Cybersecurity spotlight on bug bounty researcher @inspector-ambitious

As we kick off Cybersecurity Awareness Month, the GitHub bug bounty team is excited to spotlight one of the top performing security researchers who participates in the GitHub Security Bug Bounty Program, @inspector-ambitious!

As home to over 100 million developers and 372 million repositories, GitHub maintains a strong dedication to ensuring the security and reliability of the code that powers daily development activities. GitHub’s Bug Bounty Program continues to play a pivotal role in advancing the security of the software ecosystem, empowering developers to create and build confidently on our platform and with our products. We firmly believe that the foundation of a successful bug bounty program is built on collaboration with skilled security researchers.

Since its inception nine years ago, our bug bounty program has been a fundamental component of GitHub’s security strategy. This dedication is manifested through live hacking events, the revamp of our VIP bounty program, limited disclosures on HackerOne, expanding bounty targets, over $3.8 million in total rewards via HackerOne since 2016, and much more! As we continue to explore opportunities to make our program more exciting for the researchers to hack on, we also heard the feedback from our community and launched the GitHub Bug Bounty Merch Shop earlier this year, so now every submission can potentially also receive a swag bonus along with the bounty!

To celebrate Cybersecurity Awareness Month this October, we’re interviewing one of the top contributing researchers to our bug bounty program and learning more about their methodology, techniques and experiences hacking on GitHub. @inspector-ambitious specializes in application-level bugs and has found some unique and intricate issues throughout their research. Despite the intricacy of their submissions, they skillfully outline easily understandable reproduction steps, effectively streamlining the investigation process and consequently reducing the triage time.

Can you share some insights into your journey as a bug bounty researcher? What motivated you to start and what has kept you coming back to it?

I’ve been passionate about cybersecurity since the age of 10. During the 1990s, I didn’t see it as a viable career option, so I decided to shift to programming around age 16. I dedicated myself to coding until just a few months ago, when we underwent a two-day offensive security training at work. The trainer suggested that I explore bug bounty programs. A couple of weeks later, I joined GitHub’s Bug Bounty Program and was immediately hooked. There is nothing as cute as an Octocat.

What do you enjoy doing when you aren’t hacking?

Trying to be a good husband and dad is my top priority. When I have time left (it’s not that often), I try to improve my knowledge of mindfulness and Stoic philosophy.

How do you keep up with and learn about vulnerability trends?

I listen to the Critical Thinking – Bug Bounty Podcast by Justin Gardner (Rhynorater) and Joel Margolis (teknogeek); it’s an amazing podcast. I also check Twitter/X from time to time.

What are your favorite classes of bugs to research and why?

I would say I have been focusing mostly on application-level logic errors so far since my skill set is still fairly limited as I’m newer to bug hunting.

What tools or techniques do you find most effective for discovering security vulnerabilities?

I use Kali Linux and VSCode for code review. I don’t automate anything and do everything manually. I haven’t formalized any methodology at this stage since it’s only been a couple of months.

You’ve found some complex and significant bugs in your work—can you talk a bit about your process?

I usually start by manually testing a feature or a set of features. Then, I spend some time thinking about where it would be interesting to break it. Next, I read documentation, RFCs, and code, if available. I never time-box anything, since the most interesting aspect for me is the journey that leads to the discovery.

What is the most valuable lesson you’ve learned from your bug bounty experiences so far?

Bugs are everywhere, so don’t be intimidated by anything. Nothing is 100% secure.

Thank you, @inspector-ambitious, for participating in GitHub’s bug bounty researcher spotlight! Each submission to our bug bounty program is a chance to make GitHub, our products, and our customers more secure, and we continue to welcome and appreciate collaboration with the security research community. So, if this inspired you to go hunting for bugs, feel free to report your findings through HackerOne.

Interested in helping us secure GitHub products and services? Check out our open roles!