►
Description
We chat with bug bounty hunter and security researcher, Alex Chapman about his approach to bug hunting, why he hunts on our platform and about his favorite scene from the movie Hackers.
* See the notes from this AMA: https://docs.google.com/document/d/1YB7h3VQMCAUxfr9rhX1Lg6bwZiw2micKYBaOY-z_I2s/edit?usp=sharing
* See Alex on HackerOne: https://hackerone.com/ajxchapman?type=user
* Read our blog interview with Alex: https://about.gitlab.com/blog/2021/03/04/ajxchapman-ask-a-hacker/
* See our AMA playlist: https://www.youtube.com/playlist?list=PL05JrBw4t0Kqvvpk9PmRO6fZ0xmnKBp_s
A
Hello,
everyone
and
welcome
to
this
edition
of
get
labs.
Ask
a
hacker.
I'm
lawrence
bierner,
director
of
application
security
here
at
getlab,
and
today
we're
chatting
with
alex
chapman
a
security
researcher
who
has
made
significant
contributions
to
the
gitlab
security
program
through
his
ethical
disclosure
of
vulnerabilities,
he's
found
a
contributor
to
many
other
companies
and
organizations
as
well.
Alex
has
been
a
hacker
one
security
researcher,
since
2017.,
with
a
total
of
81
vulnerabilities,
discovered
welcome,
alex
thanks
for
taking
the
time
today
to
chat
with
us.
B
Yeah,
brilliant
thanks
and
thanks
for
having
me
so,
as
you
say,
I'm
a
full-time
bug,
bounty
hunter
which
I've
actually
been
doing
full-time
for
the
past
just
over
two
years
now,
but
before
that
been
a
penetration
tester
as
a
as
an
external
consultant,
I've
been
part
of
internal
red
teams.
I
actually
worked
for
bug
managing
platform
for
just
under
12
months
and
and
then
I
took
to
delete
to
doing
bounty
hunting
full-time
from
there.
A
B
A
Good
for
you
good
for
you,
I
I
think
I
can
speak
for
several,
probably
on
those
calls
we're
we're
a
little
envious
of
you
in
there,
so
that
is.
That
is
awesome
to
hear.
So
you
know
the
sort
of
the
format
here
we're
gonna
go
through
some
of
the
questions
we
have
in
our
document.
I
encourage
everyone
who
has
joined
us
to
add
questions
to
the
doc,
we'll
get
to
them.
C
B
Sure
this
is
obviously
a
very
broad
question,
so
I'll
try
and
try
and
give
it
a
general
answer,
but
so
when
I'm
looking
for
for
vulnerability,
I
prefer
to
look
at
in
software
that
is
either
open
source
or
client-side
applications
where
I
can
either
reverse
engineer
the
application
or
get
some
more
information
than
just
kind
of
your
traditional
web
application,
testing
or
black
box
testing.
This
is
purely
because
it
has
been
a
long
time.
B
Interest
of
mine
and
I've
got
some
quite
good
tooling,
and
build
up
some
good
skills
around
that,
but
in
terms
of
the
sorts
of
issues
I'm
looking
for,
I
I
certainly
have
a
list
of
common
things
I
check
for
so
I
think
early
on,
I
had
a
lot
of
success
with
dns
rebinding
issues
in
certain
client-side
applications.
Actually,
I
think
one
of
my
gitlab
bugs
was
a
was
a
dns
through
binding
one
of
one
of
the
first
ones
where
I
bought
it
to
get
them.
B
So
I
had
quite
a
lot
of
success
with
those
I
certainly
have
a
stock
of
vulnerabilities
I
go
looking
for,
but
I
also
try
and
understand
the
application
and
what
it
does
and
come
at
it
from
what
what
would
be
a
business
logic
issue.
What
would
be,
what
does
this
application
do
and
what
would
be
kind
of
the
worst
case
scenario
if
somebody
was
able
to
to.
B
C
B
So
we
we
have
these
these
companies,
who
have
these
bug
bounty
programs,
but
some
of
them
don't
even
say
what
the
product
is
or
what
the
company
does
and
the
more
a
bug
bounty
program
can
help.
