This week’s Researcher Spotlight is on Jared Perry, a researcher in Canada with a 100% acceptance rate and an average priority of 2.78. Jared’s path to bug bounties shows how important it can be to network and connect with other bug bounty hunters in the community.
Find Jared on Bugcrowd and follow him on Twitter @Jared_Perry.
How did you get started in security research? How long have you been doing bug bounty work?
I started in information security at a university dealing with everything from incident response to vulnerability assessments. I was lucky enough to have a great boss who provided a license and introduction to Burp Suite (https://portswigger.net) and that was really the start of application testing for me. Today there isn’t a moment I don’t have at least one instance of Burp Suite running. I also learned that the quality of application security from software companies in the education space isn’t always the best.
I have been doing bug bounties for about 2 years. It was after meeting @pwndizzle at Derbycon and talking with him about his experience with bounty programs that I really started getting into bounties. That is also where I met @kym_possible, @g33kspeed and other awesome bug bounty people.
Do you have a specific focus or specialty that you tend to spend your time on?
I will usually rush through an application and pick off XSS, CSRF, access controls and more straightforward issues. Then I will find a feature and focus on how it works with an assumption that there is a vulnerability which hopefully pans out. I will also spend a lot of time on file upload and authentication.
How do you keep your skills fresh?
I work with smart and competitive people as a Security Consultant at Stratum Security. That reminds me that I still have to catch up with my coworker @craig_arendt on Bugcrowd ;). I also try to go to security cons and meet other appsec people whenever I can, and I follow other bug bounty or appsec people on Twitter.
What motivates you to do what you do? What keeps you going?
Bug bounties are challenging and I try to do the whole gamification thing in my mind. It is like a strategy game where you don’t know if success is always possible. That moment when you get the response you were looking for or your payload executes makes it worth it.
Any tips or suggestions that you would give to other bounty hunters?
Meet other bug bounty and appsec people. Find people to compete against and learn from. Follow people on Twitter.
What do you think of the future of bug bounties? Where do you see them going, where would you like to see them go?
I see bug bounties as being complementary to traditional application testing and also becoming much more widespread. This should also increase payouts as companies compete for their program to get attention.