
Episode 34 - marco hextor

bountyhunt3rz: life on the blockchain
164 plays · 8 days ago

Marco and riptide discuss how difficult it is to get paid hunting bugs, publishing on your terms, getting ghosted for months on end, bear market bounty hunting thoughts, disclosures, BB arbitration, how Marco looks like Kane from C&C, and much, much more...

Transcript

The Role of Music and Nostalgia

00:00:06
riptide
Oh yeah, life on the blockchain.
00:00:10
Marco
ah but that there
00:00:14
riptide
ah
00:00:14
Marco
I know I'm not the first one to tell this, but yes, the entrance, I mean, it rocks.
00:00:22
riptide
This is pre-AI entrance music right there. And it's proven that your testosterone spikes by like 50 points right when you hear that bad boy.
00:00:37
riptide
Oh man. Dude, do I have you here? What's going on? Are you still there, Marco?
00:00:45
Marco
Yes, yes, I'm here.
00:00:46
riptide
Oh, okay. You were in and out. I thought you were on the moon or something.
00:00:48
Marco
Yes.
00:00:49
riptide
Okay, cool. Dude, I gotta say, and this is, if people are not familiar with you, and if they're as old as me, and I'm gonna get like two laughs in the audience when they listen to this right now, because it's mostly younger guys, but...
00:01:07
riptide
Let's flash back to the 90s. Command and Conquer.
00:01:12
Marco
Yes.
00:01:13
riptide
Command and Conquer. There's a villain and his name is Kane.
00:01:17
Marco
Oh,
00:01:20
riptide
And your profile pic looks exactly like
00:01:26
Marco
Yeah. You know, I think you mentioned this to me in Bulgaria and... I think it was Bugatti, yes, and I had to look that up because I didn't know the character, so yeah.

Balancing Digital and Real Life

00:01:42
riptide
Hey, for the picture for this episode, instead of your PFP, I should put the Kane face and no one will notice.
00:01:53
Marco
Your choice, man. If you can also change my voice to Johnny Bravo's voice, please.
00:02:02
riptide
No, man. If people don't know Marco, he's the king of the blockchain. He just plays it down. He doesn't get on Twitter for months at a time just because he's so deep in all his bug submissions, but he's a real OG out there. So very nice to have you on the podcast today, sir.
00:02:21
Marco
Thank you, Ben. That's a little bit much, but yes, thank you so much. Yes, I'm flattered. And well, I've been months out of Twitter and most of the time I was taking care of real life things. And sometimes I just go to take care of my farm things and chickens and soil and things like that. So yeah, I was not so deep into the bugs, but...
00:02:51
Marco
In a way, I think that helps me a lot. And I'm pretty sure every auditor or bug hunter out there kind of has his own rituals, in which you are out of the computer, out of anything digital mostly, looking at the beach, doing something cool and just thinking about how could I hack that.
00:03:18
Marco
So, yeah. I'm not... I've never... Unfortunately, I'm condemned to this, and I'm never 100% off.

Going Offline for Clarity

00:03:31
Marco
It's a curse we have, right?
00:03:31
riptide
No one is. Once you're in, you're in. You're hooked for life.
00:03:35
Marco
Yeah.
00:03:37
Marco
Yeah.
00:03:37
riptide
It is, man. I don't know what to do. I love what you're saying. Go offline. I think we always preach that. And you get some better sense of what's going on. You just pull away, man. Because I was joking with...
00:03:53
riptide
I was talking to our VC on a call and we were talking about different things and I was like, yeah, you know, as soon as I log onto X,
00:04:04
riptide
within like minutes, I feel like, okay, there's no hope. AI has taken over everything. I'm fucked if I'm not a decamillionaire and I have 24 hours to act.
00:04:16
riptide
And if I don't do all these things, then I'm fucked and there's no hope for me.
00:04:20
Marco
Yes, in two weeks you'll be condemned for your whole life to the permanent underclass, as they are calling it now.
00:04:21
riptide
And then...
00:04:30
riptide
Permanent, yeah. I don't have 20 Mac minis running Claude bots or whatever the fuck, then it's like, dude, this is too much shit, man. So go back, look at your chickens and just chill out and think about some bugs. I like that.
00:04:46
Marco
Yes, that has been working for me, wonders, especially because I think... I don't know if I'm... I told you I'm addicted to this and maybe it's an