The
participants
understand
what
the
product
is,
how
it
works,
how
to
use
it,
what
the
worst
case
outcomes
would
be
and
all
of
the
kind
of
internal
internal
risk
struggles
of
the
product.
All
of
that
information
is
helpful.
C
B
B
C
B
So
I
was
able
to
develop
a
full
export
chain
for
this
for
this
game,
bypassing
all
the
mitigations
that
are
required.
So
aslr
read,
write
memory,
all
the
rest
of
it
locally
on
on
my
linux
desktop,
and
it
worked
first
time
when
I
flung
against
the
servers
in
the
in
the
cloud-
and
that
was
that's-
never
happened
to
me
before
in
my
life.
B
So
I
was
particularly
happy
about
that
and
it
it
kind
of
felt
like
browser
exploitation,
maybe
seven,
eight
nine
years
ago,
in
terms
of
the
things
that
I
could
do
and
the
and
the
access
that
I
had.
So
it
was
really
fun
thing
to
to
pull
apart.
I
was
quite
into
gaming
at
the
time,
so
it
kind
of
brought
up
and
brought
up
that
passion
as
well,
but
I'm
I'm
petitioning
to
get
some
of
those
issues
published
so
hopefully,
at
some
point.
B
Thank
you
for
this
one.
I,
whilst
I've
only
been
a
bug,
hunt
or
bug
bounty
hunter
for
three
or
four
years,
I
have
been
submitting
bugs
to
to
come
third-party
companies
for
the
best
part
of
a
decade,
and
I've
had
had
some
very
interesting
experiences.
I
don't
know
name
and
shame
anyone,
but
there
was
a
particular
iot
vendor
who
found
out
about
a
bug
on.
I
think
it
was
a
friday
afternoon.
Their
lawyers
contacted
my
boss
about
an
hour
later,
and
it
was.
B
It
was
a
holiday
weekend
in
the
uk
which
my
boss
had
to
entirely
forfeit
speaking
to
their
lawyers
for,
for
the
best
part,
three
or
four
days
over
over
a
vulnerability
report.
That
was
my
responsibility,
so
that
was
probably
the
the
scariest
that
I've
had.
I
also
have
vendors
completely
misunderstand
the
reason
I'm
getting
in
contact
with
them.
So
there
was
one
particular
vendor
who
ended
up
putting
me
in
contact
with
their
sales
team
and
managed.
B
What
I
was
saying
was
was
a
bug
and
it
was
a
situation
where
we
could
man
in
the
middle
all
vpn
traffic,
going
through
that
vpn,
which
to
me
seemed
like
a
really
big
deal,
but
they
they
decided,
it
wasn't
their
problem.
It
was
actually
down
to
the
operating
system
and
they
were
just
going
to
have
nothing
to
do
with
it.
So
that
was
a
particularly
frustrating
frustrating
experience.
B
I
did
have
to
rewatch
the
movie
to
to
think
on
this
one.
It's
definitely
the
the
phone
box,
hacking
scene,
where
they're
all
there,
the
music's
flaring
they're
all
in
their
individual
phone
boxes,
but
working
together
as
a
team
completely
unrealistic
with
the
visuals,
but
it's
just
fantastic.
The
camaraderie
and
the
teamwork
that
going
on
in
that
and
the
music
tying
it
all
together
is
is
iconic.
Certainly.
A
B
B
C
B
B
Obviously
they
were
keeping
a
position
open
for
me,
but
so
I
I
handed
him
my
notice
there
and
kind
of
took
a
few
more
months
to
recover,
with
my
wife
and
and
think
about
what
was
important
to
me,
and
it
was
then
that
I
kind
of
realized
I
wasn't
ready
for
full-time
commitment,
but
was
very
passionate
about
security
and
bug
hunting.
So
having
worked
with
bug
hunters
and
doing
doing
a
little
bit
of
bug,
bounty
work,
kind
of
part
time.
