Cybersecurity

Winner of $70k Google bug bounty shares his approach

The bounty was awarded after David Schütz’s report led to a patch.

Francis Scialabba


Bug-bounty hunter David Schütz recently made news when he raked in a $70,000 reward from Google after finding that anyone with physical access and a SIM card could bypass the lock screen on all Pixel phones and possibly some other Android models.

It’s the biggest bounty Schütz has earned, but by no means the first—he’s previously hunted down flaws in Google’s common JavaScript library and uncovered multiple ways to steal private YouTube videos (including by pretending to be a TV). Google initially classified the Pixel bug as a duplicate, but eventually gave Schütz the $70k reward because his report actually spurred a November 5 patch.

Schütz took the time to talk to IT Brew from Hungary to discuss his bug discovery process, competing for bounties, and his advice for aspiring bounty hunters.

This interview has been edited for length and clarity.

As you mentioned in your blog post, a bug bounty going from valuable to worthless is actually pretty common. How often does that happen?

Well, not that often. But it happens because duplicates sometimes get indicated in bug bounties. Especially if you’re reporting something that other people can more easily find, some sort of low-hanging thing. Also, sometimes the program doesn’t really accept it because they say that it’s not a vulnerability, or it’s intended or something like that, or it’s out of scope.

For example, Google is one of the best programs out there—they are pretty professional. If you go deep enough into a Google product, and you find a vulnerability there that is complex, there is a very low chance of it being duplicated by somebody else. But on some other platforms, like HackerOne and Bugcrowd, there are sometimes private programs [where] a new company joins in, and then a bunch of people go to the new program because it’s brand new and it usually has a lot more vulnerabilities [that are] easier to find. And then people go at it, and you can get duped in minutes.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Can you describe your process?

I think you have to get familiar with the rules of how the systems usually work. Like, if you’re testing web applications, then you are familiar with how their applications work, what is the environment that they are inside of, and what sort of vulnerabilities there are—common web vulnerabilities. And if you have all of these in your head, then you can just start exploring…Once you understand it in a deep way, then you could basically naturally think about hacking it.

What kind of advice do you have for aspiring bug bounty hunters?

What I usually [say] when talking about this Android bug is just the actual possibility of doing bug bounty. Because that’s something that’s such a rare opportunity to have a place where, without any requirements or any sort of formal education, and [not] knowing anybody really, you can send in a bug, no matter who you are, and can get paid and can get something fixed in a scale of like billion-user products.

Get familiar with the rules of the game, with the rules of the systems that you’re trying to hack. It all comes down to understanding. Snowden said it, I think, best in his book...hacking is basically just understanding the systems better than the people who created it. And exploiting the distance that you gained. You understand it more than the developers, and that way you can make it do stuff the developers didn’t expect it to do. And that’s hacking.—TM
