You'll have to forgive Sean Melia for being only the number-two-ranked researcher in the 100,000-member HackerOne bug bounty community. After all, he splits his time between hunting for vulnerabilities and performing his day job as a senior security engineer and pentester for Gotham Digital Science. Melia, a 26-year-old resident of North Carolina, has reported over 700 valid bugs on the HackerOne platform alone and has submitted even more through Bugcrowd, Synack and other independently run vulnerability disclosure programs. Known simply as “Meals” on the HackerOne platform, Melia recently shared some of his bug bounty success stories and insights with SC Media.
How much have you earned as a bug bounty hunter?
In the past two years, it's around $400,000. It's a little bit less than that.
So you could do this full time if you wanted. You just choose to have a day job.
Yeah, I like having both, since it exposes me to finding more bugs. It's just more challenging to have both going on at the same time. I can learn different techniques at work…I'm just getting exposed to a lot more different applications. It's just trying to absorb as much information as I can, and doing them both at the same time is beneficial in that sense. And then I also have benefits, all that stuff at work. Bug bounties don't really have health insurance or vacation.
What was one of your most memorable vulnerability finds?
One of the more recent ones was back in June of last year. It was on [the Starbucks website] and it was a really trivial bug, actually. If you did an online order, like you shipped coffee to your house… you'd get assigned a tracking number. And that tracking number is an incremental number every time. So if I ordered one, it might be order #1,000, and then if I ordered another package it might be order #1001. And I could just increment through that and then view every other customer's order details. So [I could] increment up to #2002 and I would be viewing “John Smith in California,” whose last four of his credit card is “this number,” and his address and his phone, and what kind of coffee he orders. I got $6,000 for that one.
And then there were some other bugs on there as well, where if you signed up for a subscription to get coffee delivered to your house you could actually edit other people's subscriptions from your account. So, say “John Smith” every week gets coffee shipped to his house. I could update his subscription from my account so that his subscription gets shipped to my house instead… And [John] would get billed for it. So essentially, you could have just incremented through all the numbers and gotten every subscription sent to your house. But that probably would have gotten picked up – a thousand stacks of coffee going to one address!
Starbucks probably should have gifted you free coffee for life for finding that one.
I think, all in all, I got $40,000 in bounties [from Starbucks], so that could probably pay for coffee for a while.
Have you noticed a lot more non-traditional companies and organizations showing interest in bug bounty programs?
Definitely. The Department of Defense – the government's bug bounty – that was a total surprise to me when that happened. I felt that was pretty interesting that they got that approved, just because generally with the government there's a lot more red tape. So essentially, if the government can get a bug bounty program set up, it would be hard to say why another company couldn't do it.
[Also], the Internet of Things. I always love when I get invited to a program that has some hardware. I was Christmas shopping, and I got this email that I got invited to this [bug bounty] program and I was like, oh I've got to leave the mall immediately. I've got to go to Best Buy and buy this hardware. I've got to start hacking it. And I'm glad I did because I found two pretty cool bugs and made like $5,000 that night because nobody else had gone out and bought the hardware yet. I spent $200 on a device and ended up making around 5,000 bucks in one night.
What industries or business sectors would you like to see more involved in the bug bounty business?
It would be interesting to see banks get into it, but they probably wouldn't want a bug bounty program set up for banking applications. Maybe health care as well, because there's been a lot of issues with breaches. It's just hard to get approval for things like that. There's bureaucracy and that's probably the reason why they haven't started doing that, but maybe eventually we'll get to that point.
You're the number-two ranked researcher on HackerOne. Do you ever get competitive about it?
Yeah, I check it every once in a while to see what rank I'm at, just because I eventually want to get back to number one. It's just hard to find the time. If I had an unlimited amount of time, I think I could get back to number one. But it's just hard to fit in a social life, bug bounties and a regular job.
I know some of the other top guys. It's competitive, but we all share stuff with each other as well, so if we find cool bugs, we'll talk to each other about it and share different insights on how you can maybe exploit them more.
What are the best companies to work with when hunting for vulnerabilities? What traits do they have in common?
Companies I like working with have great communication with the researcher. If they're going to not reward for something, or they're going to reward less for something they communicate and they put context on it. They explain why.
I've worked with programs that say: “This is not applicable,” and they'll just close it out and give you no context why they came to that determination. For programs that are great to work with, they'll communicate: “We're going to pay less for this because of these mitigating factors,” or “We're not going to pay for this because it's hosted on a third-party system.” So it's great when a company will communicate those issues to you and maybe you can be proactive about it. If they've noticed a trend with you reporting a certain type of bug, they might say, “Hey, you might not want to spend any more time reporting these.”
One private program I still work on, they invited me on a private channel, so I got to communicate in real time with some of the developers and security team to ask them questions like: “Would you guys consider this a valid bug, or this?” And I got to bounce ideas off their head without me having to write up reports and submit them. So I really enjoyed that.
As far as policies go, Twitter's a good example. They specifically define their payouts for certain types of bugs. “For cross-site scripting, you get ‘this' amount.” So it's not a gamble. You know when you submit that bug, you're going to be rewarded with “x” amount of money.
Some companies that start a program, they might say, “Hey, we pay from $50 to $10,000,” but they don't exactly define what it would take to get the $10,000 payout. So it's awesome when a company gives you a road map of what types of bugs are most impactful to them, what's going to earn you the highest payout.
Did a company offering a bug bounty ever do wrong by you?
I got invited to a program over the summer, and the payouts were $100 to $5,000. Generally, a $5,000 payment would be some type of remote code execution or SQL injection where you can access customer data or bypassing authorization controls. I submitted maybe a little more than 100 bugs to this company and then the payouts were a fraction of what the maximum would have been.
I think I reported eight or nine remote code execution bugs and the most I got for them was $500. I'm thinking. in my mind, if a $500 dollar payment for a remote code execution bug is what I'm getting, what does it take to get to $5,000? And the company just was not very communicative of that. And to this day I still do not know what it would take. I'm assuming you would have to be able to steal all of the computers in the office to get that $5,000 bounty.
What is your philosophy on gray hat bug bounty opportunities – selling exploits to an outside company, organization or government? Is that something you would consider doing?
I don't know. I kind of enjoy doing the bug bounty scene, actually being able to talk about my bugs, disclose them if I'm allowed to. Maybe if I found a really cool one and I was going to make a million dollars, then I would definitely sell it. But the chance of me coming across that… Doubtful that that will happen.
What advice would you give to a company starting its own program?
There really isn't a net negative to starting one, especially if you start small, which is what I'd recommend. If a company is looking to start one, they should start a private program and maybe invite five to 10 researchers that were recommended by the bug bounty platform. That would be the way to go.
What attracts you to certain programs?
I exclusively work on private programs, since less people will be invited, so I'll have a higher chance of not having a duplicate bug. Also, if a program is offering up to $5,000 or $10,000, that's a good chunk of change, so I will definitely take a look at that.
Some companies scope their bug bounty programs to one website or two websites, and those can be kind of fun if they're big applications and they have a lot of functionality, but my more preferred programs are the ones that have a very wide ranging scope, or their external infrastructure is in scope, all of their external assets – like IP hosts, virtual hosts, domains on third-party services – are in scope. I like those because it's a lot more fun to build an attack surface for them and see all their external assets and spread my net as wide as possible, and then start looking at systems individually. You might find one bug on one system and then realize that they're doing the same things on a number of systems, and you might end up with five more reports or six more reports of really impactful bugs.