From YouTube: Live GitLab Ask a Hacker AMA with Johan Carlsson (@joaxcar) Bug Bounty / Security Researcher
Description
We chat with bug bounty hunter and web developer, Johan Carlsson (@joaxcar on HackerOne) about how he got his start in bug hunting, what his workflow looks like and his sources for continual learning.
* See the notes from this AMA: https://docs.google.com/document/d/1M_LQbo5LqNKTKdN88FBkK-gIyULe1-HvyQDFLqTi0kA/edit?usp=sharing
* See Johan on HackerOne: https://hackerone.com/joaxcar?type=user
* See our AMA playlist: https://www.youtube.com/playlist?list=PL05JrBw4t0Kqvvpk9PmRO6fZ0xmnKBp_s
B: All right, cool. Welcome everyone to the GitLab security team's Hacker AMA series. We're really excited to host Johan Carlsson for today's AMA. Johan is a web developer by day, and within the last year he started bug bounty hunting and has already made his way quickly onto our top 10 hackers contributor list on HackerOne. Johan, would you like to introduce yourself a little bit?

C: I don't know what you call that, but my bachelor thesis from university, so that was my like first reports to you guys. What's during that time, and now I live with my family, I have three kids and having a hectic life.

A: Of course, I would, but I'm over here multi-tasking, about to post this link on to Twitter. So let me find my question.

A: All right, oh yeah, so it's super impressive that you went from what you call having zero knowledge in bug bounty hunting to landing on our top ten. What do you think has enabled you to be so successful, or successful in my eyes and in the eyes of our program, and do you have any other tips for newcomers when it comes to diving into bug bounty hunting?

C: Yeah, so I can begin with clarifying probably that zero knowledge is a big statement when you have just finished like three years of university computer science. So of course I knew stuff about computers and the web and everything, but I had zero experience in bug hunting and didn't know that much about IT security or all these web related issues like cross-site scripting and whatever. I didn't know anything about that.

C: I think that what has worked for me is like a genuine interest, I guess, and perseverance. Like, when I get into something I kind of start tinkering a lot with it and it becomes like my only focus, and I go around and think about it during the days when I have some time over and stuff like that. So I think my tip would probably be like to keep it interesting, because otherwise it's really hard, I guess, to find anything or to be successful then.

A: Thank you. Hey, I think you have the next question.
C: Yeah, so I have been diversifying, because I get a lot of invites, of course, on HackerOne, that's kind of how it works. When you find something, then you start getting these invites. Most of it I haven't had time to look at at all, but I have been using it to like learn and test out some more like simple or, as I call them, off-the-shelf vulnerabilities that are not as present in GitLab and your program at the moment. So finding some more basic CSRF issues or cross-site scripting issues and stuff like that, but also some other like really interesting things, when I get to use like all the other tools, and using Burp a bit more and stuff like that, which I don't do on GitLab really.

C: But what I have seen is, and that's probably because you're a big player on HackerOne, at least, so you're not... I guess you don't have the time to be as personal on like every report as to like the small programs that maybe have like 15 reports or something.

D: Ooh yeah, that makes sense, and the other question I had was: how do you pick which part of GitLab you're going to dig into? Do you read a release post or do you look at old bugs, or what do you do?

C: I do read like the release post every month and then I wait patiently for the security release, which is even more interesting, and I found a lot of... most of the time I find the areas of GitLab which I haven't seen or noticed before, and it doesn't necessarily mean that I find a bug that is like really similar to the one, but it points me in some direction and I start digging that way. But I've also found issues by just like randomly clicking on issues on your issue.

D: Thank you. Is Eduardo on the call for the next question? You can voice it. I'll just read it. Could you describe in more detail the business model of bug bounty? Do different companies offer different prices for the same type of bug?

C: Yeah, I guess that's a bit tricky question for me, because the business model depends on if you ask like the hacker or the program. I guess for me, I'm trying to push on like impact should be rewarded, I guess, and also like thorough research and good reporting. That's what I try to push when I speak with programs and triage teams, and that also includes, like, of course, a bug on one program, like a cross-site scripting is a good example. It can be like very critical on programs like GitLab, where you can access really sensitive information, and you can muck around with the company's CI/CD flows and deployments and stuff, and on some programs like an XSS is really nothing, so I actually think it should pay differently. Yes.

D: Now, what do you think about GitLab's secure coding guidelines? Is anything missing? Have you looked at them?
C: Yeah, I've looked at them, like browsed through it sometimes, but now I took a look at it when I saw the question and it's really impressive. I need to dig into it more because I have some like hints for what I should look for, I guess, as I have never like written a single line of Ruby. I haven't even like read it before I started digging into your code base, so it's been like a really confusing, long uphill battle there, navigating the code base, and so the guidelines have some good tips for me. Yes, what I as a developer, I guess it can be hard, even if someone says like SSRF to you and they try to explain it. It's really hard to know like, why is this even important, and you have to be like reminded again and again like, what's actually the problem here?

