Description
We chat with bug bounty hunter Riccardo Padovani about his approach to bug hunting, why he hunts on our platform and which is his favorite vulnerability to hunt.
* See Riccardo on HackerOne: https://hackerone.com/rpadovani
* Read our blog interview with Riccardo: https://about.gitlab.com/blog/2020/11/10/rpadovani-ask-a-hacker/
* See our AMA playlist: https://www.youtube.com/playlist?list=PL05JrBw4t0Kqvvpk9PmRO6fZ0xmnKBp_s
A: All right, hello everyone. We are here today speaking with Riccardo Padovani, a GitLab Hero and HackerOne ranked number seven hacker and security researcher, and we're very excited to have him today to just talk about all things bug bounty research, talk about his interactions with GitLab and learn a little bit about what goes into being a security researcher for GitLab. So Riccardo, very nice to meet you. Welcome.
A: Excellent, excellent. Before we jump into some questions, I wanted to really quickly ask you: in your blog, you mentioned the first experience you had with GitLab was far from ideal, but after that first report you started reporting more, and GitLab has significantly improved its program. Can you tell us a little bit about what that looks like, and then we'll dive into the agenda.
B: Yeah, well, the fact is, I've contributed to GitLab for years, and I think I signed up in January of '14. So a long time ago, and the GitLab community has always been very welcoming, and you have some open source advocates that help the community be up to speed with GitLab development. And a couple of years ago I think you started the HackerOne program, and at the beginning, I think it wasn't up to the level of the rest of GitLab.
B: So probably in the first days there wasn't much communication with researchers. Probably you were a bit overwhelmed by all the reports and so on.
A: Excellent. Well, certainly your efforts have helped us improve it, with the 27 total reports that you've sent to us. So thank you. Thank you very much for that; we appreciate your efforts. Great, well, let's jump right into the agenda and questions. Jan, you have the very first one.
C: Yeah, thanks, thanks Riccardo for doing this AMA. So my first question would be: when I had a look at your HackerOne profile before this AMA, I figured that GitLab is pretty much the only bug bounty program you at least publicly participate in. So how come, and are we such an easy target to hack?
B: Thanks for the question, that is indeed a very good question. Well, no, you're not an easy target. Definitely not! Also, since you have a very good policy nowadays and the team has grown a lot, it is becoming harder and harder finding something interesting on GitLab. But the point is I'm not a security researcher full-time, so I'm a solutions architect and I love my daily job. I do bug bounties in my free time.
B: Usually you spend a lot of time doing reconnaissance and trying to understand how the target works, and it's not something for me. I get bored really fast trying to learn new projects or new programs I do not usually work with, while on the other hand I've contributed to GitLab, and in my daily job we use GitLab almost every hour. So I know GitLab very well. I follow its development, I follow the news and so on.
B: So when I have some free time and I want to do some bug bounties, I already know my target and I can jump straight in and try to hack it. So this is why you see a lot of vulnerability reports about GitLab. I've also done some reports outside GitLab, but again, especially against things I use daily. So, I don't know, some cloud providers or HackerOne itself, but they are not public, unfortunately. I hope I replied fully to your question.
D: Hi Riccardo, thanks for taking the time to answer all of our questions. My question is: is there anything you'd like to see change about our current bug bounty program or policy?
B: Thanks for the question, and thanks for having worked so hard with HackerOne. I think you have replied to a lot of my efforts, actually since the beginning, so I really appreciate that, the GitLab program over HackerOne.
B: Nowadays, I think you can have probably some swag that is branded by GitLab Security or GitLab HackerOne, something like that. At least for me, for some kind of bugs, since it's not my main source of income, I would be happier about some special gift instead of just a little amount of money, because it's not so important for me.
B: Of course, I can understand that for a lot of people that do this for work, the money revenue is more important, so I would leave it as an option for the researcher. Another small thing: I note that nowadays you offer a GitLab Ultimate license. That is super, but it is only for self-hosted installations, and I don't find it so useful, because then you have to generate all the data for yourself. So one thing I usually target...
B: I mean, I suppose targeting gitlab.com is a bit easier, because there is already a lot of data you can adjust to, while if you have your own instance, generating it, since there are a lot of features, it's super hard using all of them or generating real data for all of them, especially because I think a lot of the usage of the features is about interaction between different groups or different reports.
D: A lot of good ideas, thank you, Riccardo. Next is Andrew.
C: Hey Riccardo, it's nice to meet you! It's always been great to work with you on HackerOne. My question is: what kinds of vulnerabilities do you most enjoy looking for and finding?
B: Yeah, I really have a lot of fun with access control, or in general with the kind of vulnerabilities where you abuse an existing system to do something that wasn't thought about. So I mean there are a lot of vulnerabilities that everybody knows are bad, like an XSS or SQL injection, and they are errors in the programming, or nowadays they're a bit rare on GitLab, since you have a very good DevOps cycle, so all the automatic systems catch them.