Bug Hunting: Challenges and Rewards

00:05:04
Marco
addiction, really, because maybe I'm not even made for this, because I get burnt out too easily if I'm always on the digital. I have to do something. I have to go outside. I have to have my son's water and everything. And I just can't stay only in a computer.
00:05:24
Marco
But at the same time, I love to be in the computer. So it's a weird feeling, but I love it, I love it all. And I think pain also helps me with the process. I think, as much as I remember, there isn't a single worst vulnerability that I've reported that didn't end up in days of pain, when it was, like, days to report it, and it was just pain to prove it, to code the PoC, and then you hit a block and you're all, fuck, I'm wrong. And then, oh, no, I'm not wrong. It's just my PoC that's wrong, so yeah.
00:06:13
Marco
I think this really helps me sometimes, but you have to balance, otherwise you kill yourself, right? I could do that, yes.
00:06:22
riptide
Yeah. Oh, it's so easy to do it. Yeah. It's so easy. We're all just dorks at heart and we could just sit in front of the screen and you have to pull yourself away. And you're right. 90% of the bug hunting experience is pain.
00:06:36
Marco
Yeah.
00:06:36
riptide
It's a rare time where everything goes as planned. The team's great. The payout's great. And the speed is great. Like that's just becoming a diamond in the rough nowadays, unfortunately.
00:06:50
Marco
Yeah, I've never had that. There is always... I mean, there are great things that I can say, wow, they are very professional and they treated me well, especially some things that I contacted directly because they're actually the risks.
00:07:08
Marco
Maybe higher sometimes, sometimes not, it depends actually. But there are some things where I can say, yeah, respect them. But there's always some little thing, because when it comes from your side... When it comes to give you points, there's always nuance and things that, oh, it's understood, it doesn't need to be written there.
00:07:42
Marco
But when it comes to give them points, they are all... I mean, actually it's the opposite. When it comes to give you points, it's all literally the word of law.
00:08:00
Marco
And when it comes to take points out of you, there's nuance and, oh, you should have thought of this and that and... It's never a totally smooth experience, but I mean, I think it comes with the job. It's a very adversarial job in security, even if you're not bug hunting.
00:08:22
Marco
I mean, if you're not bug hunting independently. Even...
00:08:27
riptide
Oh, well, hear this, hear this, man, because this is from a different point of view, right? That I never normally do. What you're saying is totally factual, because there's always money on the line, right?
00:08:38
Marco
Yes. Yes.
00:08:38
riptide
And with money on the line, you're gonna have that kind of standoffishness with the protocol. So recently we had a great... we submitted five bugs, right?
00:08:49
riptide
We were looking at the underlayer of a popular protocol. And there's an underlayer that was basically forgotten about. And I'll disclose all this soon, once everything's confirmed.
00:09:01
riptide
But we ended up running our tool against these repos that no one's looked at for a while. And we ended up finding some really good bugs. But there's no real bounty program for them, because we thought that, you know, with the protocols using that underlayer, we would be able to expose bugs based upon these underlayer findings.
00:09:20
riptide
And, you know, we check on chain, we check everything, and like the exploit's not out there live, unfortunately, like it's too much of an edge case. And so our dealings with the underlayer that we disclosed to, with no bounty program, oh my God, was the best, the best ever. Oh, thanks. Thank you so much for disclosing. Like, because there's no monetary pressure.
00:09:46
riptide
And when you don't have that, like, oh, you're the best.
00:09:47
Marco
Yeah, I got it.
00:09:50
riptide
Thanks man. High five. It's like, ah, you know, oh, what
00:09:53
Marco
Yes, yes. But I mean, in this case, it's actually pretty positive in a way, right? Because the monetary pressure, I totally understand. The last thing I like to have to deal with is that oftentimes there's also the pride pressure, in which they pay one way, but then they will lower the severity because they don't want a critical on their list for the VCs to see or whatever, the investors or whatever.
00:10:31
riptide
Right.
00:10:32
Marco
Or there is somebody in the team that doesn't want to...
00:10:32
riptide
Right.
00:10:38
Marco
that has some leverage and doesn't want to admit an error, a mistake. And I mean, this pride thing is what hits security guys, even inside of the companies they are already working at.
00:10:43
riptide
Mm-hmm.
00:10:52
Marco
So even inside a company, if you find vulnerabilities in the system and you are rather an insider, the devs get defensive if you don't approach that right.

