
Episode 25 - adrian hetman

bountyhunt3rz: life on the blockchain

riptide & adrian hetman discuss running the triage department at immunefi, how to write the best bug report, using LLMs wisely, how your report is viewed by triagers and the protocol team, why reports get rejected, cleaning your brain's cache to improve your bug hunting, a juicy ALPHA drop, and much, much, more ...

Transcript

Introduction and Sponsorship

00:00:00
Speaker
Bounty Hunters. Life on the blockchain.
00:00:06
Speaker
Welcome back to the blockchain bounty hunters. We're here and we're back. And we have, as always, an extra special episode today.
00:00:17
Speaker
But first, our sponsors, and we have a new sponsor. We are finally sponsored by ImmuneFi, the biggest bug bounty platform in Web3. If you're a white hat, this is where you earn real money and make crypto safer.
00:00:33
Speaker
Don't know where to start? Hit the "feeling lucky" button and let the hunt choose you. Now that is a good promo. I like that. We're also sponsored by Recon: getrecon.xyz/riptide.
00:00:47
Speaker
Get five grand off your invariant testing engagement. And also RareSkills: go learn some skills to bug hunt, go buy a boot camp and get in the game. Get 10% off with rareskills.io/riptide. Here's the issue with ImmuneFi, and my guest today works for ImmuneFi, no hate to ImmuneFi, but my links are getrecon.xyz/riptide and rareskills.io/riptide. Guess what the ImmuneFi link here is.
00:01:20
Speaker
It's calendly.com/d/cm5q-78j-4cy. Oh, no. Oh, no. So very easy. So everyone mark that down and type it into your browser.

Guest Introduction and Role

00:01:35
Speaker
Anyway, our guest today is Adrian Hetman, who is head of triaging at ImmuneFi. Welcome, sir. Welcome, welcome. Thank you for having me.
00:01:46
Speaker
And so I want to apologize for this link. I don't know what happened. I wasn't even aware that this episode actually is sponsored by ImmuneFi, but oh my God.
00:01:58
Speaker
Yeah, we need to fix that. I have a concern that the company is too big. And I don't know if it's true or not, but I remember talking to Mitchell back in Lisbon and he told me he had like 60 people working, maybe more.
00:02:13
Speaker
And I bet it's only grown since then, but it's like, when little things like that happen, when I'm like, you can't just make me a normal link, and it couldn't be done, I'm like, oh man, that means there's too much bureaucracy, or no one could just load it up and edit it. It has to go through layers of people.
00:02:31
Speaker
So hopefully not the case. No, I mean, we have grown, but not so much. I mean, in terms of people, of course, we have right now 70, 80 people.
00:02:41
Speaker
So we're not like a couple-of-hundred-people company. So no worries about that. But I truly don't know what happened here. We'll figure it out. Yeah, we'll figure it out.

The Impact of ImmuneFi's Features

00:02:54
Speaker
But I just want to say regarding what was said in that promo, that lucky button. Oh my God, that was a quick win that changed so many lives, because many people already managed to find bugs and get paid for those bugs, simply because they had anxiety of not knowing what to choose.
00:03:14
Speaker
You know, I've never clicked that button. I remember when Google had that and I never clicked it, and I've never clicked it, but it sounds like a good idea. Do a little dice roll and just dive in.
00:03:27
Speaker
I mean, especially for the newcomers and even for the leads who don't know what to work on, and they just got paid or they just finished some mediation and they're like, OK, what do I do next? And here you have it, you click a lucky button and yeah.
00:03:48
Speaker
The adventure chose you. Many people actually were praising this on Twitter, and we didn't know that it would have such an impact. It was like one day of engineering work to do this.
00:04:00
Speaker
And we're like, OK, yeah, let's see what happens. And people just like, yeah. I mean, how different is it really from what I advocate, like open up a block and just start searching? It's kind of cool. Just dive into a random thing. And I was curious, you know, I get these emails from ImmuneFi saying, here's your next bug hunt.
00:04:19
Speaker
And I've never, I don't even know what it is. I think it's referring me to some project, or like an "I'm feeling lucky". Does it look at projects that I've had success in and then recommend me off that? Or is this just a random one?
00:04:32
Speaker
From what I know, it does look at your profile, where you actually had success, what your skill sets are, based on the projects that you actually submitted bugs to and got paid.
00:04:44
Speaker
Okay. So it is more like a personalized recommendation, but this is what I'm thinking should be happening. But again, we just sent a Calendly link for a sponsorship, so... okay, cool. Of course, joking, but yeah, I mean, it should be more personalized from what I heard when this was launched. Okay. And so, Adrian, let me ask: you've been with ImmuneFi for quite some time, I think. Yeah, I think I've seen four years, seeing you around. And so now you're running the whole triage department.
00:05:17
Speaker
Kind of maybe give us your