B: I prefer thinking about maybe logical errors, so you implemented a new feature and there is a side effect that, chained with another side effect of another feature, is exploitable, and so it's like a hard riddle or a puzzle, and this is the kind of issue I enjoy most looking for.
A: Dominic, looks like you have the next question.
C: Yeah, hello Riccardo. I was wondering, let's say you're planning to hack GitLab this weekend. You have a free weekend, nothing else planned. Well, how do you start? What do you do? How do you target GitLab?
B: That's an interesting question. So mainly there are different things I can do. One thing usually is catching up with all the latest changes you have deployed or the latest features that have been presented, and for this your blog is very useful, since on the 23rd of the month you deploy the new version and you have a long blog post with all the new features I can play with. So like now, and these last few months, I've taken a look at the iterations.
B: So now you can collect issues by iterations; it's a very useful feature, so we already use it during my job. We use it for planning sprints, so I've taken a look if, for any reason, the feature itself or the API behind it, like GraphQL or REST, leaks some data. I haven't found anything so far, but I suppose that is because it has been implemented similar to the milestones, so nothing very new.
B: Then sometimes I take a look at the source code, so maybe I search the most recently merged merge requests, or just go around some modules in the GitLab code base. And the other thing: I have a list of small issues that are not like real vulnerabilities, just some issues or some strange behavior, and I try to chain them together, or see if I can chain them to something else to find an exploit.
B: The feature that I use most... like I've seen that some reports we have published are... there are some issues, I don't know, in the package repository, but I don't use it so much, so I've never taken the time to go and try to hack it. So again, it's more about what I already know, so I can think about ways to break it.
A: Thank you, Dominic. Next question is from Dhiraj. Do we have Dhiraj on the call today? Doesn't look like it. Okay, the question is: among all the bugs you found, what is your favorite or most interesting one?
B: So, well, I had a lot of fun last year with the Elasticsearch integration issues. I think I reported six issues in one month, and they were high and medium severity.
B: So that was fun, but I think my favorite one was about having access to some sub-resource of a group after you've been removed from the group. So again, a kind of issue that is triggered by well-known behavior, but you have some side effect that you are not aware of, like if you move a project from one group to another group. This project was able to access some private information that it shouldn't, because it inherited some of the permissions from the previous group.
A: Excellent, that's a cool one! That's a good one! Dhiraj has a couple more questions. Next one here: do you familiarize yourself with the code base before and during the hunt?
B: Sometimes, sometimes, because, well, the GitLab code base is huge. I mean, loading it already... like, I use RubyMine; loading it on my PC, that is a good PC, still takes two, three minutes, and then jumping around takes a lot of time, but sometimes it's useful. Actually, there is one issue that I found just looking around.
B: That could be easy because I'd found one issue, it was confirmed, and then I took the time to understand what caused the issue, and everything that the function that was problematic was called from, also other parts of the code base. And so I was able to find this new issue that wasn't a duplicate, because the fix you made wasn't in the real problem but was a bit higher up, so I was able to call the same function from another point of the code base and reproduce the same issue again.
A: Excellent. Surely our code base is very, very complicated, and that would be time consuming, but certainly useful for the hunt. And one more question from Dhiraj: can you expand on the tools that you use during your process?
B: Yeah, indeed, we haven't talked about this yet. So I'm not a pro. I've tried some of the tools that are suggested by the community. Probably the most known is the Burp Suite, but I didn't click with it. Of course, it is a complex project, so you need to take your time to learn it. I'm a bit lazy, so I jump at it.
B: I usually use Firefox, because the developer console of Firefox is very powerful, especially the network tab. So you can edit your request on the fly, you can copy it as a curl, you can repeat them, so I use the console of Firefox a lot, and then I use bash or curl, especially for trying to reproduce the issue outside the browser.
B: So it's easier, indeed, for you guys to reproduce it, and for me to understand if it is really an issue or it is something that has been triggered by some strange cache or something on the browser, that is, yeah, not a proper issue. It's just something that has been cached in some strange way.
A: Good deal. That's an interesting take on Burp Suite. I don't use Burp Suite on a daily basis, and it does seem that every time I open it and spin it up, it's a brand new application and I have to go through the whole process of relearning again. So I understand that. Next question is mine: what advice would you give to someone who's looking to get started in participating in a formal bug bounty program?
B: I think it's very important to have some place where you can just go and read what you have already done, or some interesting findings that you've done previously, seen previously, since you do not work, or you do not talk, all together, but usually you go over days or different nights, or maybe one month later you go back to a target. It's important to have well-written, well-ordered notes. And yeah, and it's not easy.
