David Sopas joined the Cobalt.io platform as a security researcher approximately 6 months back. Since then he has quickly gained traction, which recently resulted in the no. 1 spot on the Cobalt Hall of Fame. We interviewed David, to get more insight to his background, his view on bug bounty programs, as well as his future goals.
What is your background, and how did you get into security? My background is in programming. I started coding at a very young age, reading books on Basic and C. These were my first coding languages. At school I started on Pascal, C++, and Visual Basic. In my free time I joined some programming and OS groups, where I started playing with Linux and Python.
Security appeared as a natural development of my programming career. To code, you need to make it secure. I started joining IRC channels in the US and Portugal, as well as playing the game — this was in 1999. After a while I was writing my own security tools and publishing security advisories on Bugtraq and Secunia. Now I have more than 10 years of professional security experience, and I hope to keep it going.
How did you get interested in bug bounty programs? I think it was because I wanted to improve my security skills. In this field, you need to be constantly learning. I remember my first bounty — $200 and I was very happy that day. I thought I could make good bucks and also learn from it. It’s a win-win situation.
What is the coolest vulnerability you have found (and can publicly talk about)? I would say a vulnerability I found on the RunKeeper website. Combining a CSRF and a persistent XSS, I was able to demonstrate how a malicious user could run an XSS worm — like Samy Kamkar did on MySpace — and infect millions of RunKeeper users. It was a pretty cool finding. It was fixed very fast. The latest Reflected Filename Download findings on eBay and Desk were also a challenge. Finding this type of vulnerability on these top sites is also important to protect users and to test how big companies deal with security.
What do you expect from a business running a bug bounty for you to participate? Respect, understanding, and a moderate fixing timeline — max 60 days. A security researcher participating in a bug bounty spends a lot of time and effort, and sometimes businesses take too long to reply or even to fix a vulnerability that can cause millions in losses for the company.
Do you have any advice for researchers considering getting into bug bounty programs? Yes of course. Think outside the box. Look where others don’t look. Most of my current success comes from vulnerabilities where sometimes I get replies like — “How do you do that?” or “We thought it was patched…”.
Also, you can learn a lot from other researchers. Don’t be afraid to ask. Sometimes you might get flamed or trolled, but there are always good guys that can give you nice tips and indicate the right path to follow.
You recently became no. 1 on the Cobalt Hall of Fame, congrats. What is your next goal? Thanks! It wasn’t easy, you know? My next goal is to reach 1000 points and to stay in the Top 3. It will not be easy because there are many strong researchers at Cobalt, but I’ll do my best.
2 days after this interview David reached the 1000 rep point goal, and when he was asked about his new target his answer was: “I guess 2000 ☺ right?”
For more info on David, check out: www.davidsopas.com