Challenges and Solutions in Bug Bounties

00:05:19
Speaker
scope. Like what's kind of your day-to-day and what's involved in that? Okay. Do you want the funny answer or the serious answer?
00:05:27
Speaker
Whatever you like. Whatever you like, sir. Yeah. I'm basically a fire department. There are always some fires, meaning some bug reports that are not going that well, in terms of, like, there is a long dispute period and I need to step in.
00:05:45
Speaker
Or there are some new bug bounty programs to be launched and I'm actually overseeing those to make sure that they do follow our standard practices and best recommendations for ImmuneFi, so it is quite clear for SRs what they can expect. There's still lots of work to be done on that front, but it's getting better.
00:06:09
Speaker
Apart from that, just standard managerial things: distribution of tasks, understanding what actually is happening within the team, how we can actually make things more smooth for SRs and also for the projects, in terms of mediation times, triaging, what is our hit rate,
00:06:31
Speaker
things like that, expansion of the team, and knowing what we can actually do and where we can be involved, how we can generally help ImmuneFi. So there's a lot of stuff that triaging at ImmuneFi is actually involved with.
00:06:45
Speaker
It's not only triaging. This is, I mean, it's a critical function within the company and no doubt you guys have a lot to do. I was thinking about just what you said in the beginning there, because someone tagged me recently, and it happens often, I get tagged on Twitter saying, hey, I was mistreated in a bug bounty program. And then you get their case and, valid or not, I'm seeing one side of the story, which of course is in favor of whoever's writing it. So you don't know what to believe, but then you see some guy's story about how he was screwed by either ImmuneFi or a project.
00:07:20
Speaker
And they've decided to air their grievances on Twitter. You know, obviously, those are never a good look for you guys because it's one-sided. You know, you don't know what.
00:07:30
Speaker
Yeah. But how do you think about that on your end? I mean, always, when something like that happens, I do notice on my Twitter timeline, or somebody actually internally on Slack pings me about that, I, of course, get interested and try to understand if this is something that we actually screwed up or not.
00:07:56
Speaker
What actually is the story here? So in most of those cases, I'm involved myself, plus some help from the triage team, to better understand the technical details, and then we try to either make it right, where sometimes we do make mistakes, but it's not as often as some people would like people on Twitter to think; most of the time it's just a misunderstanding of the rules of the BBP.
00:08:27
Speaker
Ah, the rules, yes. Yeah, yeah, the rules of the BBP. Or sometimes it may be just some newcomers or even serial spammers who are complaining about getting banned, but when you look at the reports, they're just submitting the same report to 20, 30 different projects, which are always AI-generated without a runnable PoC. I'm just like, okay, come on, man. Is this what McKenzie was talking about, the Web2 guys transitioning to Web3 with their spam? Yeah.
00:09:04
Speaker
Yeah, exactly. That's exactly the case. I would also imagine that there are also new people generally in the bug bounty space who are just trying Web3, not necessarily having experience from Web2, but we don't have concrete data, because we cannot interview those guys, we cannot ask them for feedback. This is just something that we can sometimes just assume is happening, and we can also see, based on the
00:09:41
Speaker
language of the report, what kind of reports they're sending, that they're just wanting a quick buck, basically bug bounty hunters. Right, right. Expecting to get paid for just some BS report they're sending in.
00:09:56
Speaker
Yeah. Yeah. ah I got to ask, who is Andrew?
00:10:03
Speaker
All my bugs, apparently since inception, get triaged by Andrew. Yeah. Andrew is our friendly pet bot who is just checking basic things regarding bug reports.
00:10:22
Speaker
I figured as much, or else promote this guy. Yeah.