Ego and Vulnerability Disclosure

00:11:04
Marco
And this is, to me, in the technical field, one of the worst things I have to deal with, because the monetary pressure, yes, I understand.
00:11:15
Marco
People will do many things to survive, although I don't agree, but the pride, it really hurts the technical development of things. And it's been a blocker in the ecosystem, oftentimes for all the sides, not only from the side of projects, but also the side of the security research.
00:11:41
Marco
Some of us are really proud too, right? Thank you.
00:11:45
riptide
You're right. And I wonder if there's a way to mitigate this. If you know that, like, the way to give criticism to people, one of the effective techniques is you sandwich it in there.
00:11:57
riptide
So you say, hey, you know, X, Y, Z, Marco, hey, you're not doing that great at work. This is not good. But however, you know, your last report was this, you're doing really good here. And then, or is it the bad stuff's on the inside, the good stuff's on the outside, something like that.
00:12:15
riptide
But maybe you could do the same thing with reports, but I'm just thinking, like, how I would word that report. It's kind of hard. Like, obviously you don't send a report saying, oh, these devs are so careless.
00:12:27
riptide
They just left this in here. It's stupid decision.
00:12:30
Marco
Yeah.
00:12:30
riptide
You make it very mechanical and objective and just kind of state the facts, but I've never put in there like, wow, this was an amazing design choice and, you know, it was slightly flawed.
00:12:42
Marco
Mm-hmm.
00:12:44
riptide
Unfortunately, I've never like really made it like that, but that could maybe decrease the pushback you get.
00:12:51
Marco
Yes, to me personally, the only thing that has worked in the past, when I was working more on the consultant side, as an offensive security researcher, red teamer, was something that in bug bounty is mostly impossible for most people and would be a waste of time because they are not on a paycheck.
00:13:19
Marco
It was to have some social relationship with the devs and engineers. And then they see you like a cool guy, not a guy that only criticizes the project and criticizes what they are doing. And then when you appear with something, they are more open to get that. But that's mostly possible with bug bounty hunting. And it would be a waste of time for the researchers, right?
00:13:46
Marco
So the only thing that really worked for me was to have all this relationship, because when I started with offensive security, I was... am still ETH. Still ETH. Yes, I still am.
00:14:04
Marco
But in a way, I've changed it a bit. I was always too harsh, very, very harsh. And I liked to make jokes about what the devs did, the mistakes they did.
00:14:20
Marco
And I mean, as a man, as a real man, right? Because there are not real men. I mean, as a real man, you will understand that, from a martial arts perspective, we like this tension, you know?
00:14:36
Marco
We just say some jokes about the shit they did and they threw another one to us, like, oh, you can't hack this, you're dumb.
00:14:44
riptide
No, I disagree. No way.
00:14:46
Marco
But...
00:14:47
riptide
No one's going to like that, man. No one's going to like that. No way. These guys, you got to picture, like, these guys have a significant amount of, probably, their net worth in whatever protocol they're with, vesting, this and that.
00:14:59
Marco
Yeah.
00:15:02
riptide
So they put so much time into this. This is their baby. And you're going to come by and be like, you fucking missed this.
00:15:05
Marco
Yeah, yes, yes. So, but yeah, that's what I was getting at with that, exactly. That's something that I've seen a lot from my younger years, because I started with this approach, because to me it was natural. It was what we did in judo or anything we did, parkour, that I used to do, and
00:15:26
riptide
Mm-hmm.
00:15:32
Marco
we had this tension and it was good, this competition. But when I started to see that people, yeah, they have it like their baby... but it's not only that, too. It's that people see their net worth
00:15:48
Marco
and they think that should mean they're infallible. To me, it's like a doctor who goes 10 years to a school and then he thinks that he cannot make a mistake, or at least he cannot be judged by a patient.
00:16:06
riptide
Mm-hmm.
00:16:10
Marco
And I think it's similar. People see their net worth and think, oh, it's not like... you can't be seeing it this way, it's wrong, because I made so much money, you are probably wrong, or at least it's not that bad. So yeah, I think it's a very important part of our market to establish that relationship, because we are all humans, right? So both sides, we and people in the protocol, hopefully they don't want to be hacked.
00:16:46
Marco
But at the same time, I don't have, and I think nobody really has, a solution to this relationship issue we have right now.
00:16:59
Marco
It's very difficult.
00:17:01
riptide
Yeah, it reminds me of, if you've heard of confirmation bias with academics, it's like your PhD thesis is built upon this research that you did for years, or you did a study that just took so much time and so much of your life, and then you get to the results and you find that it's wrong, that your whole thesis is incorrect.
00:17:24
Marco
Yeah, yeah, imagine that.
00:17:26
riptide
And the confirmation bias, yes, is you're not going to listen to anybody. You're going to say, well, what did I just waste seven years on? Like, I'll just modify it to make it work.
00:17:33
Marco
Yeah, yeah, exactly, yes.
00:17:37
riptide
What was that book that came out, The China Study, where it was talking about vegetarians and veganism. And then it got debunked, like the whole thing was bullshit.
00:17:47
riptide
And this was the same example of confirmation bias. But I see it, man. I mean, you put yourself in those shoes and you're like, well, what do I have to show for it after five to seven years?
00:17:55
Marco
yeah
00:17:57
riptide
Just like you build the DeFi protocol and then, you know, it's very popular. And then this guy discloses this thing that makes you pay out a bounty of, like, a million bucks, 10 million bucks, and you're probably going to get,
00:18:11
riptide
I don't want to say reprimanded, on the inside, but maybe that money comes out of, like, future compensation to you. And so I could see the pushback.
00:18:19
Marco
Yes, yes, yes.
00:18:21
riptide
Yeah.
00:18:21
Marco
And when you see that KYC, it's a 13-year-old on the other side of the world.
00:18:27
riptide
shit.
00:18:30
riptide
shit
00:18:30
Marco
That probably hurts a lot, yes.
00:18:34
riptide
A 13-year-old. You know, all right, the best strategy though is you have to suck up your ego as a founder, protocol, dev, whatever, and just say, listen, look, obviously I'm not flawless, okay? Audits, doesn't matter, man. Found a bug, pay the guy, be transparent with your investors, your users,
00:18:56
riptide
put a bug report out there, show you fixed it, show how you responded. That's the best, man, the best case scenario.
00:19:02
Marco
Yeah.
00:19:02
riptide
I cannot stand this kind of thing that seems to be more common, of these... they have on their bug bounty programs with, say, Immunefi, right?
00:19:14
riptide
They have this responsible disclosure policy, like the maximum restriction. Okay, you can't say anything, even when we,
00:19:21
Marco
Oh, yes, I have so much to talk about that.

