In his quest to get to know the hacking community, Chris van ‘t Hof decides to interview a number of hackers. Jorik Berkepas is the third bug hunter in this series.
Jorik Berkepas studied Computer Science at a university of applied sciences, is a certified Scrum Master and has been working as a developer for Embrace Social Business Software. When his employer started a bug bounty program with Zerocopter, Jorik saw how hackers found all sorts of errors in their software. He decided that he was capable of doing just that, registered at the chamber of commerce as a self-employed security researcher and started bug hunting alongside his day job. Not only for Zerocopter, but also for other platforms. In the meantime he has a considerable number of reports to his credit: 200 via Zerocopter, 35 via the Belgian Intigriti platform and a number of reports via HackerOne and the French platform Yogosha. Does he see differences between Dutch and Belgian bug bounty programs? The Netherlands is, after all, a front runner as far as responsible disclosure is concerned. Jorik: “Not at all. Belgians perform just as well, if not better. A lot of thought goes into following up on reports and they understand that manpower is necessary to do so.”
In daily practice he sees that reports are not always dealt with properly. Jorik: “Bug hunting is not very motivating as far as your faith in humanity is concerned, but it does work wonders for your self-confidence. There are so many small mistakes out there. For example XSS. Easy to solve but there’s always one that slips through. When that happens you can enter the JavaScript code on the website, take over the user’s side and execute the code as another user. Depending on the time and creativity you have at your disposal, there’s a lot you can do with that.
The severity of the vulnerability depends on its location. Each time is different and that’s also why you keep learning new things. It’s all about targeted research. Most companies use pen tests to discover issues and then solve them in two spots whilst leaving the other twenty. There are others who just hope you’ll find nothing, because they are not set up to fix anything. Which means that six months down the line, you’ll still see the same bug.”
What’s your favorite hacking technique?
“First you start with the common vulnerabilities that have the highest bounties. Not the 50 Euro ones, but those of 1.000 Euros. Many sites contain an IDOR (Insecure Direct Object Reference). If you change, for example, one number in the URL of your invoice, you get to the one of your neighbors. Which means that all of a sudden sensitive data is out on the street. Often I dive into the JavaScript code that a site sends along to see if I can find anything interesting. My advantage is that I read code every day which makes it more likely for me to find stuff.”
Can you combine bug hunting with your job as a developer?
“Well, my girlfriend isn’t happy with it. Starting at 8pm thinking I’ve almost discovered the bug and before you know it it’s 12pm. But it does pay well. Findings range from 50 to 1.000 Euros. The highest I had so far was 2.500 Euros for half an hour’s work. That’s nice. But you can also spend a day on a program and not find anything. Or report a bug that has just been found by someone else. Once I was able to trace identity papers of passengers on the site of an airline. That meant a big bounty. Unfortunately, just before I reported this, someone else did. Two days of work for nothing.” Hâck the Hague 2019 was another instance where he won prizes: third prize in the Most Impactful Hack category (500 Euros) and second in Most Sophisticated Hack (1.000 Euros).
The biggest reward, however, is that bug hunting teaches Jorik a lot for his work as a developer. “Being active in bug bounties has considerably increased my sense of security in software development. This allows me to discover security issues in new parts of the software almost immediately. It also works the other way. Being a developer means that I can look at parts of code, reason which problems might arise, find these issues and prevent them from happening. It also helps to keep my colleagues focused. So if you are a software developer, do get into bug bounty.”