Automation in Bug Reporting

00:10:27
Speaker
Yeah. I mean, at the beginning we wanted to keep it a secret. That's why we gave it the Andrew name, so people can... I mean, people react better when they know that, hey, there's maybe some human on the other end, and that was actually true in the very beginning. But right now, it's just our filtering system.
00:10:48
Speaker
We kept the name because, well, everybody at this time knows Andrew, and everybody actually understood that Andrew is most likely a bot, so I'm not spilling any secrets here. But yeah. And what about the triagers? How do you assign a bug report someone submits? Do you have certain triagers sticking on certain white hats, or is it just a pool and everyone just picks one?
00:11:21
Speaker
It's a little bit different. For managed triaging, this is where we actually do get assigned based on current availability of a triager, because we're having a 24/7 service for managed triaging. So we have different people working different hours on the team. The whole team is distributed. Currently we have nine triagers, we're hiring for the tenth, so the team is expanding. And yeah, we're working Monday till Sunday, every hour.
00:12:00
Speaker
And so based on that availability, those people get assigned to the incoming bug reports. On the mediation side it's a little bit different. There we actually assign people based on preference and also their skill sets. I do see which hackers actually submit which reports, also over the mediation, so sometimes I do assign the same triager for the same white hats, because they already know and have worked with that person. And the same case maybe for the projects, because some triagers may understand different projects way more deeply than the other ones.
00:12:46
Speaker
But this is mostly for the most complex projects that we have on our platform. Yeah, so, like, if you have a triager picking up a bug report, how long does it usually take them to get up to speed? Because some of these bug reports can be complex, and for me, for anybody, it takes a while to kind of see if you see the bug, and then even validate it, to run the PoC, set up the testing suite, especially for DLT bugs, you know. It takes a while. Do you have an average timeline you expect a guy to be able to pick up a bug and then assess it and then get a response or a verdict? Yeah, I mean,
00:13:33
Speaker
on average, and I'm talking about the average time spent actually reading the report, understanding the report, it's like a couple of hours. But of course,
00:13:44
Speaker
we have cases where it takes way, way longer, because we need to understand different details and we ask projects for those details, because
00:13:55
Speaker
triagers do understand really well where there are limitations when it comes to understanding a bug report, when they're reading a bug report for a mediation, because we've done this thousands of times already.
00:14:10
Speaker
And we have experience and also the luxury of being able to ask the project additional questions. The same thing for the white hats. Because we see, okay, for us to fully evaluate this objectively, because we are talking about objective truth here, as much as it is possible in a bug report, also in the context of the rules of a bug bounty program,
00:14:35
Speaker
then we see, okay, for us to fully understand if this is, for example, a full drain, what are the limitations that the project is talking about? Then we dive into documentation. If documentation doesn't answer that question, or the code doesn't answer the question, then we ask the questions, and in those cases,
00:14:54
Speaker
actually, in most of the cases, this actually prolongs the mediations. Some of the mediations are quite simple and easy to understand, because we still need to evaluate the bug report not only on the technical merit but on the policies in question, because the same bug that may be valid on one program, on another program that may be very similar in terms of technology, they may have different rules and they won't accept that bug because they don't care about that.