Flaws in Disclosure Policies

00:19:24
Marco
Yes.
00:19:24
riptide
Right. Even when we deny the bug, right? Even if you submit a bug and then we say, okay, we're not going to fix it.
00:19:28
Marco
yes
00:19:32
riptide
You still can't talk about this bug, even though you're not going to fix it.
00:19:36
Marco
Yes, I've
00:19:36
riptide
What kind of bullshit is this?
00:19:38
Marco
Yes, I've mentioned that before on Twitter, and I think that's one of the biggest mistakes that got into production in Immunefi, the responsible disclosure policy, especially and specifically because of this. I understand that if I find something and we disagree on severity, okay, it's a thing. There's mediation for that.
00:20:08
Marco
But when I find something and you tell me it's a duplicate, okay, there is a risk. So I agree with that. If you don't want that disclosed or you want a disclosure timeline, that's up to you, okay.
00:20:23
Marco
But if I find something and you tell me that it's invalid, won't fix... Okay, I know the projects can do whatever they want, it's their BBP terms, but Immunefi, in my opinion, shouldn't ever have put that as one of the standard policies, because it's completely crazy, especially because "won't fix" is the one dirty trick that some bad projects use.
00:20:54
Marco
What they do is like, you submit a vulnerability to them. That's actually one of the reasons why I've been having some success reporting vulnerabilities directly to some projects that were on RP3, because if I send them an email
00:21:09
riptide
Mm-hmm. Mm-hmm.
00:21:14
Marco
without terms and I say, here's the vulnerability, I'm disclosing in X, and no terms, of course, otherwise some projects will scream blackmail or some bullshit, and now you have the terms. If they say it's invalid, okay, so it's invalid, I can publish, it's safe to publish, right, let's go, that's it.
00:21:36
Marco
But in the case of RP3, you send them something, for example, and if it's a bad project (most projects that are good, of course, want to do this), a dirty trick they can do is, you deny the vulnerability because maybe it's a vulnerability you can monitor
00:21:55
Marco
and you can accept the risk. So you monitor, it's something that you could accept the risk for three months, or monitor to have some mitigation for that.
00:22:08
Marco
That is not obvious. And then in five months, you are already changing the architecture so much that that vulnerability is not exploitable anymore.
00:22:21
Marco
But nobody can, at a certain point, establish the causality that you did that to fix the bug in an indirect way.
00:22:28
riptide
Mm-hmm.
00:22:32
Marco
Because projects, especially projects in this ecosystem, are changing so much, it's very easy to get a vulnerability, accept the risk, monitor, do some other thing to take care of that. You can do a risk management assessment even with some help of AI, right?
00:22:52
Marco
To establish that, oh, there is X percent chance of that being found out in the wild for now. And we also have these mitigations in place to monitor and do some live mitigation.
00:23:04
Marco
And then you wait for some months and you change your architecture enough that that bug is unexploitable now. So the white hat won't be able to point at that and say
00:23:15
Marco
they fixed it, because they didn't fix it, they just changed the architecture, right? So, yes, RP3 to me is totally crazy to be a standard policy there. It probably came from pressure from projects, for sure.
00:23:32
riptide
Yeah, yeah. Or they fix it under your nose and they just hope you're not going to watch, or they just sneak it in.
00:23:37
Marco
Oh, I...
00:23:38
riptide
There's a lot of weird behaviors.
00:23:41
Marco
I have one of these right now. Right now.
00:23:50
Marco
There's one project that... I mean, I have my time to go to arbitration. I still have time for that, so I'm pretty comfortable in doing everything right, because arbitration
00:24:06
Marco
is not the golden dream that people may

