Interview with David Sopas (Dsopas)

Julie Kuhrt
David Sopas joined the Cobalt.io platform as a security researcher approximately six months ago. Since then he has quickly gained traction, which recently earned him the no. 1 spot on the Cobalt Hall of Fame. We interviewed David to get more insight into his background, his view on bug bounty programs, and his future goals.

What is your background, and how did you get into security? My background is in programming. I started coding at a very young age, reading books on BASIC and C. These were my first programming languages. At school I started on Pascal, C++, and Visual Basic. In my free time I joined some programming and OS groups, where I started playing with Linux and Python.

Security came as a natural development of my programming career. When you code, you need to make it secure. I started joining IRC channels in the US and Portugal, and started playing the game; this was in 1999. After a while I was writing my own security tools and publishing security advisories on Bugtraq and Secunia. Now I have more than 10 years of professional security experience, and I hope to keep it going.

How did you get interested in bug bounty programs? I think it was because I wanted to improve my security skills. In this field you need to be constantly learning. I remember my first bounty: $200, and I was very happy that day. I thought I could make good bucks and also learn from it. It's a win-win situation.

What is the coolest vulnerability you have found (and can publicly talk about)? I would say a vulnerability I found on the RunKeeper website. By combining a CSRF and a persistent XSS, I was able to demonstrate how a malicious user could run an XSS worm, like Samy Kamkar did on MySpace, and infect millions of RunKeeper users. It was a pretty cool finding, and it was fixed very fast. The recent Reflected File Download findings on eBay and Desk were also a challenge. Finding this type of vulnerability on top sites is important both to protect users and to test how big companies deal with security.

What do you expect from a business running a bug bounty for you to participate? Respect, understanding, and a moderate fixing timeline, max 60 days. A security researcher participating in a bug bounty spends a lot of time and effort, and sometimes businesses take too long to reply or even to fix a vulnerability that could cause millions in losses for the company.

Do you have any advice for researchers considering getting into bug bounty programs? Yes, of course. Think outside the box. Look where others don't look. Most of my current success comes from vulnerabilities where I sometimes get replies like "How did you do that?" or "We thought it was patched...".

Also, you can learn a lot from other researchers. Don’t be afraid to ask. Sometimes you might get flamed or trolled, but there are always good guys that can give you nice tips and indicate the right path to follow.

You recently became no. 1 on the Cobalt Hall of Fame, congrats. What is your next goal? Thanks! It wasn't easy, you know? My next goal is to reach 1000 points and to stay in the Top 3. It will not be easy, because there are many strong researchers at Cobalt, but I'll do my best.

Two days after this interview David reached the 1000 rep point goal, and when he was asked about his new target his answer was: "I guess 2000 ☺, right?"

For more info on David, check out: www.davidsopas.com