Mediation in Bug Bounty Programs

00:15:26
Speaker
And we need to take that into consideration. And when you say most mediations are fairly simple to resolve, do you mean simple to close out, or simple in a positive way for the bug hunter, or that they're kind of requesting a follow-up or an appeal on something that's unappealable?
00:15:45
Speaker
I mean, both, actually. Of course, let's say like 20% of the mediations that we're dealing with are difficult mediations, and by difficult mediations I mean they're more complex and we need to gather more evidence to actually resolve them.
00:16:05
Speaker
And the rest, I would say, are simple in the sense that there is a clear bug bounty program rule, or there is a clear PoC, and then we're pushing the project for a payment.
00:16:19
Speaker
There are both sides to this. Or simply, there is a white hat whose report got closed, and he doesn't agree with the closure reason.
00:16:31
Speaker
We go in, check that. Yeah, everything checks out. Or maybe, yes, it was actually a known issue; we verified that with the project. Or no, what you're saying is actually not true, and we're closing that. Those are relatively easy to do. And because we check every kind of mediation, and because mediations are open for anyone, anyone can call them no matter the level of the white hat, it's not like we're always getting the most interesting cases. I wish that was the case.
00:17:07
Speaker
But we also are dealing with lower-quality bug reports. We also do have higher-quality bug reports, and the mediations on those are mostly about policy questions, not necessarily about the technical details.
00:17:29
Speaker
Yeah, and I brought this up to McKenzie, if you heard that, where I said one improvement you could make was some sort of delay, or a messaging side thing or something, where, you know,
00:17:41
Speaker
you could prevent things from going to mediation for simple things that could be resolved, because a project loves being able to say, boom, closed, out of scope, or whatever it is.
00:17:51
Speaker
And then there could be one piece of information that the white hat needs to give them that maybe they contested, and they have to open up the mediation. And right now, I think with mediation the delay is substantial. I mean, would you say a week, two weeks right now you'd have to wait?
00:18:10
Speaker
Yeah, I would say that, and that's true. And the reason for that, and something that we're definitely going to talk about, are LLMs.
00:18:22
Speaker
Because people do use GPT or other AI tools to help them with writing the bug reports, and even searching for bugs for them.
00:18:36
Speaker
And we still need to check those, because you never know. Because we had cases where, for example, something did look like GPT-generated, but was actually a valid bug.
00:18:47
Speaker
And we needed to check that and verify that, even though the report was really, really large, like three pages long, but we needed to verify that. Yeah, yeah, yeah, I understand that. And my idea here, and it seems so simple: why not charge a dollar? Why not charge just a small hurdle to submit things, for the obvious spam ones? Yeah, I mean, believe me, we had those talks internally for many, many years now, and
00:19:22
Speaker
probably we're going to introduce something. I'm not saying that this is a promise; there's something that we're actually more actively discussing right now as a potential spam prevention, because it's getting out of hand. Because AI, of course, has positive utilities in bug bounty hunting, but it became more and more convincing at trying to sound valid when actually it isn't valid.
00:19:58
Speaker
And this is hard to distinguish. It's not only about, like, hey, I ran this code base through GPT and here are 10 bugs that are critical. We get those, by the way, as well.
00:20:10
Speaker
And those are quite easy to dismiss, and on mediations as well. But there are cases where somebody also uses different tools, AI tools, to write a PoC that may be runnable
00:20:23
Speaker
or not, but we need to of course check that. And they're really great at convincing you that something actually is true where it isn't, and it's harder and harder to actually check those. "This is absolutely a confirmed critical." Those are the best ones. And then if you prompt the LLM and you say, you know, I don't think it is, they say, oh, you know, you're right, this is total bullshit. I love it. I also want to ask something about... you have like two tiers, right? You have all your bug programs and it has the normal kind of triaging that you guys

