►
Description
We chat with bug bounty hunter Riccardo Padovani about his approach to bug hunting, why he hunts on our platform and which is his favorite vulnerability to hunt.
* See Riccardo on HackerOne: https://hackerone.com/rpadovani
* Read our blog interview with Riccardo: https://about.gitlab.com/blog/2020/11/10/rpadovani-ask-a-hacker/
* See our AMA playlist: https://www.youtube.com/playlist?list=PL05JrBw4t0Kqvvpk9PmRO6fZ0xmnKBp_s
A
All
right,
hello,
everyone
we
are
here
today,
speaking
with
ricardo
padovani,
a
get
lab,
hero
and
hacker
one
ranked
number
seven
hacker
security
researcher,
and
we're
very
excited
to
have
him
today
to
just
talk
about
all
things:
bug,
bounty
research,
talk
about
his
interactions
with
git
lab
and
learn
a
little
bit
about
what
goes
into
being
a
security
researcher
for
gitlab,
so
ricardo
very
nice
to
meet.
You
welcome.
A
Excellent
excellent,
before
we
jump
into
some
questions,
I
wanted
to
to
really
quickly
ask
you
in
your
blog,
you
mentioned
the
first
experience
you
had
with
gitlab
was
far
from
ideal,
but
after
that
first
report
you
started
reporting
more
and
get
lab,
has
significantly
improved
its
program.
Can
you
can
you
tell
us
a
little
bit
about
what
that
looks
like
and
then
we'll
then
we'll
dive
into
the
to
the
agenda.
B
Yeah
well,
then,
the
fact
is,
I've
contributed
to
git
club
for
years,
and
I
think
I
send
it
up
in
january
of
14.
So
a
lot
of
times
ago
and
gitlab
community
has
always
been
very
welcomed
and
you
have
some
open
source
or
advocates
that
help
community
being
up
to
speed
with
github
development
and
a
couple
of
years
ago
I
think
you
started
the
decker
one
program
and
at
the
beginning
and
the
beginning,
I
think
it
wasn't
up
to
the
level
of
the
next
at
the
the
rest
of
kit
club.
B
A
C
Yeah
thanks
thanks
ricardo
for
for
doing
this
ama.
So
my
first
question
would
be
when
I,
when
I
had
a
look
at
your
hacker
one
profile
before
this
ama,
I
figured
that
gitlab
is
pretty
much
the
only
bug.
Pointy
program,
you
at
least
publicly
participate
in.
So
how
come
that
and
are
we
such
an
easy
target
to
to
hack.
B
Thanks
for
the
question
that
is
indeed
a
a
very
good
question:
well,
no
you're,
not
an
easy
target.
Definitely
not!
Also,
since
you
have.
It
is
very
good
policy
nowadays
and
the
team
is
has
grown
a
lot.
It
is
becoming
harder
and
harder
finding
something
interesting
on
gitlab.
But
the
point
is
I'm
not
a
security
researcher
full-time,
so
I'm
a
solutions
architect
and
I
love
my
daily
job.
I
do
bug
bounties
in
my
free
time.
B
B
Usually
you
spend
a
lot
of
time
doing
recognition
and
trying
to
understand
how
the
target
works,
and
it's
not
something.
For
me.
I
I'm
I
I
get
bored
really
fast,
trying
to
learn
a
new
new
projects
or
new
programs.
I
do
not
usually
work
with
while
another
end
I've
contributed
to
heath
lab
and
in
my
daily
job
we
use
git
club
almost
every
hour.
So
I
know
git
club
very
well.
I
follow
its
development,
I
follow
the
news
and
so
on.
B
So
when
I
have
some
free
time-
and
I
want
to
do
some
back
bounties-
I
I
already
know
my
target
and
I
can
jump
straight
in
and
trying
to
arc
it.
So
this
is
why
you
see
a
lot
of
vulnerabilities
report
about
gitlab.
I've
also
done
some
reports
outside
gitlab,
but
again,
especially
against
things
I
use
daily.
So
I
don't
know
some
cloud
providers
or
rocker
one
itself,
but
they
are
not
public.
Unfortunately,
I
hope
I
respond.
I
replied
fully
to
your
question.
D
B
B
Of
course,
I
could
understand
that
for
a
lot
of
people
that
do
this
for
work,
that
the
money
revenue
is
more
important,
so
I
would
leave
it
as
an
option
for
for
for
the
researcher
another
small
thing.
I
note
that
nowadays
you
offer
a
gitlab
ultimate
license.
That
is
super,
but
is
only
for
self-hosted
installation,
and
I
don't
find
it
so
useful
because
then
you
have
to
generate
all
the
data
for
yourself.
So
one
thing
I
usually
target.
B
C
B
Yeah,
I'm
really
have
a
lot
of
fun
about
assess,
control
or
in
general,
about
kind
of
vulnerabilities
that
are
where
you
abuse
us
an
existing
system
to
do
something
that
wasn't
thought
about.
