Description
We chat with bug bounty hunter and security researcher Alex Chapman about his approach to bug hunting, why he hunts on our platform, and about his favorite scene from the movie Hackers.
* See the notes from this AMA: https://docs.google.com/document/d/1YB7h3VQMCAUxfr9rhX1Lg6bwZiw2micKYBaOY-z_I2s/edit?usp=sharing
* See Alex on HackerOne: https://hackerone.com/ajxchapman?type=user
* Read our blog interview with Alex: https://about.gitlab.com/blog/2021/03/04/ajxchapman-ask-a-hacker/
* See our AMA playlist: https://www.youtube.com/playlist?list=PL05JrBw4t0Kqvvpk9PmRO6fZ0xmnKBp_s
A
Hello, everyone, and welcome to this edition of GitLab's Ask a Hacker. I'm Lawrence Bierner, director of application security here at GitLab, and today we're chatting with Alex Chapman, a security researcher who has made significant contributions to the GitLab security program through his ethical disclosure of vulnerabilities. He's also a contributor to many other companies and organizations as well. Alex has been a HackerOne security researcher since 2017, with a total of 81 vulnerabilities discovered. Welcome, Alex. Thanks for taking the time today to chat with us.
A
We really appreciate that. Tell us a little bit about yourself and maybe about your career as a security researcher.
B
Yeah, brilliant, thanks, and thanks for having me. So, as you say, I'm a full-time bug bounty hunter, which I've actually been doing full-time for the past just over two years now. But before that I've been a penetration tester as an external consultant, I've been part of internal red teams, I actually worked for a bug bounty platform for just under 12 months, and then I took the leap to doing bounty hunting full-time from there.
A

B
Yeah, I'm sorry, this is, scarily, my only source of income. So yes, it's where I spend most of my time, obviously.
A
Good for you, good for you. I think I can speak for several, probably, on those calls: we're a little envious of you in there, so that is awesome to hear. So, you know, the sort of format here: we're gonna go through some of the questions we have in our document. I encourage everyone who has joined us to add questions to the doc; we'll get to them. We'll read them off, we'll get Alex to chat a little bit about them, and let's get started. So, our first question.
C

B
Sure, this is obviously a very broad question, so I'll try and give it a general answer. But so when I'm looking for vulnerabilities, I prefer to look in software that is either open source or client-side applications, where I can either reverse engineer the application or get some more information than just kind of your traditional web application testing or black box testing. This is purely because it has been a long time interest of mine and I've got some quite good tooling and built up some good skills around that. But in terms of the sorts of issues I'm looking for, I certainly have a list of common things I check for. So I think early on I had a lot of success with DNS rebinding issues in certain client-side applications. Actually, I think one of my GitLab bugs was a DNS rebinding one, one of the first ones that I brought to GitLab.

So I had quite a lot of success with those. I certainly have a stock of vulnerabilities I go looking for, but I also try and understand the application and what it does and come at it from what would be a business logic issue. What does this application do, and what would be kind of the worst case scenario if somebody was able to ... the logic of the application? So that doesn't necessarily lend itself to a particular class of issues. It's more an outcome that I'm trying to get to, and I'll always set an outcome as a goal for my period of research against a particular application.
C

B
Yeah, this one had me thinking for a while, because I could go on for a long time on this or I could boil it down to the key thing. And then I was thinking about it, and one thing that I think I've only seen on one program is education about a product.

So we have these companies who have these bug bounty programs, but some of them don't even say what the product is or what the company does. And the more a bug bounty program can help the participants understand what the product is, how it works, how to use it, what the worst case outcomes would be and all of the kind of internal risk struggles of the product, all of that information is helpful, so they can get to learn exactly how users use the products. I'm actually somewhat shocked that more programs aren't doing that, because the more you can help bug bounty hunters and hackers understand your products and your offerings, the more value you're gonna be getting out of them and the more people will be willing.
A
That is an excellent point, Alex, and something all bug bounty programs, I think, can learn from there in that answer.
C

B
Again, I was thinking on this one for a little while. Unfortunately, the one I really want to talk about I'm not allowed to talk about, because it's not been published, but I can talk about it in generics, because it's a bit of an area of ... it combines a lot of interests of mine. So it was an online game that had a scripting engine that could be used for custom game modes, and the particular company had done a lot of hardening of the particular scripting engine, but not their bindings to it. So I was
C

B
So I was able to develop a full exploit chain for this game, bypassing all the mitigations that are required, so ASLR, read/write memory, all the rest of it, locally on my Linux desktop, and it worked first time when I flung it against the servers in the cloud, and that's never happened to me before in my life.

So I was particularly happy about that, and it kind of felt like browser exploitation maybe seven, eight, nine years ago, in terms of the things that I could do and the access that I had. So it was a really fun thing to pull apart. I was quite into gaming at the time, so it kind of brought up that passion as well. But I'm petitioning to get some of those issues published, so hopefully at some point.
B
Thank you for this one. Whilst I've only been a bug hunter, or bug bounty hunter, for three or four years, I have been submitting bugs to third-party companies for the best part of a decade, and I've had some very interesting experiences. I don't want to name and shame anyone, but there was a particular IoT vendor who found out about a bug on, I think it was, a Friday afternoon. Their lawyers contacted my boss about an hour later, and it was a holiday weekend in the UK, which my boss had to entirely forfeit, speaking to their lawyers for the best part of three or four days over a vulnerability report that was my responsibility. So that was probably the scariest that I've had.