B
In
my
own
time
I
felt
I
was
at
a
stage
where
I
could
actually
break
out
and
try
and
try
and
do
this
as
well,
first
to
cover
the
bills,
and
it
very
did
very
well
in
that
first
year
and
just
kind
of
kept
going
from
there.
It
was
started
off
as
a
bit
of
a
an
experiment
and
it
kind
of
kept
it
going
to
this
day
so
been
very
fortunate
in
that
respect.
C
B
C
B
Okay,
that's
yeah
very
good
question
there,
so
I
I
certainly
when
I'm
when
I'm
trying
to
hit
my
targets
with
bug
hunting.
Obviously
I
do
this
as
a
job,
so
I
set
a
monthly
target
of
how
much
money
I
want
to
make.
I
do
excuse
me,
do
focus
on
books
that
I'm
familiar
with
and
targets
that
I'm
familiar
with,
so
I
certainly
have
several
programs
that
I
know
I
can
reliably
hunt
for
bugs
on
and
find
issues
on,
and
I
tend
to.
A
B
B
So
I've
been
learned
or
teaching
myself
go
again
over
the
past
12
months,
primarily
because
containerized
container
software
seems
to
be
written
to
go
and
that's
helped
me
learn
and
understand,
docker
and
kubernetes
projects
and
to
hunt
for
bugs
in
those
projects,
but
in
terms
of
actual
resources
other
than
getting
online
and
reading
through
the
source
code.
I
will
I'll
swing
back
to
that.
One.
C
C
If
they're
not,
please
go
ahead
to
number
ten,
that's
me
making
a
mistake.
Oh
no
worries
so
any
recommended
strategy
for
for
a
bug
hunter
starting
out
with
lots
of
time
to
learn
and
practice,
and
we
need
ctf
versus
recreating
exploits
for
public
cves
versus
bug,
bounty,
directly,
learning
development,
yeah.
B
C
B
I
know,
for
example,
tom
nom
nom
on
twitter
has
just
put
out
a
an
introduction
to
networking
for
for
people
wanting
to
to
learn
to
hack,
which
I
think
might
have
only
gone
out
yesterday,
which
is
a
fantastic
resource,
and
it,
I
think,
having
an
initial
goal
of
learning.
Tech
is
very
admirable,
but
I
kind
of
think
that
should
be
an
end
goal
and
there's
a
lot
of
technologies
and
learning
technologies.
That
has
certainly
helped
me
in
in
this
process.
As
I
say,
I'm
13
nearly
14
years
through
this.
B
So
it's
doing
ctfs
is
really
good,
but
then
does
teach
some
bad
bad
habits
that
there's
always
a
way
in
in
a
ctf
where
that's
not
necessarily
the
case
on
a
bug,
bounty
target,
an
important
skill
in
bug.
Bounty
is
actually
knowing
when
to
move
on
and
knowing
when
to
give
up
on
a
target
doesn't
mean
you'll
give
up
on
it
forever,
but
moving
on
from
it
to
focus.
C
B
C
B
C
B
B
My
my
main
interest
in
automated
recon
is
on
the
development
side
of
it.
I
I
sometimes
develop
side
projects
that
could
be
used
in
automation,
but
I
generally
do
that
as
a
as
a
fun
side
project,
rather
than
actually
putting
into
into
production.
I
don't
like
the
race
aspect
of
automated
bug,
hunting
and
recon.
C
B
Since,
since
my
second
daughter
came
along
well
eleven
months
ago
now,
I've
been
having
to
balance
my
time
a
lot
more
and
fitting
bug
hunting
in
around
child
care
and
all
the
rest
of
it.
So
some
of
the
biggest
things
and
revelations
for
me
were
note-taking.
I
was
terrible
at
note-taking
and
now
I
kind
of
write,
absolutely
everything
down
that
I
can,
even
if
I
don't
think
it's
particularly
useful
at
the
time,
it
can
sometimes
spark
something
several
days
later
and
I
can
go
back
and
find
those
notes.