So
I
mean
there
are
a
lot
of
vulnerabilities
that
everybody
knows
that
they're
bad
and
like
an
xss
or
sqli
injection,
and
they
are
error
in
the
programmation
or
nowadays
they
are
they're
a
bit
rare
on
github.
Since
you
have
a
very
good
devops
cycle,
so
all
the
automatic
system
cache
them.
B
C
B
That's
an
interesting
question,
so
mainly
there
are
different
things
I
can
do
so
one
thing
usually
is
catching
up
with
all
the
latest
changes
you
have
deployed
or
latest
feature
I've
been
presented
and
for
this
is
very
useful.
Your
blog,
since
the
23
of
the
month,
you
deployed
the
new
version
and
you
have
a
long
blog
post
with
all
the
new
features
you
I
can
play
with
so
like
now,
and
these
last
few
months
I've
took
a
look
to
the
iteration.
B
So
now
you
can
collect
issue
by
iterations
is
a
very
useful
feature,
so
we
already
use
it
during
my
my
job.
We
use
for
planning
sprints,
so
I've
taken
a
look
if,
for
any
reason,
the
feature
itself
or
the
api
behind
it
like
graphql
or
rest
if
they
leak
some
data.
I
haven't
found
anything
so
far,
but
I
suppose
that
is
because
it
has
been
implemented
similar
to
the
milestone,
so
nothing
very
new.
B
Then
sometimes
I
take
a
look
to
the
source
code,
so
maybe
I
search
the
most
recent
merged,
merge
requests
or
just
going
around
to
some
modules
in
the
gitlab
code
base
and
the
other
thing.
I
have
a
list
of
small
issues
that
are
not
like
real
vulnerabilities,
just
some
issues
or
some
strange
behavior,
and
I
try
to
change
them
together
or
see.
If
I
can
chain
to
something
else,
to
find
an
explore.
C
C
B
The
feature
that
I
use
most
like
I've,
seen
that
some
some
reports
we
have
published
is
the.
There
are
some
issue
I
don't
know
in
the
package
repository,
but
I
don't
use
it
so
much
so
I've
never
took
the
time
to
go
to
to
try
to
arch
it.
So
again
is
more
is
more
about
what
I
already
know,
so
I
can
think
about
way
to
break
it.
A
B
B
So
that
was
fun,
but
I
think
my
favorite
one
was
about
having
access
to
to
some
stub
resource
of
a
group
after
you've
been
removed
from
the
group
so
again,
a
kind
of
issue
that
is
triggered
by
well-known
behavior,
but
you
have
a
some
side
effect
that
you,
you
are
not
aware
of
like
if
you
move
a
group,
a
project
from
one
group
to
another
group.
This
project
was
able
to
achieve
some
private
information
that
it
shouldn't
because
it
inherited
some
of
the
permission
from
the
previous
group.
B
A
B
Sometimes
sometimes
because
well,
the
gitlab
base
is
huge.
I
mean
loading
it
already
like.
I
use
ruby
mine
loading
it
on
my
pc.
That
is
a
good
pc.
It
still
takes
two
three
minutes
and
then
jumping
around
takes
a
lot
of
time,
but
sometimes
it's
useful.
I
actually
there
is
one
issue
that
I
found
just
looking
around.
A
B
Yeah
indeed,
we
haven't
talked
about
this.
Yet
so
I'm
not
a
pro.
I've
tried
some
of
the
tools
that
are
suggested
by
the
community.
Probably
the
most
known
is
the
barb
suite,
but
I
didn't
click
with
it,
of
course,
is
a
complex
project.
So
you
need
to
take
your
time
to
learn
it,
I'm
a
bit
lazy,
so
I
jump
at
it.
B
I
usually
use
firefox
because
the
developer
console
of
firefox
is
very
powerful,
especially
the
network
tab.
So
you
can
edit
your
request
on
the
flight.
You
can
copy
it
as
a
cool.
You
can
repeat
them,
so
I
use
the
console
of
firefox
a
lot
and
then
I
use
bash
or
so
cool,
especially
for
trying
to
reproduce
the
issue
outside
the
browser.
B
So
it's
easier
to
to,
indeed,
for
you
guys
to
reproduce
it
and
for
me
to
understand,
if
is
really
an
issue
or
is
something
that
that
has
been
triggered
by
some
strange
cache
or
something
on
the
browser
that
is
yeah.
That
is
like
not
a
proper
issue.
It's
just
something
that
has
been
cached
in
some
strange
ways.
A
Good
deal
I
that's
interesting
to
take
on
on
burp
suite.
I
I
I
don't
use
burp
suite
on
a
daily
basis
and
it
does
seem
that
every
time
I
open
it
and
spin
it
up,
it's
a
brand
new
application
and
I
have
to
go
through
the
whole
process
of
relearning
again.
So
I
understand
that
next
question
is
mine.
What
advice
would
you
give
to
someone
who's
looking
to
get
started
in
participating
in
a
formal
bug,
bounty
program.
B
I
I
think
that,
especially
if
you
read
on
twitter,
it
seems
that
everyone
finds
super
huge
vulnerabilities,
super
well
paid
and
so
on,
but
as
usual
who
talks
is
like
the
top
one
percent.