Arbitration and Dispute Resolution

00:24:10
Marco
imagine. You have to be very careful with that, because for many projects the arbitration won't be worth it, really.
00:24:20
Marco
Because you see, you have two steps in the arbitration process, which is the London Chamber arbitration of Immunefi.
00:24:31
Marco
You have two steps. You can get the award, which means you are correct and the arbitrator said you are correct, okay. But now, if the project won't pay of its own free will (some projects will, to not have that on their accounts or with the VCs or whatever),
00:24:54
Marco
but if the project doesn't do that, or the project vanishes... In the case of vanishing, it's pretty hard to get your money if they vanish their legal entity or whatever. But if you want to enforce that, you now have to enforce it in their jurisdiction. And if it's New York, okay, it's almost automatic, and they will have the accounts with the money subtracted from them, if the need comes to that, and that's it. But if they are in Curaçao or wherever the fuck the legal entity for that money is, it gets harder and more expensive. It's
00:25:35
riptide
Thank you.
00:25:40
Marco
possible in some of these fiscal havens, but it gets more expensive. It's not just, oh, you get the arbitration and then you won and now the money is in the account. No, it doesn't work like that. So you have to really check the situation you are in, what the project is.
00:26:07
Marco
And in my case, it's not even a huge amount of money. Of course, I won't disclose anything, not even values, because my lawyer wouldn't like me to say anything.
00:26:20
riptide
But are you going to arbitration? Are you going to be the first guy that goes to it?
00:26:24
Marco
For now, I'm pretty sure I will. I still have time. Of course, my plans can change if something... If I see something, for example, if I see that I won't get what I want with the entity because it may be unenforceable, that I can win this on the arbitration. I'm...
00:26:49
Marco
100% you cannot say, because minds of arbitrators and judges may be different, but I'm 80% sure
00:26:54
riptide
Jesus.
00:27:00
Marco
that I win this arbitration, because it's such an easy case. It's exactly like this. I reported the vulnerability in March.
00:27:17
Marco
In March, yes, March of last year.
00:27:20
riptide
Jesus.
00:27:20
Marco
And yeah, and
00:27:22
riptide
This is longer than mine. I thought I had the record.
00:27:25
Marco
And they closed it, saying that it was invalid. And they gave an argument, an economic argument of why it was invalid.
00:27:38
Marco
And then I spent my time proving that it was not invalid. I had all the numbers accounted, all the public numbers, everything. It's perfect.
00:27:53
Marco
Mediation stood by my side, as a critical. And the project just stayed there silent to me, saying nothing for seven months.
00:28:04
Marco
Yeah, that was seven months. They sent an argument. First, they tried some arguments, I don't remember all the arguments right now, but useless, because mediation didn't change to their position.
00:28:23
Marco
Until, like, 10 months into the issue, they remembered that they had some Google Docs, some documents from some time. I won't say specific times either, because we never know, we have some young guys there that can find exactly what project it is if you say too much. But
00:28:52
riptide
Yeah. Yeah. yeah
00:28:53
Marco
They had some documents there in which they said this document proved that it was a non-vulnerability that they would fix.
00:29:07
Marco
But, well, the document isn't identifying anything as a non-vulnerability or as an accepted risk. And two, they don't have the proof that they would change that in any way.
00:29:28
Marco
And two, if they had that, why would they have closed it as invalid months ago, months before that? They just remembered 10 months into the game. And...
00:29:41
Marco
And in one of my messages... the causality is so ridiculous. In one of my messages to mediation (because mediation failed in this process too; they spent some time without doing anything, they told me there was an internal issue, and they left that on the fridge too, so this happened as well), when mediation pinged them with the fix proof that I sent to mediation, because they fixed the vulnerability, the motherfuckers,
00:30:21
Marco
right when they pinged, they started to come up with these excuses. But more importantly, before this, the worst causality before this: when the mediation came back to ping them, that they would have to answer to me, and this happened before fixing it, I actually believe they forgot about the vulnerability, or whoever took care of that didn't really think it was that bad, maybe. So this part is possible.
00:31:06
Marco
But mediation sided with me and then they pinged the project. And right when they pinged the project, four months in, the fix came out in three days, four days, something like that.
00:31:21
Marco
and
00:31:21
riptide
Mm-hmm.
00:31:22
Marco
Before the fix, they committed, they pushed to the repo the exact tests to test my vulnerability, and then they fixed it.
00:31:36
Marco
And then their excuse was that, yes, they were testing for my vulnerability. This they didn't deny, but the fix just happened to be a UX fix.
00:31:51
Marco
Can you believe that, man?
00:31:53
riptide
Oh, I believe it. That's very believable, actually.
00:31:56
riptide
And the fact that you're taking so much time to do this. I think I posted something today or yesterday about, like, I was waiting six months now on a bug that the project confirmed and it was a severity dispute.
00:31:56
Marco
Ha ha ha.
00:32:11
riptide
And it's like, it's in mediation, no one responds. I just fucking sit here. And I'm like, what is the time value of money? Like, I think back to old finance classes and I'm like, what's the fucking incentive for this project to ever respond?
00:32:28
riptide
There's zero.
00:32:28
Marco
Yeah.
00:32:29
riptide
There's fucking zero. And it's like, if you have... and I always like to give the benefit of the doubt.
00:32:31
Marco
Yes.
00:32:35
riptide
Like, I know I'm not the only game in town with bugs. I know the project has fucking a whole project to run. There's all kinds of things going on. Okay, but six months is egregious. There's no excuse.
00:32:48
riptide
And so what Immunefi could do, the simplest thing, and I think maybe this is what their vaults were supposed to do, is like: if you're going to put up a mill for a bounty, right, and let's just say you have Immunefi triaging your submission, so I submit a critical and I'm like, hey, this is a max impact, and Immunefi triaging should say, okay, as part of the submission, look, if it's validated by us and it's going to the project, we're going to custody one mill from the project
00:33:22
riptide
in the vault or whatever. And that way, until this is resolved, that project no longer has access to those funds, it's escrowed. So you're in the same boat, you and them.
00:33:32
Marco
Yeah.
00:33:34
riptide
And there has to be some... this is so fucking stupid. I've always argued that you give away all your power when you give up the bug. And so now you're hoping for the other party to act responsibly.
00:33:42
Marco
Yes. Do this.
00:33:45
riptide
And now there's this new shit, because we've been submitting a lot of bugs recently with our AI platform. And so I've noticed some... here's some feedback on the bug platform, or the bug universe, right now.
00:33:59
riptide
It's that projects... it's a bear market, right? Projects are going bankrupt. I get it. There are projects that are not doing as well. And they have big treasuries and they still have big bounties that the fucking DAO approved. All the terms have been approved. Okay, I didn't make the terms, you did. Just abide by them.
00:34:16
riptide
And they're not paying bounties for shit that is minimal. Like they just don't care about it. So you could have anything, man. And I've been submitting, testing this with many different teams, man, in Telegram chats and through the bounty programs.
00:34:33
riptide
And I'm finding teams are just like, eh, you know, ah, the user loses some funds, eh, like a lot of it's just like, eh, like they don't give a shit.
00:34:42
Marco
Yes.
00:34:42
riptide
And so it's made us focus more on just like, you know what, let's just focus on straight up criticals that are going to do objective impact on a target, user, whatever, like something you can't ignore.
00:34:57
riptide
And I think that's the real strategy at this point in time, because it's just people tightening up their belts, and I think they use this mediation with Immunefi, honestly, to delay.
00:35:03
Marco
yes
00:35:10
riptide
Like we had a protocol recently, I think, do this to us, where they offered us half of what the minimum payment was on their fucking bug bounty.
00:35:13
Marco
Yes, yes.
00:35:21
riptide
And I'm just like, this is stupid. I know what you're doing. You're acting in bad faith and you just want to prolong this. Okay, well, like, what option do I have here as the bug hunter?
00:35:29
Marco
Yes, yes.
00:35:32
riptide
And it's really sad to see. It's really sad to see.
00:35:35
Marco
Yes, it is. And, well, I think that's possibly a great idea that should be tested. But also another thing that could work here is eventually some pressure on the

