We recently chatted with Thanh "yeuchimse" Nguyen because of his success in Twilio's bounty program. Thanh is ranked 132nd on Bugcrowd's all-time Hall of Fame, with a 100% bug acceptance rate and an average priority rating of 2.95 over 43 bugs.
Follow Thanh on Twitter: @yeuchimse
Take us back to your early days: what got you started with technology?
One time I brought my computer to a repair shop and afterwards I found out they had changed one of my RAM sticks. I started learning IT from that time on.
How did you get started in security research?
I have participated in a reverse-engineering online forum since 2006, just out of curiosity; thereafter some of my friends asked me to join their CTF team. I love everything about technology in general and I want to challenge myself in as many fields as possible. If I find myself suited to a field then I will follow it for a long time.
How long have you been doing bug bounty work?
I have been doing bug bounty work seriously for half a year now, though not regularly. Before that I was doing penetration testing for fun without any goals, and I was not very confident.
Why do you hack on bug bounties?
Basically, I like doing this the same way I like playing CTFs. One interesting thing with bug bounties is that someone will pay for what I am doing. Some CTF events bring you prizes and awards if you are playing for top teams; however, it is not easy. There are more opportunities in bug bounties though: experts focus on serious vulnerabilities while beginners start with basic security holes.
Before participating in bug bounty programs (BBP), I thought CTFs were just theoretical problems which never happen in the real world. I recognized I was wrong. Bug bounties give me chances to apply practical things I've learned from CTFs and online write-ups, as well as new attack ideas. Moreover, in bug bounties you deal with a real target, so I have a clear vision of the software security I am working on in my daily life. There is no absolute security, and even big corporations have basic security holes.
Do you have a specific security focus or specialty that you tend to spend your time on?
Even though I report every bug I find, I often focus on vulnerabilities which have dangerous effects and which an adversary would be able to exploit with high impact. For instance logical bugs, IDOR, or read/write/execution vulnerabilities.
What motivates you to do what you do? What keeps you going?
My job is information security, and bug bounty helps me very much. I have learned many new techniques and summarized the usual weak points in applications. And it's awesome that I can earn some extra money. Besides, some company responses make me feel they respect my work, and that pushes me to contribute more to the community.
Any tips or suggestions that you would give to other bounty hunters?
I used to think that there were no vulnerabilities left when I joined bug bounties late. You know, many experts have been participating for years, and if there is something left for a beginner like me to hunt, then why not others?
Even so, I still tried and actually found two bugs. Unfortunately, neither of them was eligible. The first one was marked as Duplicate (of a bug reported 6 months earlier), while the other was marked as Won't Fix along with the comment: "This is a very obscure attack path". After all that, I really just wanted to give up.
However, one day when I found some P1 / P2 bugs in Twilio's BBP, I thought that I should change my mind. Day by day, a lot of new code is written and many new features are added to every piece of software, and all these changes can have bugs. That could be an advantage for you, since other researchers have moved on to newer programs. Moreover, if you regularly read the news, you would know that there are many software vulnerabilities that have existed for decades and were only recently discovered. So the chance that you find a bug not only depends on who comes earlier; it also depends on the ability and the luck of each researcher. So be confident and try your best.
Where do you think bug bounties are going in the future?
In my opinion, if you are developing a serious product, the cost of running a BBP is always cheaper than what you lose when your product is hacked. So, I think there will be more and more companies participating in bug bounties, as well as more and more people getting involved in bug hunting. This is definitely a win-win game for everyone.
I also think that bug bounty platforms such as Bugcrowd, HackerOne, Cobalt... will prevail, since many companies do not have much experience in running a BBP, and their self-managed programs are potentially risky and might lead to unprofessional decisions. It's better for everyone to do what they do best.
Where do you hope to be two years from now?
I do not have a big goal for my career; I just follow what I like, with the hope that my work will be a bit useful to the community. Two years from now, what I want most is to become the father of a lovely girl, and to have more time for my family.