B: So don't feel bad if you don't find anything at the beginning. It takes time, it takes a bit of luck as well.
B: I think that, especially if you read on Twitter, it seems that everyone finds super huge vulnerabilities, super well paid, and so on, but as usual, who talks is like the top one percent. So there is another 99 that does a lot of work and obtains less, or not so much. So persevere, go on, continue on your way. Of course, I could suggest to not leave your daily job until you are very, very good at doing this, because it's not that you leave your job and boom.
A: That is great advice, especially the latter bit of that. Thank you for that. Ethan, you have the next question.
B: I like also the wiki, especially the fact that the wiki itself of a project is a git repository itself. So it's easy to clone the wiki and work offline on the weekend and push it again. That's a great feature. I use it quite often. Which features I would like to have that are missing?
B: I'm not really sure. I'm trying to think if there is something I do outside of GitLab. Yeah, well, yeah, the to-do list could be improved. That thing, at the moment, you can only add to-dos from some of the elements and then you can... yeah, I don't know. I don't use the to-do list so much, because I feel it is a lot of noise and not very configurable, but I'm not really sure how to improve it. So not a useful feedback.
B: And I really like the things that you're moving a lot of the DevOps cycle inside GitLab. So now you have this Terraform image for managing Terraform, and you can store the Terraform state inside GitLab. That, for me, is amazing. So we are a data science company.
B: I have a lot of colleagues that are mathematicians or physicists, so very smart people, maybe not very good with computers, and with GitLab I'm able to automate their workflows, so they're able to work on the black magic math and be able to see the results in an automatic way. I really like that. GitLab helps me a lot enabling my colleagues to do their work as they should.
B: I don't know if it has been already enabled, but it would be cool so people do not use passwords that have been already exposed. And then it depends on where you deploy, I mean. Keeping something secure over AWS is something totally different from keeping your on-premise application secure. So a lot of suggestions are also about how you manage, I don't know, your IAM role over AWS, or how you properly back up your things if they're provisioned locally in your office.
E: My turn. Hey Riccardo, thanks for being here, appreciate it. I've been excited about having you on this AMA with us. Before I ask my question, I wanna know: what do you do when you're not breaking GitLab? What do you do for fun?
B: Okay, so I live in Germany, and having beer with friends is the national sport here, so yeah, that's one. I like hiking, so I live in Munich, which is near the Alps. I like going to the lakes and hiking. Yeah, friends and free time is, yeah, something not too complicated. Just hiking, climbing.
E: Sounds great, sounds awesome. So my question for you, then, is... for the second time I'm only going to ask one of the two, but what I'm most interested in is: what do you do to stay on top of your field? Like, how do you stay educated on, like, the latest techniques and tactics around, you know, pen testing, red teaming, application security, those types of things?
B: Well, I'm not very good at that, to be honest, since it's not my main job. I usually just read the public reports on HackerOne. So sometimes, when I have five minutes of free time, I go on the page of HackerOne and just read the reports to see maybe new techniques, or to understand a new kind of attack. That is quite useful also for my daily job, because again you have to keep your infrastructure safe.
B: So last year there was a lot of talking about HTTP smuggling with the desync of proxies. So if you had a load balancer in front of your proxy, you can desync requests. That was very interesting, and I learned about it on HackerOne when they first published the first report and paper around it. Then I use a bit of Twitter.
B: There are a lot of interesting people over there, a bit too much drama. So don't follow me on Twitter; I don't tweet much. I don't like the community very much on Twitter, but there are some people that are very interesting. And reading Hacker News, again, I don't comment much, but I think there are a lot of interesting takes if you can stand all the... not politics, but all the trolling around and the empty discussion.
E: I love it. Thanks Riccardo. Heather, you're up.
B: So my very first, just for me, was a Dell Inspiron 6000. So it's the laptop that you see a lot around in all the movies, the TV series and so on; it's a great deal with two white strips. But before that my father had some Dell Latitude back in the 90s, but I've not been a magic kid with PCs. I've started picking it up only at the beginning of high school, actually.
D: Fantastic, I think we're good. I added one other question in there about if you had any questions for our team, but I know that we're at the top of our time here.
B: Well, thanks for your time. I hope you enjoy running the HackerOne program. Also, if I can imagine, there are, I don't know, a lot of low-quality reports, or the participants of the HackerOne program are high quality.
A: Excellent, Riccardo. Thank you so much for your time today. We really appreciate you spending this time chatting with us. We really appreciate your efforts to help us secure GitLab. Certainly you are making a big impact here at GitLab, and we appreciate that. Also, for everyone else listening and watching, check out Riccardo's GitLab profile. He has some really interesting projects going on in there. If time allows at a future point, Riccardo, I'd love to hear about some of these as well.
A: Great. Again, thank you so much for your time. We really appreciate it. Have a good rest of your day.