►
From YouTube: Live GitLab Ask a Hacker AMA with Johan Carlsson (@joaxcar) Bug Bounty / Security Researcher
Description
We chat with bug bounty hunter and web developer, Johan Carlsson (@joaxcar on HackerOne) about how he got his start in bug hunting, what his workflow looks like and his sources for continual learning.
* See the notes from this AMA: https://docs.google.com/document/d/1M_LQbo5LqNKTKdN88FBkK-gIyULe1-HvyQDFLqTi0kA/edit?usp=sharing
* See Johan on HackerOne: https://hackerone.com/joaxcar?type=user
* See our AMA playlist: https://www.youtube.com/playlist?list=PL05JrBw4t0Kqvvpk9PmRO6fZ0xmnKBp_s
B
All
right
cool
welcome
everyone
to
the
gitlab
security
teams,
hacker
ama
series,
we're
really
excited
to
host
johann
carlson
for
today's
ama
johan
is
a
web
developer
by
day
and
within
the
last
year
he
started
bug
bounty
hunting
and
has
already
made
his
way
quickly
on
our
top
10
hacker
hackers
contributor
list
on
hacker1
johann.
Would
you
like
to
introduce
yourself
a
little
bit.
C
C
B
A
A
All
right,
oh
yeah,
so
it's
super
impressive
that
you
went
from
what
you
call
having
zero
knowledge
and
bug
bounty
hunting
to
landing
on
our
top
ten.
What
do
you
think
has
enabled
you
to
be
so
successful
or
successful
in
my
eyes
and
in
the
eyes
of
our
program,
and
do
you
have
any
other
tips
for
newcomers
when
it
comes
to
diving
into
bug,
bounty
hunting.
C
Yeah,
so
I
can
begin
with
clarifying
probably
that
zero
knowledge
is
a
a
big
statement
when
you
have
just
finished
like
three
years
of
university
computer
science.
So
I
of
course
I
knew
stuff
about
computers
and
the
web
and
everything,
but
I
had
no
zero
experience
in
bug,
hunting
and
then
didn't
know
that
much
about
it,
security
or
all
these
web
related
issues
like
cross-site,
scripting
and
whatever.
I
didn't
know
anything
about
that.
C
I
think
that
my
what
have
worked
for
me
is
like
a
genuine
interest.
I
guess
and
perseverance
like
just
I
kind
of
when
I
get
into
something
I
kind
of
start
tinkering
a
lot
with
it
and
it
becomes
like
my
only
focus
and
I
go
around
and
think
about
it
during
the
days
when
I
have
some
time
over
and
stuff
like
that.
So
I
think
my
my
tip
would
probably
be
like
to
keep
it
interesting,
because
otherwise
it's
really
hard.
I
guess,
to
to
find
anything
or
to
be
successful.
Then.
C
C
D
C
I
do
read
like
the
release
post
every
month
and
then
I
wait
patiently
for
the
security
release,
which
is
even
more
interesting,
and
I
found
a
lot
of
most
of
the
time.
I
find
the
areas
of
gitlab,
which
I
haven't
seen
or
noticed
before,
and
it
doesn't
necessarily
mean
that
I
find
a
bug
that
is
like
really
similar
to
the
one,
but
it
points
me
in
some
direction
and
I
start
digging
that
way.
But
I've
also
found
issues
by
just
like
randomly
clicking
on
issues
on
your
issue.
A
D
C
Yeah,
I
guess
that's
it's
a
bit
tricky
question
for
me,
because
the
business
model,
depending
on,
if
you
ask
like
the
hacker
or
the
the
program-
I
guess
for
me-
I
I
really
I
I'm
trying
to
push
on
like
impact-
should
be
rewarded.
I
guess,
and
also
like
thorough
research
and
good
reporting.
That's
what
I
try
to
push
when
I
speak
with
programs
and
triage
teams,
and
that
also
includes
like,
of
course,
a
bug
on
one
program
like
a
cross-site.
Scripting
is
a
good
example.
C
A
D
C
Yeah,
I've
looked
at
them
like
browsed
through
it
sometimes,
but
now
I
took
a
look
at
it
when
I
I
saw
the
question
and
it's
really
impressive.
I
need
to
dig
into
it
more
because
I
have
some
like
hints
for
what
I
should
look
for.
I
guess,
as
I
I'm
I
have
never
like
written
a
single
line
of
ruby.
I
haven't
even
like
read
it
before.
C
I
started
digging
into
your
code
base,
so
it's
been
like
a
really
confusing
long,
uphill
battle
there,
navigating
the
code
base,
and
so
the
the
guidelines
have
some
good
tips
for
me.
Yes,
what
I
as
a
developer,
I
I
guess
it
can
be
hard,
even
if
you
someone
says
like
ssrf
to
you
and
they
try
to
explain
it.
It's
really
hard
to
know
like.
Why
is
this
even
important,
and
you
have
to
be
like
reminded
again
and
again
like
what's
the
actually
the
problem
here?