Understanding and Improving Bug Bounty Practices

00:20:59
Speaker
do. I think you check for a valid PoC, you know, look at the bug report. But then you have this "Triaged by ImmuneFi" kind of thing that I guess protocols pay extra for.
00:21:08
Speaker
And like, what is that? Do the guys have to get up to speed on the docs, the protocol, and then they function as the proxy for the protocol? And then only when they're like, hey, this is really legit, protocol, you need to pay this? Or does the protocol still kind of do the same amount of review anyway?
00:21:27
Speaker
How does that work? Okay, so those two levels of triaging. So let me clarify. I mean, the first one, we do only run our automated filtering on those.
00:21:40
Speaker
So our friend Andrew does all the work and projects do the rest of the triaging. On those projects, I mean, as for everything, mediations are free and everyone can request that.
00:21:54
Speaker
And so no matter the project, SRs can still ask for help from ImmuneFi and we will come in and do a full technical evaluation and side with you if you're correct, or side with the project if the project is correct, because we need to be neutral here.
00:22:12
Speaker
With managed triaging, this is paid triaging, this is where we actually do the filtering ourselves. We get the bug reports first.
00:22:22
Speaker
Then we decide if this is actually valid, just looking at the initial bug report, the PoC, technical details, documentation, and of course bug bounty program rules.
00:22:34
Speaker
And then we either escalate or close. You still can, of course, ask for a mediation in both of those cases, especially when it got escalated and got closed by the project, because there may be some misunderstanding on the project side.
00:22:50
Speaker
But generally we need to get up to speed with the majority of the customers that we're handling on the paid side. That doesn't mean that we are experts in those projects, but we understand them enough to be able to triage the bug reports, to be able to say, hey, we're like 95% sure that this is valid. Please take a look at that.
00:23:17
Speaker
And after escalation, it's just like a normal bug flow, meaning projects take a look and they decide whether this is true or not.
00:23:29
Speaker
But if there is a disagreement, and for example the project says, yeah, this is valid, but it's not high, it's maybe a medium, then please, if you don't agree with that and if you have strong technical reasons to believe that you actually were right in claiming that this is a high impact, then ask for a mediation. Then we'll come in and still actually provide full technical details based on all the new information that came out, and we'll dispute everything that was said, in terms of, like, hey, here's ImmuneFi's evaluation.
00:24:08
Speaker
Here's how we think it should have happened here. Some of the projects are paying for the highest tier of managed triaging, where actually we do provide a mediation-like service already at the very beginning,
00:24:26
Speaker
but not many projects are actually choosing that managed triage. Okay. I think it's a pretty cool package that's offered, because I can see the advantage. You know, a client just says, hey, ImmuneFi, just handle the whole thing, because if you're getting spammed left and right, I mean, you've got to have a guy on staff to handle all those submissions coming through on your project team. So would you say people are pretty satisfied about how you guys are running that?
00:24:55
Speaker
Yeah. I mean, they still have the final say, don't get me wrong, but they're quite satisfied with managed triaging and how we've been handling things.
00:25:08
Speaker
Of course, on the other side, on the white hat side, there may be some dissatisfaction, because more reports are, for example, being closed than escalated compared to other programs. But I mean, we need to do our job well. We need to check those rules of bug bounty programs, and I will be referring to the rules of bug bounty programs because they are super crucial, because one mistake that I see different white hats making is looking only at the scope
00:25:42
Speaker
of the program, like what are the assets, and they're just hunting. Not necessarily reading what actually the project will accept, because they may find some lows or mediums, or they're thinking, hey, this high looks interesting, but the project actually already knows about this issue, because we try to list all the known issues or previous audits
00:26:08
Speaker
of a project on a bug bounty program. And then they're surprised that maybe something already is known, or maybe a duplicate because it already was reported previously and there's a write-up already for that.
00:26:24
Speaker
So one thing that I would encourage everyone to do is read the bug bounty program rules, because it would make the lives of everyone so much easier, because then there are at least some clear rules and expectations, the basic expectations of what somebody could expect when they click submit on that bug report.
00:26:48
Speaker