So
there
is
another
99
that
does
a
lot
of
work
and
obtains
less
or
not
so
much
so
per
server.
Go
on
continue
on
your
on
on
your
way,
of
course,
I
I
could
suggest
to
do
not
leave
your
daily
job
until
you
are
very,
very
good
at
doing
this,
because
it's
not
that
you
leave
your
job
and
bum.
A
D
B
B
B
I'm
not
really
sure
I
I'm
trying
to
thinking
if
there
is
something
I
do
outside
of
gitlab
yeah.
Well,
yeah
yeah,
the
the
to
do.
The
to-do
list
could
be
improved.
That
thing
at
the
moment.
You
can
only
add
to
those
from
some
of
the
elements
and
then
you
can
yeah.
I
don't
know
I
I
don't
use
the
to-do
list
so
much
because
I
feel
it
is
a
lot
of
noise
and
not
very
configurable,
but
I'm
not
really
sure
how
to
improve
it.
So
not
a
useful
feedback.
B
B
I
have
a
lot
of
colleagues
that
are
mathematicians
or
physicists,
so
very
smart
people
not
very
good,
maybe
with
computer
and
with
gitlab,
I'm
able
to
automatize
their
workflows,
so
they're
they're
able
to
work
on
the
black
magic
math
and
being
able
to
see
the
results
in
an
automatic
way.
I
really
like
that.
Gitlab
helps
me
a
lot
enabling
my
colleagues
to
do
their
work
as
they
should.
D
B
B
I
don't
know
if
it
has
been
already
enabled,
but
some
it
would
be
cool,
so
people
do
not
use
passwords
that
have
been
already
exposed
and
then
it
depends
on.
Where
do
you
deploy?
I
mean?
Keeping
something
secure
over
ws
is
something
totally
different
of
keeping
your
on-premise
application
secure.
So
a
lot
of
suggestions
are
also
about
how
you
manage.
I
don't
know
your
aim
role
over
aws
or
how
you
properly
backup
your
your
things.
If
they're
provisioned
locally
in
your
office.
D
E
B
E
Great
sounds
awesome,
so
my
question
for
you,
then,
is
for
the
second
time
I'm
only
going
to
ask
one
of
the
two,
but
what
I'm
most
interested
in
is
what
do
you
do
to
stay?
On
top
of
your
field
like
how
do
you
say,
educated
on,
like
the
latest
techniques
and
tactics
around
you
know,
pen,
testing,
red,
teaming
application
security,
those
types
of
things.
B
Well,
I'm
not
very
good
at
that.
To
be
honest,
since
it's
not
my
mainly
my
main
job,
I
usually
just
read
the
public
records
on
akira
one.
So
sometimes
I
have
five
free
time.
I
got
on
the
on
page
of
one
and
just
read
the
reports
to
see
maybe
new
techniques
or
to
understand
a
new
kind
of
attacks.
That
is
quite
useful
also
for
my
daily
job,
because
again
you
have
to
keep
your
infrastructure
safe.
B
So
last
year
there
were,
there
were
a
lot
of
talking
about
the
http
smuggling
with
the
the
sync
of
proxy.
So
if
you
had
a
load
balancer
in
front
of
your
proxy,
you
can
desync
request.
That
was
very
interesting
and
I
learned
about
it
on
aker1
when
they
first
published
the
first
report
and
paper
around
it,
then
I
use
a
bit
of
twitter.
B
There
are
a
lot
of
interesting
people
over
there,
a
bit
too
much
drama.
So
don't
follow
me
on
twitter.
I
don't
tweet
much.
I
don't
like
the
community
very
much
on
twitter,
but
there
are
some
people
that
are
very
interesting
and
reading
occur.
News
again,
don't
comment.
I
don't
comment
much,
but
I
think
there
are
a
lot
of
interesting
takes
if
you
can
stand
all
the
all
the
not
politics
but
all
the
trolling
around
and
on
the
empty
discussion.
B
B
So
my
very
first,
for
just
me,
was
a
denisperian
6000.
So
is
that
the
laptop
that
you
see
a
lot
around
in
all
the
movies,
the
tv
series
and
and
so
on,
is
a
great
deal
with
two
white
strips,
but
before
that
my
father
had
some
del
attitude
back
in
the
90s,
but
I've
not
been
a
magic
kid
with
species.
I've
started
picking
up
only
at
the
beginning
of
high
school,
actually.
D
B
A
Excellent
ricardo.
Thank
you
so
much
for
your
time
today.
We
really
appreciate
you
spending
this
time
chatting
with
us.
We
really
appreciate
your
efforts
to
help
us
secure
gitlab.
Certainly
you
are
making
a
big
impact
here
at
gitlab
and
we
appreciate
that
also
for
everyone
else.
Listening
and
watching
check
out
ricardo's
gitlab
profile.
He
has
some
really
interesting
projects
going
on
in
there
if,
if
some
time
allows
at
a
future
point
ricardo,
I'd
love
to
hear
about
some
of
these
as
well.