I also have had vendors completely misunderstand the reason I'm getting in contact with them. So there was one particular vendor who ended up putting me in contact with their sales team, and I managed a sales call with one of their sales team, who was convinced I wanted to buy their products, and that was a particular waste of time for all of us. Ranging through to: there was a particular very popular VPN provider who just outright denied what I was saying was a bug, and it was a situation where we could man-in-the-middle all VPN traffic going through that VPN, which to me seemed like a really big deal. But they decided it wasn't their problem; it was actually down to the operating system, and they were just going to have nothing to do with it. So that was a particularly frustrating experience.

So I've got a large number of bad experiences over my years, but more recently, with bug bounty programs and having dedicated teams to report to, they've been fewer and fewer and fewer, which is fantastic.
B
I did have to rewatch the movie to think on this one. It's definitely the phone box hacking scene, where they're all there, the music's flaring, they're all in their individual phone boxes but working together as a team. Completely unrealistic with the visuals, but it's just fantastic. The camaraderie and the teamwork that's going on in that, and the music tying it all together, is iconic, certainly.
A
Honestly, Alex, that is exactly what I, in my career, have previously pictured in my mind when I've been doing penetration tests or ethical hacking. Yes.
B
Certainly the closest I've come to it would have been a live hacking event, working with some other researchers, but we didn't have the phone boxes or the cool little Pac-Man going across the screen, unfortunately. So, one day.
B
Sure, this is a bit of a difficult question for me. Unfortunately, it's kind of based in tragedy. My wife and I lost our first daughter a few years back. I was working at HackerOne at the time and took some time off from work. They were very generous and gave me as long

C

B
needed off after that, and I came back at the start of the next year, and first day in the office I just knew I wasn't ready to come back to work, and I didn't want to leave them hanging. Obviously they were keeping a position open for me, but so I handed in my notice there and kind of took a few more months to recover with my wife and think about what was important to me. And it was then that I kind of realised I wasn't ready for full-time commitment, but was very passionate about security and bug hunting. So, having worked with bug hunters and doing a little bit of bug bounty work, kind of part time, in my own time, I felt I was at a stage where I could actually break out and try and do this as well, first to cover the bills, and it did very well in that first year and just kind of kept going from there. It started off as a bit of an experiment and it kind of kept going to this day, so I've been very fortunate in that respect.
C

B
I don't normally talk about money for individual bugs that I submit. Some do get either publicly disclosed through the public platforms, or bug bounty marketing teams get involved because they are talking about quite high amounts. I think the biggest public issue that I've been awarded would have been actually the end of last year, working with the Atlassian Bitbucket team. They were putting together new infrastructure around their CI/CD pipeline and using Kata containers to try and isolate their CI build jobs, and I was able to find a way to break out of the containerized environment and affect the underlying Kubernetes hosts. So they were very generous in that, and they awarded a 20,000 bounty on that particular bug and kind of full exploit chain.
C

B
Okay, that's, yeah, a very good question there. So, certainly, when I'm trying to hit my targets with bug hunting (obviously I do this as a job, so I set a monthly target of how much money I want to make), I do, excuse me, focus on bugs that I'm familiar with and targets that I'm familiar with. So I certainly have several programs that I know I can reliably hunt for bugs on and find issues on, and I tend to

A

B
not stray too far from there. So there'll be kind of classic web bugs, although I am a terrible web app tester, or things like I mentioned before, DNS rebinding, or other issues that I know how to quickly look for and quickly exploit.
C
So interesting, you're like your own, like, business owner.
B
So I've been learning, or teaching myself, Go again over the past 12 months, primarily because containerized software seems to be written in Go, and that's helped me learn and understand Docker and Kubernetes projects and hunt for bugs in those projects. But in terms of actual resources, other than getting online and reading through the source code ... I'll swing back to that one.
C
If they're not, please go ahead to number ten; that's me making a mistake. Oh, no worries. So: any recommended strategy for a bug hunter starting out with lots of time to learn and practice, e.g. CTF versus recreating exploits for public CVEs versus bug bounty directly versus learning development? Yeah.
B
Again, a very broad question, and I know a lot of other bug hunters have kind of approached this and put out their own ways of doing this. Personally, I wouldn't necessarily recommend starting with bug bounty if you're brand new to security. It's learning

C

B
basics of programming or networking, or even hacking, but on targets on test systems. I know, for example, TomNomNom on Twitter has just put out an introduction to networking for people wanting to learn to hack, which I think might have only gone out yesterday, which is a fantastic resource. And I think having an initial goal of learning tech is very admirable, but I kind of think that should be an end goal, and there's a lot of technologies and learning technologies that has certainly helped me in this process. As I say, I'm 13, nearly 14 years through this learning process, and I feel like I'm still relatively inexperienced in a lot of areas.