Transparency in Negotiations

00:35:54
Marco
reputation. Like, imagine that the mediation side with you, instead of the monetary part.
00:36:02
Marco
They would have in their profile, like, this project has X criticals that they are not paying, or that are mediated against them and not resolved, and something like that. Some stats like that could be cool too, because these people respond a lot to the investors and to VCs and anything.
00:36:28
Marco
Anyone who has money on them or can give them money eventually. And that's one way. Another way, and on mediation, sometimes delaying things. Yes, I've seen that pattern. That's why in the last year, I sent some bugs, I started to try out, let's see what happens, sending bugs to the projects themselves, and I saw that, well, sometimes, well, I mean, oftentimes they lowball me, but at least it gets solved quickly.
00:37:07
Marco
Even, I mean, I don't have all the leverage if I want the money, but you have one leverage when you send directly to them, which is that you can publish. You can just say, okay, whatever.
00:37:21
riptide
Mm-hmm. Mm-hmm.
00:37:24
Marco
You can't ever, of course, publish it because you didn't get the money, no. But you can just send an email and tell them you are going to follow an ethical disclosure timeline and that you're publishing it anyway.
00:37:39
Marco
So yeah, that's one way. And you may think, well, but where are the benefits then for them to pay you? And that's the point.
00:37:50
Marco
If the project themselves then propose to you that they prefer to wait and not to disclose that, and they are ready to... They want to establish it. I mean, their financial incentive, they want to pay you, but that payment comes with a condition from them.
00:38:10
Marco
It's a condition from them. So it's not, this doesn't fit in blackmail. This doesn't fit in any of this, but in a way you also have to do this very honestly and sincerely.
00:38:25
Marco
So that's this. This situation that we have right now is actually why I want to try out an idea.
00:38:37
Marco
So I was waiting for this podcast to throw this idea out there, because I know some white hats come
00:38:45
riptide
What do you got? Tell us.
00:38:51
Marco
to tell me what they think about this, and I really want to know. It's that, first, it's a very personal thing. I can only do this when I'm having fun.
00:39:01
Marco
I like even the disagreements, but I hate the ghosting. The ghosting is terrible, it's disrespectful, and it breaks the game.
00:39:08
riptide
Yeah.
00:39:10
Marco
So my idea is like, I had, for example, a fair share of vulnerabilities that I'm sitting on, because either they are economically not so easy to exploit, okay, that's fair, or because they are mediums. Okay, I don't usually report mediums unless I see there may be some more immediate risk.
00:39:38
Marco
Or if the vulnerability is out of scope. I have a vulnerability right now in a RP3 project in Immunefi that is at least a high, but maybe, depending on what they think about this,
00:39:55
Marco
it could be critical. I think it's critical, but I'm biased, of course. But it's in one of their out-of-scope code bases. So if I publish it to them via Immunefi, I lose my rights right away.
00:40:05
riptide
Yep. Yep.
00:40:11
Marco
So I was having this idea, which
00:40:17
Marco
I'd like just to try, not for monetary reasons, because I really don't depend on bug hunting. So what I think would be fun, I would very much like to try it, and I probably will, is to find a vulnerability, report it to the project email, and say, I'm publishing it in 90 days, or 30 days, or whatever. In our market, I think 30 days is better, because I come from standard cybersecurity and usually it's 90 days, 90 days plus 30, but it's a totally different market, because there you have software that's on other people's computers and you need time to make them update, patch, and guarantee most companies have been informed and patched. In our field...
00:41:07
Marco
They just had to migrate to their own contracts or something like that, and it's quicker. So I think 30 days is more than enough for fixing any vulnerability in an ethical way.
00:41:21
Marco
So my idea is just to make a speedrun getting vulnerabilities, especially criticals and highs, something with more impact, more monetary impact, and just send to the project and say, okay, I'm publishing in three days. And whatever, I'm publishing. Oh, they want to pay? Okay, I'm publishing anyway. But...
00:41:42
Marco
try to gain more with the fun of publishing the vulnerabilities to other white hats, to establish this hacker scene back in our field, because in this last, especially this last year, I felt projects are closing everything and nothing more can be published and nothing more can be talked about. And to me personally, that's so boring, because, yeah, I want to make a three million vulnerability, three million report, whatever.
00:42:18
Marco
But of course, I'd take the three million and not publish anything about it and be happy, of course. But I also like this public discussion, of us being able to publish it to other white hats, discussing the vulnerability, the projects, and being more public and transparent about this. And I think we are losing that. We are losing that to a level
00:42:43
Marco
that there are some security people, I'm not sure they are security people or if they are marketing or manager people, I'm not really sure, that are even recommending projects to go closed source, and I mean, that's totally stupid in a way that is almost unimaginable.
00:43:07
Marco
So I think we really need this open source transfer, because when I came to Web3, one of the sole reasons I came back to Web3, because I've been in crypto since 2013, and I went to standard cybersecurity, offensive security, and the only reason I came back to this was, one, because there was now a market established, of course.
00:43:34
Marco
It didn't exist before, and I wasn't involved with what didn't exist. There was nothing to be involved with on this. And I wanted to get better in standard cybersecurity. It was a personal thing, but I came back especially because of this openness.
00:43:53
Marco
Because I was tired of working only on private projects, on things that I cannot disclose, and all these banking private deals, and the government, things that you cannot talk about. And I like this thing of people publishing, talking about the issues, and you being criticized, you being proved wrong even.
00:44:24
Marco
But then suddenly, maybe the bear market hit. Yeah. The projects are now closing everything, nothing more is talked about. So to summarize, my idea is that I really want to try and take advantage of my position right now, that I'm not desperate for bug bounty money, and spend like six months, I think six months is the minimum,
00:44:52
Marco
getting these vulnerabilities and saying, here, you have 30 days to fix. I'm publishing on Y. And then if the project wants to pay me anyway, cool for them. They want their diversities of paying, but I'm publishing anyway. And that's my work of art.
00:45:11
Marco
I want to bring joy back to this thing. It's getting so boring right now, in my opinion, at least.
00:45:19
riptide
I'm with you. It's because it's getting more professionalized, which is just getting lamer, right? We need to take back this whole Web3 ethos, this whole crypto ecosystem, where it should all be open.
00:45:27
Marco
Yeah.
00:45:33
riptide
And now it's flipped, like what you're talking about. All these terms, all these rules. It's like, this is not what we wanted. And we all agree that this is not where we want to go.
00:45:42
Marco
Yeah. And it,
00:45:46
Marco
Yeah, and I mean, you are working, I think, and the biggest issue here is you are working in a framework that, one, at least pretends to be decentralized, right?