C: So what I really like is the CVSS calculator that you have created, and if I were a developer I would like a calculator like that, like if I've been developing a feature that I could just like click through these questions, and then I get some tips like, you should really look into like this, this and this part of the guidelines, because it's quite long, and to read it through like every time is probably time consuming.

D: Oh, great feedback, and I'll keep going. Samantha is not present right now. Are there any resources, books, courses, websites that you found really helpful when you started into this and you would recommend to a newcomer?

C: So I'm still kind of most proud of one of my... I think it was my second valid report, and the third as well. It was like multiple issues and I had this really, really long discussion with Andrew back and forth about this feature, which are like this project access tokens, which were like implemented in a rather special way where you created this bot user, and it was the first time that I really like just found a bug by thinking about it. I actually found it while shopping, showing as before going to sleep, and I just had this like revelation like, if I do this, then I probably can elevate my privilege, and then it worked. It was a really, really great feeling.

D: It's more like a logical bug that you created. Is Muhammad on the call? I don't think so.

C: Yeah, so I guess my answer to that would be that I don't really know, because I don't have a career in IT security yet. I'm like, my tips would probably... it's just kind of the same with like how to, like my first answer to Heather there. I guess like just to find some part of it that you find really interesting and stay in that area, if it generates like bug bounties or if it's in like CTFs or Hack The Box kind of things, at least as long as you find it interesting. I think it's a lot easier to get somewhere, but then also like keeping a presence online, like on Twitter and LinkedIn, and so I guess you get contacted by people if you like start showing your work.

D: Good, good tips. We have another question from Yuki Osaki, who's not on the call right now. Well, what is your workflow to find a vulnerability? Do you run GitLab in your local environment as opposed to testing on gitlab.com?
C: Yeah, so I have kind of three environments, I guess. I have a couple of accounts on gitlab.com, which I use regularly for testing, and then I also have this local installation from kind of source, or like the Arch Linux thing. It's a nightmare to keep it up to date, but I have my GitLab Ultimate license in there. It's in a closet over here, which I use when I need to access like a feature that needs... I need to be like admin on an Ultimate box. Otherwise I also use this Docker, like just spinning up local servers on my machine if I need to test this like admin stuff without the Ultimate license. But other than that, my workflow is kind of just like browsing around trying to find new areas, doing it on my phone a lot of times, like reading issues and stuff like that, and then when I find something I start like digging in, reading source code, trying... so a lot of times I find like the source code for it, but I have no idea like how to get there in the application. So I have to like find a way into that spot and then start trying to figure out if there is a vulnerability in there.

C: If I know that someone is like really good at something, I can try to ask them, but I don't really have like this single source where I go to, I guess, except for, yeah, the like resolved issues of the HackerOne reports, but on your issue tracker, because then I can also read like how you tried to fix something, or what your discussion and thoughts, how they went and stuff like that, and like related posts, and it's a gold mine.

D: And a very serious question from me: do you have some sort of hacking pre-game ritual? Do you have... are you set up at the same time of the day, do you drink the same thing, eat the same thing, you're on the couch?

C: No, so I have quite... I don't have that much time to do this, actually. It's usually just during evenings or late nights when sitting in front... in the sofa in front of the TV, and then I kind of sneak my laptop up when the other family is falling asleep, and then I poke around on some things, and yeah. So that's it, whenever I find the time to do it, I guess.
D: Great, great. Zooming, all right. Stephan asks: having gone from being new to bug bounties to being as established as you are in our program, is there something that you would go back and tell your past self to do better when you were new?

C: Well, I try not to think like that, because then you go on this like spiral downwards, like, yeah, I could have started eight years ago or whatever. So now I try to just look forward, to try to be... or of course I should take notes. That irritates me like all the time, when I stumble upon like the same thing I have to Google and look through and try to find this issue where someone mentioned how to do something, and I just have to find it again. So, taking notes.

A: I thought of a question that I didn't add, which kind of might follow on to what you just said, Johan, but we discovered through Twitter that there are some hackers that use GitLab issues to help to track and collaborate on their hack. Do you use GitLab at all for that, and maybe now that you want to start taking notes?

C: Should start, I guess. No, I actually I've started tinkering with that myself, like because it's also great, you can write like the markdown.

A: All right, that was me accidentally hitting Siri over here. All right, James, I'm gonna kick it over to you then.

B: Yeah, if there's no more questions, thank you. Huge thank you to you, Johan, for taking the time to answer all of these and to do the AMA, and thank you to everyone for joining as well. We had a lot of great questions today. I believe this is available immediately, right, on YouTube for the recording, yeah, and we hope to see everyone on the next one.