B
If
I
get
a
bug
or
two
out
of
it,
I'll
I'll
link
those
to
new
issues
and
and
write
reports
in
these
new
issues
and
at
the
end
of
each
session,
I
always
make
sure
I
take
five
ten
minutes
to
write
down
any
outstanding
thoughts
and
just
really
try
and
keep
on
top
of
my
thoughts.
I
find
get
love
issues
very
useful
as
well,
because
I
can,
when
I
wake
up
in
the
middle
of
the
night.
With
this
work
of
inspiration,
I
can
just
jump
on
my
phone.
B
C
I'm
going
to
share
that
with
our
team,
who
does
all
the
issues?
They'll
love
hearing
that
feedback
all
right,
so
the
next
one
is
from
someone
who's
a
full-time
pen,
tester
at
a
consultancy.
I
want
to
spend
more
time
doing
bug
bounties,
but
I
don't
want
to
quit
my
job.
Do
you
think
part-time
employment,
part-time
bounty
approach
can
work
combining
some
guaranteed
salary
with
the
flexibility
of
bug,
bounties.
B
Sure
it
can
definitely
work
depending
on
levels
of
skill
and
levels
of
drive.
I
think
I
was
very
I'm
very
cautious,
recommending
people
take
up
bug
bounty
full
time.
I
I
said
I've
published
a
blog
about
when
I
did
it
a
couple
years
ago,
and
I
was
very
careful
to
say
that
I
I
went
into
this
with
money
in
the
bank
and
my
wife
working
a
a
a
good
job,
so
I
was
very
low
risk
in
starting,
but
bounty
has
a
full-time
career.
B
If
it
had
gone
wrong,
I
would
have
been
fine.
I
wouldn't
have
lost
the
house
or
put
myself
on
financial
hardship
and
that's
that's
the
biggest
thing
I
want
to
say
to
anybody's
interest
in
getting
into
bug
bounty
full
time
as
a
career.
It's
it's
great
while
it's
going
great,
but
it
can
be
really
difficult
if
you're
not
meeting
your
targets
or
not
earning
money.
That
being
said,
it's
very
difficult
to
do.
B
On
top
of
a
day
job,
I
tried
that
for
a
little
while
as
well,
it
becomes
real
grind
doing
your
your
day
job
and
then
in
the
evenings
trying
to
trying
to
find
bugs.
So
it's
about
getting
a
balance
there
if
and
going
part
time
to
do
bug,
bounty
hunting
would
be
a
valid
way
to,
as
the
question
says,
to
kind
of
mitigate
some
of
those
risks.
C
B
First,
learn
ruby.
I
I
am
very
disappointed
that
get
loves
written
in
ruby,
I'm
not
a
fan,
I
have
to
say
I
I
had
to
re-teach
myself,
ruby
I've
written
in
python
for
best
part
of
seven
eight
nine
years
and
more
recently,
as
I
said,
go
get
does
have
some
go
components.
I
have
been
focusing
heavily
on
those
as
well,
but
read
the
source.
It's
all
there
read
the
issues
you
can
see.
B
What's
going
on,
you
can
see
what's
going
on
in
the
you
know,
the
considerations
of
how
issues
are
fixed.
All
of
the
fixed
security
issues
are
also
published
on
the
git
level
issues
tracker
read
through
them
see
what
other
people
have
been
submitting
see
how
they've
been
issues
have
been
fixed
and
yeah.
It's
all
that.
That's
one
of
the
things
I
really
like
about
the
getter
program
is,
it
is
all
there.
It's
all
open,
even
the
the
documentation
and
a
lot
of
the
internal
employee.
B
C
B
A
Sure,
thanks
christy,
so
alex.
We
really
really
appreciate
your
time
today.
Thank
you
so
much
for
taking
time
out
of
your
your
really
your
entire
personal
day,
contributing
to
other
bug,
bounty
programs,
time
with
your
family,
to
spend
chatting
with
us.
Thank
you
for
all
you
do
for
git
lab.
Please
continue
hunting
on
our
platform
using
our
platform,
we
enjoy
your
bugs
your
feedback
and
and
really
appreciate
everything
you're
doing
for
us.
Thank
you.
Thank
you
very
much
and
thank
you
for
everyone.