Openness vs. Secrecy in Crypto

00:46:04
Marco
And you are dealing with other people's money in a setup where law enforcement cannot get back this money easily.
00:46:14
Marco
So you really have the most liquid money out there.
00:46:15
riptide
Mm-hmm.
00:46:18
Marco
It's not in a bank. It cannot be reversed. And then you're putting roadblocks in people discussing the vulnerabilities. To me, that makes zero sense in the market. It's a very sure way to suicide for a market. It won't happen. I think the pressures won't allow that to happen, because there are real pressures of being disclosed,
00:46:49
Marco
of this disclosure right now. But yes, right now the projects are thinking that the professionalization is an issue, of course, but also the way they think they should professionalize.
00:47:01
Marco
So they think hiding things is better because, oh, the VCs won't like to know about this or to pay for that.
00:47:12
Marco
Or the investors won't like this, or my competitors will FUD about this. But if you see the long term, this is a sure way to get our market to shit and give even more incentives for the black hats. Because the black hats, the best black hats, or at least most of the best black hats out there, they are on a paycheck.
00:47:42
Marco
They aren't just starving to find bugs or things like that. Of course, you have some lone guy out there. Sure. Okay. But that's not most black hats.
00:47:54
Marco
Most black hats, they are on a paycheck. They have the incentive to reverse your silly binary. They have the incentive to find out, they can do even more than that.
00:48:02
riptide
Mm-hmm. Mm-hmm.
00:48:06
Marco
They have the incentive to be inside your company in some way. They have the incentive to bribe your employee to release source code. So from whom are you hiding? You are hiding from the good guys, from the white hats,
00:48:22
Marco
who won't bribe your employee for source code, who won't try to get insider information, who will follow the law. That's from whom you are hiding. So that's plain stupid.
00:48:39
riptide
I agree, but unfortunately, yeah, it's not going to change unless there's some sort of framework built around it to force people to change.
00:48:39
Marco
That's why it's disclosed.
00:48:47
riptide
Because this is like all human behavior with anything. I'm going to make some money here and I'm not going to report it, because tax authorities won't see it. Or, you know, I'm going to do this because this won't happen. So X, Y, Z. It's like, this is just how humans behave.
00:49:07
riptide
It's like, why am I gonna pay the white hat when it's like, oh yeah, I've already got the bug. Now I'm gonna negotiate him down. Manager's telling me to, you know, we would have caught it.
00:49:18
Marco
Yeah.
00:49:19
riptide
My favorite line, we would have caught it.
00:49:21
Marco
Yeah, this one exists.
00:49:21
riptide
We would have caught it, all right? We're all-knowing.
00:49:25
Marco
Yeah.
00:49:25
riptide
So we would have caught it, man. That's a big fuck you, basically. We would have caught it, man. Thanks, Marco, but no thanks.
00:49:32
Marco
it
00:49:33
riptide
We would have caught it, okay?
00:49:35
Marco
No, man, the me from the other universe, he actually caught it. Yes, so yes. Yeah.
00:49:43
riptide
Yeah, it's been caught.
00:49:44
Marco
Yeah. And as ridiculous as it may sound to some newcomers, this really exists, yes. I would have caught it, so the value is near zero.
00:49:56
Marco
Yeah.
00:49:56
riptide
Oh man, I think my latest thing that I don't like in bug hunting is the likelihood thing. The old likelihood where, yeah, okay, it's an impact of this. And then we're just going to look at the likelihood just so we can downgrade you. So let's come up with a creative likelihood argument. Okay, it doesn't exist on chain yet.
00:50:19
riptide
Oh, well, low likelihood because it hasn't been exploited.
00:50:22
Marco
Yes, and then
00:50:23
riptide
Okay, what does that mean?
00:50:25
Marco
Yes, and in that likelihood argument, they know it's bad. They usually know it's bad because they used it against the white hats too. I reported a vulnerability that could essentially...
00:50:43
Marco
essentially allow anyone to gain their consensus and end up slashing a lot of people, unrolling a lot of validators.
00:50:55
Marco
And it could be used to gain their consensus. Right, rightful argument. I agree, rightful. Okay, in bug hunting we have to be cold and we can't really deal with possibilities.
00:51:11
Marco
I knew that, so I published it as fast as I could, because I wanted to get the bounty and not wait for it to be more exploitable.