Yeah, I think the more clear we can make it to everyone, it just saves all this hassle. I'll give you an example with one, and I'm sure there's plenty, with a protocol that's currently in mediation: an asset was in scope, right?
00:27:04
Speaker
And then they reject, they closed me out and they said, oh, the bug's valid, okay, but oh, we're not using it right now. And it's like, well, from my perspective, if I read your program and you have the asset in scope, then it's in scope for your bounty.
00:27:22
Speaker
I try to look at things and say, okay, is this deployed on-chain? Are there transactions going to it? That's all part of it. I agree. However, you put it on your assets-in-scope list, and you're signaling to any bug hunter: spend your time and resources to audit this and find bugs in it.
00:27:43
Speaker
So that way, when we do begin to use it, okay, great. So I agree, it's not like max critical, you know, because it's actively used, but hey, it's in scope, you're planning on using it, the code's finalized, that's why you've listed it in scope. So to close it out and say, oh, you know, we're not going to pay, you found it, thanks: that's bullshit, and that's just getting a free bug and doing what a lot of projects like to do with that. I think it's unacceptable. Oh yeah, I do agree this is unacceptable, and
00:28:15
Speaker
what we usually do in such situations, we do verify and check if it is actually not used. We ask for proof from projects to actually prove to us, hey, are you actually using that or not? If it is deployed on-chain, it's much easier, because then we can check when it was deployed, if there are any transactions to it, if anybody actually is using that.
00:28:39
Speaker
Or maybe the last transaction was 400 days ago. I was like, yeah, it doesn't seem right that previously there were like many transactions in a day, but the last one was like 400 days ago.
00:28:51
Speaker
Yeah, the project forgot to update the assets in scope. That also happens. But we also need to look at the impact. If somebody would actually try to exploit that, would it actually impact the project?
00:29:09
Speaker
Exactly. Yeah, because if the answer is yes, then yeah, we will try to get things right. And we also had a situation in the mediations where something was not deployed, but the code was frozen,
00:29:25
Speaker
and they announced it everywhere that, hey, in like X days, we will actually launch this. And they made a change in that code, and somebody found a bug in that code that was supposed to go live. And it was like a blockchain DLT bug and it was a critical, like the highest critical that you can find.
00:29:47
Speaker
And they could use the excuse of, like, hey, there's no impact right now, because that was right, that code wasn't yet deployed. But we treated it as already deployed, because everything looked like it was already going to be deployed as it is. And the hacker got paid the max critical for that.
00:30:11
Speaker
And we have cases like that. That's why in such situations, and you will also hear me say this a lot throughout this interview: request a mediation when you feel like something is going wrong, especially in cases like that, because there's maybe some reward after you actually ask for a mediation. It of course depends on the cases. It is not something that we or anyone can actually promise you will happen.
00:30:40
Speaker
But if an asset is in scope and if it is actually used, or has been used at least in recent times, or there's a big indication that it will be used soon and everything is pointing towards that, and there is a clear impact on what will happen after it gets deployed, then yeah, it's a valid bug.
00:31:03
Speaker
Yeah, agree. There's so much nuance that a project can use. Yes, I mean, there's good actors and there's bad actors, and no one wants to pay out big bounties, and projects love to say, oh, we would have got that. You know what, we would have seen that, we would have got it. What are you talking about? Us? We're god devs, okay, we don't miss anything. Yeah, I mean, oh my God, I've dealt with such mediations as well and with such projects.
00:31:33
Speaker
Luckily, in most cases, we are able to convince them otherwise, because we have different rules, different articles that also McKenzie was mentioning on the previous episode.
00:31:47
Speaker
And we can use those. Of course, if a project is not willing to collaborate, I mean cooperate, with us and with the white hat, then we do from time to time pause the project and remove them from our platform. But we never know which project will behave correctly and which won't, but there are still some things that we as ImmuneFi can do. Of course, I do agree that these are always
00:32:27
Speaker
anxious and nervous situations, and stressful situations to be in, because you submitted something that is quite clear, of course, to you and also to us, but the project is not seeing this.
00:32:39
Speaker
But then you need to trust ImmuneFi, because we've seen many cases like that and we also had successful cases in such situations. And I have a question for you, just thinking about this, because I realized that there's also the other tab on ImmuneFi where you can not do smart contracts and you can do websites and applications.

