[ITW] Daniel Kalinowski: “Participating in bug bounties improves your skills and increases your overall knowledge.”

February 18, 2019

Let’s meet Kalin, a bug hunter from Poland.

What’s your background?

I’m 25 years old. I didn’t study; it’s kind of a waste of time in Poland. Well, it depends whether hacking the school PCs in junior high school counts? xD
I started my career in the IT industry as a Data Center Operator, then I got promoted to Junior Dev. They had to do it because I had pwned their application once, and after the promotion, with access to the source code, I was able to find a few more critical bugs. Also, with the help of Shellshock, I was able to download/view the CTO’s files that were stored on a NAS.

Three years ago I joined an awesome security company, and in my current position I’m responsible for: mobile app testing / web app testing / code reviews / general technical advisory on the customer side.

My nickname Kalin comes from my surname KALINowski. I can also be found on the Internet under the @llamaonsecurity/@llamasbytes handles.

Why are you interested in bug bounties?

I started bug bounties as a time-killer in my first job, then I forgot about it and came back to it when I started my career in IT security. Participating in bug bounties improves your skills and increases your overall knowledge. Once I had to dig into the PNG file format structure to execute an XSS payload on web servers. It was quite a unique experience. Financially speaking, 1 euro is equal to 4.15 PLN (my local currency), so participating in bug bounties can be profitable.
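The PNG angle mentioned above, as an added example that is not part of the interview and not Kalin’s own tooling: a minimal, decoder-valid PNG that carries an arbitrary string in an uncompressed tEXt chunk, plus a parser that walks the chunk list and verifies every CRC. The keyword, the payload string and the function names are assumptions chosen for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Assumed payload for illustration (constructed, not taken from any real report).
XSS_PAYLOAD = b"<script>alert(1)</script>"


def make_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def build_png_with_text(keyword: bytes, text: bytes, width: int = 1, height: int = 1) -> bytes:
    """Return a valid RGB PNG (1x1 by default) carrying `text` in a tEXt chunk."""
    # tEXt rules: keyword is 1-79 Latin-1 bytes, NUL separator, text contains no NUL.
    if b"\x00" in keyword or b"\x00" in text or not 1 <= len(keyword) <= 79:
        raise ValueError("invalid tEXt keyword/text")
    # IHDR: width, height, bit depth 8, colour type 2 (RGB), compression 0, filter 0, interlace 0.
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # One scanline per row: filter-type byte 0 followed by `width` black RGB pixels.
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    idat = zlib.compress(raw)
    return (
        PNG_SIGNATURE
        + make_chunk(b"IHDR", ihdr)
        + make_chunk(b"tEXt", keyword + b"\x00" + text)  # stored verbatim, no compression
        + make_chunk(b"IDAT", idat)
        + make_chunk(b"IEND", b"")
    )


def parse_chunks(png: bytes):
    """Walk the chunk list, verifying each CRC; returns a list of (type, data) tuples."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        chunks.append((ctype, data))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def find_text(png: bytes):
    """Return [[keyword, text], ...] for every tEXt chunk in the file."""
    return [data.split(b"\x00", 1) for ctype, data in parse_chunks(png) if ctype == b"tEXt"]


if __name__ == "__main__":
    png = build_png_with_text(b"Comment", XSS_PAYLOAD)
    print([ctype for ctype, _ in parse_chunks(png)])
    print(find_text(png))
```

Because tEXt is stored uncompressed, the string survives byte-for-byte inside a file that every image decoder accepts as a real PNG. What turns that into an XSS is not the image but the server reflecting the file, or its metadata, in a response a browser is willing to render as HTML; the checks to make on an upload endpoint are therefore an accurate `Content-Type` on the served file and `X-Content-Type-Options: nosniff`, not just signature or magic-byte validation of the upload.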

Bug bounty hunting requires skills, mental ability and a sort of digital hygiene: can you share some basics and principles?

To be effective as a bug hunter you have to keep yourself in the information loop. Get a grasp of the latest bugs and exploit techniques by following the right people and visiting the right websites. Personally, I can point you to an awesome active bug hunter: https://twitter.com/_bl4de; his retweets have helped me a few times. As for websites, I would recommend https://www.reddit.com/r/netsec/ and https://www.bugbountynotes.com

Tell us about the Infosec community in Poland and more generally in the eastern part of Europe.

The IT security community in Poland is mature. We have great infosec-related websites:

https://zaufanatrzeciastrona.pl | EN version: https://badcyber.com
https://sekurak.pl
https://niebezpiecznik.pl

If you want to go to IT security conferences you can choose from many options, like Secure 2018, Security Case Study 2018 and Semafor 2018; they are hosted yearly. That said, I’m not aware of the situation in other Eastern European countries.

Apart from this discipline, do you have any other interests?

I’m a husband and the father of a 4-year-old, so I don’t have a lot of time for myself. But if I had to point to one thing that helps me relax, I would pick games: digital and paper games.

How do you proceed to report a vulnerability when there is no official bug bounty program?

So it depends on many factors. Mainly, I am guided by three questions:

– “Is the target a government unit or a public services provider?”
– “How much free time do I have?”
– “Does the affected vendor/page/app have contact information in a language that I can understand (hint: Polish, English)?”

I can share some examples of my methodology.

1. If I have time for extra activities, the vulnerable app is from an English-speaking country and the contact form is in English.
> Outcome: Report immediately.

2. If the vulnerable app is made by non-English-speaking people and the contact form is in a language unknown to me.
> Outcome: Do not report the bug / schedule it for later.

3. If the app is on a .gov domain. I try to report bugs in .gov domains even if I don’t have a lot of time.
> Outcome: Report to the proper CERT in that country.

4. If the app is in Europe and it is related to a critical industry like banking, public transport, etc.
> Outcome: I would look for a direct contact; if that fails, I would look for an alternative, which might be a CERT unit or a Coordinated Vulnerability Disclosure program like https://zerodisclo.com

5. If the app belongs to an NGO or a hospital, the contact form is in English and I have some time.
> Outcome: Direct contact.

Sometimes I try to reach a specific organisation through my contacts; this is a last resort 🙂

Check Kalin’s public profile on YesWeHack.com 🙂

ProTip: if you want to enable your public profile like Kalin, please tick the box as described below:

  • After logging in to the YesWeHack platform
  • Go to your profile https://yeswehack.com/user/profile

Click Edit, then tick the Public box. Last but not least, update your profile.