Fairness in Bug Bounty Programs

00:51:24
Marco
So I didn't wait for it to be really more exploitable, in the version where they would be the most harmed by that. And yeah, they paid me... they didn't pay me millions, they paid me a lot less, because it was a potential that was not realized yet. And I knew that, I agree with that. But...
00:51:48
Marco
You can't use that in any way you want. Like, they sometimes use that for telling, oh, I would have caught that, or the likelihood would be low, or something that cannot be proven.
00:52:05
Marco
But they know that argument is bad, because they use it against white hats. When a white hat publishes something that is not yet realized on mainnet, they write for, and that's correct. I think that's correct.
00:52:16
Marco
They don't pay it in full like it was there right now. So it's the instant economic damage that's paid. And all right, yes, but you can't use it for one side and not for the other side, and that's why I usually tell white hats to be a fucking lawyer. Be a fucking lawyer, know the terms. Yes, and unfortunately, you see most of these discussions about bug hunting end up coming up to the human side, because yes, that's all there is. Finding the vulnerability,
00:52:40
riptide
Yeah. Unfortunately. Yeah.
00:52:55
Marco
if you are persistent enough, it's a very easy part. Of course, there are some outliers out there in consistency or in creativity, I think there are, but most of the time it's not the hardest part.
00:53:12
Marco
But then you have to deal with all this human part, and being a lawyer,
00:53:13
riptide
Yeah.
00:53:19
Marco
knowing the terms, right? Knowing how to use them, knowing what leverage you have is very, very important. I think some great vulnerabilities that could pay an important sum of money for some white hats are often lost because they are not their own lawyers. They just accept whatever the project throws at them. And that's not a very good start for a white hat, for sure.
00:53:48
riptide
Yeah, it's a changing world, man. And I hope it starts changing for the better. Just right now, I think it's bear market vibes as well that just kind of makes people do weird things.
00:54:00
riptide
This price affects a lot of people, whether they think so or not.
00:54:02
Marco
Yes.
00:54:04
riptide
And I think it'll change, man. I think this reverts. I think this will get back to a better security stance. But I also think we need to think about changing the way these things are handled.
00:54:16
riptide
We...
00:54:16
Marco
Yes, for sure.
00:54:18
riptide
Like, I'm thinking internally about changing the way bug bounties are actually designed and set up.
00:54:19
Marco
Yes.
00:54:24
riptide
Maybe, I think there might be a better model that we might be implementing.
00:54:27
Marco
Yes, and that's why, to make it into the record, that's why I like to point at things I disagree with, especially with Immunefi.
00:54:42
Marco
It's exactly because I like them and I believe they can fix many things in our market. Many things. They're in a perfect position. They have good people there. And I think if the incentives are well applied,
00:54:58
Marco
they can really fix things. The competitors, from what I've heard, most of their competitors are maybe even worse in some ways. I won't extend on this, but I really think Immunefi has a great position and a great responsibility, and many people there know that.
00:55:20
Marco
And another thing is that it's too easy to criticize, and I know that, that's why I love criticizing. It's very easy, but solving this bug bounty hunting market is one of the hardest problems, you know, in our markets. My little toy play that I want to do, of this just reporting, publish, reporting, publish, it's more like
00:55:49
Marco
a way to make some things move. But it doesn't fix anything. So maybe it fixes some engagement metrics for me, I don't know. Let's see.
00:55:59
Marco
But to really fix something, you need an organization like Immunefi, and that doesn't come in six months. You don't gain that trust in six months.
00:56:12
Marco
So yes, of course, I...
00:56:13
riptide
Right. Yeah.
00:56:16
Marco
So, I want to make this very clear, I just talk about Immunefi because I believe in them, I really like them, and that's been what I've been saying to people in all the places. And another thing about the bear market, I mean, it was another subject that we were talking about, so I don't know if we still have time, but
00:56:30
riptide
Yeah.
00:56:44
riptide
Go ahead, go ahead.
00:56:45
Marco
Yes, I'm also in the bear market. I'm very mindful that in the last year, I reported some worse, some more economically damaging vulnerabilities directly to the projects.
00:57:00
Marco
And I had quicker success with them, not just because the email process is better. No, in part, it was also because I've left the hardest vulnerabilities for the project to accept, to Immunefi, because I trust the remediation.
00:57:22
Marco
And these hardest ones were exactly the ones they usually hate more to pay, which is, for example, chain halt.
00:57:36
Marco
I think most of the projects hate to pay this because they believe it's survivable, it's not a real economic damage to them.
00:57:46
riptide
Because no one's using the chain.
00:57:46
Marco
And there's one more thing on this, is that
00:57:49
riptide
ah
00:57:53
Marco
These projects are usually not so decentralized as their marketing team says, so it is obvious. So they know, it's like they call Johnny, hey, Johnny, let's restart the chain. And yeah, that's it.
00:58:08
Marco
So yeah. But my point is, why make the marketing that you are paying for something that you don't want to pay? That's ridiculous. So yeah.
00:58:18
riptide
Yeah.
00:58:19
Marco
But in a bear market, it's exactly this: loss of funds, loss of funds, loss of funds. You'll be lowballed, but at least you'll be paid. Yes.
00:58:29
riptide
Yeah. Yeah. That's so funny, man. Hey, we're coming up on the hour. I want to ask you, since you're also in Europe here, are you going to France for ECC next month?
00:58:42
Marco
I'm still seriously considering, but I think I won't. And I have a very good reason not to. Because we're in the finishing line of my wife's pregnancy for my third child.
00:58:59
riptide
Oh, man. Yeah.
00:59:00
Marco
and
00:59:01
riptide
Oh, hey, wild, man. All right. I'll be with you there in spirit, but it's too bad. I understand that. No, that's cool. It takes priority over anything.
00:59:12
Marco
Yes, I won't be traveling with them at this time, of course.
00:59:12
riptide
No doubt.
00:59:16
riptide
Yeah, yeah.
00:59:18
Marco
I won't be traveling alone at this time, for obvious reasons. And yeah, it's great. My third child. Is this episode 34?
00:59:30
riptide
I think this is 34. Yes.
00:59:34
Marco
Yes, I mean, if it's in sequence, it will be 34, yes. So, yes, I'm 34 years old.
00:59:42
riptide
Congratulations, man.
00:59:43
Marco
Yeah, here you are, man.
00:59:44
riptide
That's fantastic news.
00:59:45
Marco
It's made to be.
00:59:48
riptide
All right, man. Marco, always good talking with you, man. Thanks for coming on. And we will see everyone next time on the blockchain.