Insights on Bug Report Submissions

00:33:01
Speaker
Do you triage for those as well, right? Yes. What does that pipeline look like? Is that completely different from the smart contract pipeline as far as submissions, spam? Like, how does that differ?
00:33:14
Speaker
It's a little bit different. We may not be getting as much spam on those, simply because the highest rewards are for smart contracts and blockchain, so people and serial spammers are focusing on those. But we do have some quite successful stories of paid reports on Web and App, where, for example, the whole application could be taken down, or there was an RCE, or somebody would be able to mint tokens through the frontend.
00:33:49
Speaker
We had a situation like that. So I do always recommend to customers: if you're a DeFi protocol, if you're a blockchain and you have any web component, please add that in scope, because you never know. The broader your scope is, the more protected you are, because you're communicating to the rest of the security community that, hey, I'm interested in catching everything.
00:34:18
Speaker
And people are not, I mean, we get less volume on Web and App. And I would like to change that, because I believe we do have the same great, I mean, on some of the projects, updated standards
00:34:35
Speaker
for how we're going to evaluate Web and App bug reports. And we have some white hats who are solely focusing on that, and they're quite successful.
00:34:46
Speaker
But yeah, not so many people are yet actually hunting on Web and App assets. It's interesting. So any guys looking for less competition, and you're good on that side, go for it.
00:35:00
Speaker
So I want to drop some alpha here. You know our alpha drop, and I didn't prep you for any of this. I try not to prep guests for anything, to be honest. Just like a non-interview, but just to have a chat, and they should be knowledgeable about their subjects and everything, and I know you are.
00:35:16
Speaker
So let's do an alpha drop. I'll do one from my side, and I'll let you think for a minute on your side. I want to ask you for alpha for the bug hunters on what they could do to make their bug report, their submission, get approved. Like what
00:35:33
Speaker
common things maybe people are doing wrong, lacking key details or more quantifiable metrics or something like that. So think on that for a sec, and I'm gonna drop a little alpha here, and this is on something we found recently.
00:35:47
Speaker
And that would be just to look, and it's a simple one, like all bugs in hindsight, but it's when you have a raw call and you have a vector there where,
00:36:01
Speaker
you know, the raw call is a subcolonial function and you can use less gas to maybe hit that call, and then it reverts and it doesn't bubble up down the line, and you never know what kind of interesting behavior will result in that. And we have a high sev, and I say we because I'm working with a humble chat and we're bringing some new cool stuff to light.
00:36:30
Speaker
We'll reveal more details further, but yeah, we have a high pending for a big protocol based upon this bug, and I'm very confident we'll get approved. But simple bugs just like that can give you some interesting findings. So Adrian, hit me, what do you got for the alpha drop?
00:36:49
Speaker
Yeah. Not sure if this is going to be alpha, because this is obvious to many people, but you will be surprised how many people are actually executing on this.
00:37:02
Speaker
Not so many. Focusing on proof of concept and making sure that you get your details right. Question your assumptions every way when you're actually looking for bugs and you think you actually got something.
00:37:16
Speaker
Test that. Because I've seen many cases where some white hats were really close to actually getting a bug right, but they missed on something. Because instead of relying on real systems, like just using the main network to test the real deployed contracts, they used a local deployment. And the GitHub code for the same smart contracts was a little bit different.
00:37:42
Speaker
Or they mocked something because they thought, hey, it should be working like that. Never assume anything when you're writing POCs and looking for bugs.
00:37:52
Speaker
Test everything. If you know that, hey, I spent like five, 10 iterations on a POC and I feel like I have it right now, submit it. And then, if anything, ask for remediation. But that POC part working, and questioning your own assumptions, is key, and not many people are actually doing that, because right now
00:38:19
Speaker
people are writing a POC, they may be using some AI tooling to help them with that, nothing wrong with this, but people are trying to get bugs as fast as possible and onto the platform, which I also understand in terms of mentality here and psychological factor.
00:38:44
Speaker
But if you spend more time on doing deeper research into the bug, either you will invalidate your bug yourself, which is still a very great and cool learning experience, and you may actually better understand the protocol, and that actually can lead you to better, bigger bugs.
00:39:02
Speaker
Very good alpha drop. I just wanna add a couple things. I totally agree. If you want the gold standard, do a mainnet fork and run your bug against live contracts and show, like, boom, look, I can do it right now, versus the protocol test suite, because it just gives less reason for it to be rejected.
00:39:22
Speaker
And also secondly, do not get confirmation bias on your bug. Do not be like an LLM: this is absolutely correct. Because if you see it's not correct, hey, nice try.
00:39:34
Speaker
Go find something else. But don't submit just because, oh yeah, you know, I just mocked up, oh yeah, now I'm the admin and I just happen to call this function that's never been called before to shut down the protocol. This is what would happen.
00:39:48
Speaker
You can't do that. You can't make crazy assumptions like that. It just won't fly. Exactly. All right. On to the questions. So you had some questions from the Discord.
00:39:59
Speaker
So we had one from K42. He says, what do you do as a triager to understand protocol code and get the knowledge to counter reports with the correct technical specificity, best to know what's what?
00:40:16
Speaker
I'm looking at the question. So yeah. Okay. So,
00:40:22
Speaker
The first thing that we're doing is actually seeing what the report is talking about. What's that one particular section of the code base, of the functionality of the protocol, of the business logic that this report is actually trying to attack?
00:40:40
Speaker
And we try to understand that. We don't need to always have the full knowledge of the whole protocol. You need to really understand and focus on the details of that one particular case.
00:40:53
Speaker
And with that, it's not necessarily easier, but faster to actually try to see if the bug is valid or not. Of course, the POC does help a lot, especially as we can see which steps are actually being taken.
00:41:10
Speaker
But just reading the documentation regarding that specific functionality, reading the code for that specific section that the bug reporter is currently attacking,
00:41:21
Speaker
seeing what the bug hunter is saying, and making our decision based on that.
00:41:29
Speaker
Okay. And the next question is from Teoslav1, and he's asking directly to you, what made you go into triaging instead of auditing or bounty hunting full

