Bugcrowd Blog

Bugcrowd Security Researcher Interview - Phani

Posted by Bugcrowd on Apr 1, 2014 1:13:31 PM

Bugcrowd had the chance to interview Achanta Sathya Phani BapiRaju, one of our friendly security researchers who is currently ranked 43rd on the top 100 leaderboard!


Interested in joining Bugcrowd as a security researcher and participating in our bug bounties? Sign up and start hacking!

Want to learn more about how the top 100 and our security researchers can secure your app? Take our quick tour today.

How did you end up in the bug hunting business?
I entered the world of bug hunting to test and improve my security skills. My first bug bounty was with Bugcrowd. I love finding bugs... it could be a functional, logical or security bug. It doesn't matter which. Finding bugs is my passion.


What's the most memorable bug you've discovered?
My most memorable bugs are SQL injection, XSS (stored XSS and client-side XSS) and the TLS CRIME vulnerability. In a *confidential* application I reported XSS bugs in multiple areas. I enjoyed that hunt :). Subsequently I have found bugs in three web apps which, before I reported them, made them vulnerable to cyber crime.


What do you like about bug bounties?
I love bug bounties, and the reason is very simple: we are appreciated, we can receive bounties, and we get publicity in Halls of Fame!

Appreciated: This encourages me to find more bugs.
Bounties (Money): This gives me extra income.
Hall Of Fame: When we get listed in a Hall of Fame our resumes become more substantial and it makes us stand out as experts.

Bug bounty programs enhance my bug-finding techniques. Want to test your skills? Then take part in bug bounty programs. It will tell you where you stand currently and it will also help in improving your skillset.

Lastly, it is important that unknown exploits, i.e. zero-day exploits, do not end up being used by cyber criminals. This is what makes good programmers and computer experts: as you come across unique problems you have to find new solutions and add them to your skills.


There are a lot of bug bounties out there… If there was one thing you could suggest to improve the way bug bounties are run, what would it be?
If we look at it from a tester's/researcher's side, it's frustrating and a disappointment when we submit a duplicate. When I reported a security bug for one reputable web application they said "Someone else reported this issue earlier". If the fix takes that long, then I wonder why they don't provide a temporary solution for it.

I feel Bugcrowd does a great job. For all duplicate bugs, Bugcrowd gives "Kudos Points" as a token of appreciation, which I really like. Thank you! :) It boosts your profile points, and shows the world you are a good security professional submitting valid bugs.


What methodology do you use when participating in a bug bounty?
Usually I follow the OWASP Testing Methodology (OWASP Top 10) in my daily work.
By the time Bugcrowd bounties kick off we will not have much time to follow any specific testing methodology, and moreover we are not alone in testing the target: other researchers across the globe will test it too. So create your own checklist including the OWASP Top 10 and SANS Top 25 and find the low-hanging fruit in the list. The reason is simple: any bug bounty program will follow the "FCFS" rule, i.e. First Come, First Served.


Thank you Phani for being interviewed for the blog! :D