So, doing CTFs is really good, but then it does teach some bad habits, in that there's always a way in in a CTF, where that's not necessarily the case on a bug bounty target. An important skill in bug bounty is actually knowing when to move on and knowing when to give up on a target. It doesn't mean you'll give up on it forever, but moving on from it to focus ... else. So, CTF
C

B
... a little bit, but there are a lot of good online resources, certainly for getting started in bug bounty as well, that I am happy to link to after this event.
C
Wonderful. And then, yes, we're at the 51 minute mark, so we'll see what we can get through in the next few minutes. The next question is: what do you think about recon automation? Do you use it, or prefer manual tests on main apps?
B
I'm not a particular fan of automated recon. I like to go kind of what I would say deep on a target, rather than wide across all targets. My main interest in automated recon is on the development side of it. I sometimes develop side projects that could be used in automation, but I generally do that as a fun side project rather than actually putting it into production. I don't like the race aspect of automated bug hunting and recon. It feels like you're racing a lot of other hackers out there to try and find the same bugs, whereas I prefer to get to know a target in a much deeper way, to try and find bugs that no other hacker is either looking for or could find.
C

B
Yeah, badly, very badly. So, before my second daughter came along, I was able to spend hours and hours in front of the keyboard without too many other responsibilities. Since my second daughter came along, well, eleven months ago now, I've been having to balance my time a lot more and fit bug hunting in around childcare and all the rest of it. So some of the biggest things and revelations for me were note-taking. I was terrible at note-taking, and now I kind of write absolutely everything down that I can, even if I don't think it's particularly useful at the time; it can sometimes spark something several days later, and I can go back and find those notes.

So I do actually use GitLab issue reporting for all of my bug hunting notes, so I'll... If I get a bug or two out of it, I'll link those to new issues and write reports in these new issues, and at the end of each session I always make sure I take five, ten minutes to write down any outstanding thoughts and just really try and keep on top of my thoughts. I find GitLab issues very useful as well, because when I wake up in the middle of the night with this spark of inspiration, I can just jump on my phone.
C
I'm going to share that with our team who does all the issues; they'll love hearing that feedback. All right, so the next one is from someone who's a full-time pen tester at a consultancy: I want to spend more time doing bug bounties, but I don't want to quit my job. Do you think a part-time employment, part-time bounty approach can work, combining some guaranteed salary with the flexibility of bug bounties?
B
Sure, it can definitely work, depending on levels of skill and levels of drive. I think I was very, I'm very cautious recommending people take up bug bounty full time. As I said, I've published a blog about when I did it a couple of years ago, and I was very careful to say that I went into this with money in the bank and my wife working a good job, so I was very low risk in starting bug bounty as a full-time career. If it had gone wrong, I would have been fine. I wouldn't have lost the house or put myself in financial hardship, and that's the biggest thing I want to say to anybody who's interested in getting into bug bounty full time as a career. It's great while it's going great, but it can be really difficult if you're not meeting your targets or not earning money.

That being said, it's very difficult to do on top of a day job. I tried that for a little while as well; it becomes a real grind, doing your day job and then in the evenings trying to find bugs. So it's about getting a balance there, and going part time to do bug bounty hunting would be a valid way to, as the question says, kind of mitigate some of those risks. All I can say is, if you feel like you're at that point, and you have the financial backing that you could do that, and your current company would be willing to let you do that, I would say yes, it is viable, but make sure everything's in place and you're financially stable enough to do it.
C

B
First, learn Ruby. I am very disappointed that GitLab's written in Ruby. I'm not a fan, I have to say. I had to re-teach myself Ruby; I've written in Python for the best part of seven, eight, nine years and, more recently, as I said, Go. GitLab does have some Go components, and I have been focusing heavily on those as well. But read the source. It's all there. Read the issues; you can see what's going on, you can see what's going on in the, you know, the considerations of how issues are fixed. All of the fixed security issues are also published on the GitLab issue tracker. Read through them, see what other people have been submitting, see how issues have been fixed, and yeah, it's all that. That's one of the things I really like about the GitLab program: it is all there. It's all open, even the documentation and a lot of the internal employee

C

B
question. [What I] find the most, unfortunately, is probably things like cross-site scripting, which are bugs that I don't particularly enjoy finding or enjoy reporting, but there are still a lot of them out there. I'm astounded we're still seeing it, but I think it was probably the first bug I found in my first security job 14 years ago, and I still, I found one yesterday, which is horrendous, that we haven't made progress in 15 years. But unfortunately it probably is that.
A
Sure, thanks Christy. So, Alex, we really, really appreciate your time today. Thank you so much for taking time out of your, really your entire personal day, contributing to other bug bounty programs, time with your family, to spend chatting with us. Thank you for all you do for GitLab. Please continue hunting on our platform, using our platform; we enjoy your bugs, your feedback, and really appreciate everything you're doing for us. Thank you. Thank you very much, and thank you to everyone who's joined us today, and thank you for all the questions. This is a great discussion, and we hope to see everyone next time on our next edition of Ask a Hacker. Thank you.