram, a.k.a. @securityshell on Twitter, has been listed in the responsible disclosure programs of Adobe, eBay, Facebook, Google, Microsoft, Twitter, etc. Aside from smashing bug bounty programs, he currently works as a security engineer at RandomStorm. He also maintains a cool blog at security-sh3ll.blogspot.com.
- Mazin Ahmed
Mazin is a bug bounty hunter who owns blog.mazinahmed.net, where he blogs about his vulnerability findings, such as the multiple CSRF vulnerabilities in Facebook Messenger. He was nominated for the Pwnie Awards 2015 in the category “Pwnie for Best Client-Side Bug”. He is known for his research on the W3 Total Cache vulnerability that leads to full defacement (CVE-2014-9414).
- Mohamed Ramadan
Mohamed is the lead author of the CODENAME: Samurai Skills course. He has discovered vulnerabilities in Google, Facebook, Twitter, Microsoft, Yandex, Apple, Adobe, Nokia, AT&T, RedHat, SoundCloud, GitHub, Etsy, Nokia Siemens, Zynga, etc. His notable findings include a flaw in the Facebook Camera app for iOS that allowed hackers to hijack accounts, a blind XXE in Facebook triggered by uploading a document, and a way for attackers to sniff the images you upload through the Facebook app for Android.
- Shubham Shah
Shubham is a security researcher and bug bounty hunter based in Sydney, Australia. He currently works as a security analyst for Bishop Fox. When he was only 16 years old, he was able to bypass two-factor authentication (2FA) at Google, Facebook, Yahoo, LinkedIn, and many others. He has been listed in the white hat halls of fame of PayPal, Facebook, Google and Microsoft for his responsible disclosures. At the time of this writing, he has five CVEs credited to him.
State of Bug Bounty – https://pages.bugcrowd.com/rs/601-RSA-253/images/state-of-bug-bounty-08-2015.pdf