C
So
what
I
I
really
like
your
like
is
cvss
calculator
that
you
have
created
and
if
I
were
a
developer,
I
would
like,
like
a
calculator
like
that,
like
I've
been
developing
a
feature
that
I
could
just
like.
Click
through
these
questions,
and
then
I
get
some
tips
like
you
should
really
look
into
like
this
this
and
this
part
of
this
guidelines,
because
it's
quite
long
and
to
read
it
through
like
every
time,
it's
probably
time
consuming.
D
C
C
C
So
I'm
I'm
still
kind
of
most
proud
of
one
of
my.
I
think
it
was
my
second
valid
report
and
the
third
as
well.
It
was
like
a
multiple
issues
and
I
had
this.
I
had
this
really
really
long
discussion
with
andrew
back
and
forth
about
this
feature,
which
are
like
this
project
access
tokens
which
were
like
implemented
in
a
rather
special
way
where
you
created
this
bot
user,
and
I
it
was
a
my
the
first
time
that
I
really
like
just
found
a
bug
by
thinking
about
it.
C
D
C
C
I
guess
like
just
to
find
some
part
of
it
that
you
find
really
interesting
and
and
stay
in
that
area
if
it
generates
like
bug
bounties
or
if
it's
in,
like
ctfs
or
hack,
the
box
kind
of
things,
at
least
as
long
as
you
find
it
interesting.
I
think
it's
a
lot
easier
to
to
get
somewhere,
but
then
also
like
keeping
a
presence
online
like
on
twitter
and
linkedin,
and
so
I
guess
you
get
contacted
by
people
if
you
like
start
showing
your
work.
D
C
Yeah,
so
I
have
kind
of
three
environments.
I
guess
I
have
a
couple
of
accounts
on
gitlab.com,
which
I
use
regularly
for
testing,
and
then
I
also
have
this
local
installation
from
kind
of
source
or
like
the
arc.
Linux
thing
it's
a
nightmare
to
keep
it
up
to
date,
but
I
have
my
gitlab
ultimate
license
in
there.
It's
in
a
closet
over
here,
which
I
use
when
I
need
to
access
like
a
feature
that
needs
to.
I
need
to
be
like
admin
on
an
ultimate
box.
C
Otherwise
I
also
use
this
docker
like
just
spinning
up
local
servers
on
my
machine.
If
I
need
to
test
this
like
admin
stuff
without
the
ultimate
license,
but
other
than
that,
my
workflow
is
kind
of
just
like
browsing
around
trying
to
find
new
areas,
doing
it
on
my
phone
a
lot
of
times
like
reading
issues
and
stuff
like
that,
and
then
when
I
find
something
I
start
like
digging
in
reading
source
code
trying
so
a
lot
of
times.
C
C
D
C
C
If
I
know
that
someone
is
like
really
good
at
something,
I
can
try
to
ask
them,
but
I
don't
really
have
like
this
single
source.
Where
I
go
to,
I
guess,
except
for
yeah
the
the
like
resolved
issues
of
the
hacker
one
reports,
but
on
your
issue
tracker,
because
then
I
can
also
read
like
how
you
tried
to
fix
something
or
what
your
discussion
and
thoughts
how
they
went
and
stuff
like
that
and
like
related
posts
and
it's
a
gold
mine.
C
No
so
my
I
have
quite
I
don't
have
that
much
time
to
do
this.
Actually,
it's
usually
just
during
evenings
or
late
nights
when
sitting
in
front
in
the
sofa
in
front
of
the
tv
and
then
I
kind
of
sneak
my
laptop
up
when
the
other
family
falling
asleep,
and
then
I
poke
around
on
some
things
and
yeah.
So
that's
that's
it
whenever
I
find
the
time
to
do
it.
I
guess.
D
C
Well,
I
try
not
to
think
like
that,
because
then
you
go
on
this
like
spiral
downwards,
like
yeah,
I
could
have
started
eight
years
ago
or
whatever
so
now
I
try
to
just
look
forward
to
try
to
be,
or
of
course
I
should
take
notes
that
irritates
me,
like
all
the
time
when
I
I
stumble
up
upon.
Like
the
same
thing,
I
have
to
google
and
look
through
and
try
to
find
this
issue
where
someone
mentioned
how
to
do
something,
and
I
just
have
to
find
it
again
so
taking
notes.
A
I
thought
of
a
question
that
I
didn't
add,
which
kind
of
might
follow
on
to
what
you
just
said
johann,
but
we
discovered
through
twitter
that
there
are
some
hackers
that
are
that
use
gitlab
issues
to
help
to
track
and
collaborate
on
their
hack.
Do
you
use
gitlab
at
all
for
that,
and
maybe
now
that
you
want
to
start
taking
notes.
C
C
A
B
Yeah,
if
there's
no
more
questions,
thank
you
huge.
Thank
you
to
you,
johan,
for
taking
the
time
to
answer
all
of
these
and
and
to
do
the
ama
and
thank
you
to
everyone
for
joining
as
well.
We
had
a
lot
of
great
questions
today.
I
believe
this
is
available
immediately
right
on
youtube
for
the
recording
yeah
and
we
we
hope
to
see
everyone
on
the
next
one.