Adrian Hetman's Career Path

00:41:40
Speaker
time? How the heck did you end up where you are?
00:41:42
Speaker
Okay, so that's a fun story. So generally, my story in crypto started in 2016. I'll tell you, before that, of course, I learned about Bitcoin. Yeah, I got interested in Bitcoin, what crypto was all about, but quickly realized that, okay, Bitcoin is cool, but what's really cool is actually the blockchain.
00:42:13
Speaker
Bitcoin is just like a first implementation of the blockchain. So I started reading about that. And I did some tinkering at work at the time, because I was working at BAE Systems.
00:42:25
Speaker
Then I was able to do some internal project regarding Bitcoin. Later, I had some different, I feel like, cool ideas of how we can utilize blockchain technology internally
00:42:40
Speaker
for just tracking of some documentation of different vehicles, things like that, that needed to be constantly repaired. That would speed up things quite a lot.
00:42:54
Speaker
But that idea failed because somebody didn't understand everything. So at that time I was like, OK, let me go look for something else where I can actually look into blockchain full-time. That was during the ICO boom, so I was going into the Solidity side of things, writing ICO contracts, ERC20 contracts, for different projects, working at a software house. But after that I wanted to do more than just ICO contracts, because you can
00:43:32
Speaker
What can you do really with those? Not much. But I still got my first experience with Solidity there. And I was looking at many rug pulls at the time. I was like, OK, I start to be more conscious regarding the security side of things. I was always interested in security. I mean, as a kid, I loved just hacking my consoles. I remember just getting my PlayStation Portable and getting to know how I can install homebrew on that.
00:44:04
Speaker
Luckily, at the time, I had Grand Theft Auto Liberty City Stories, which was needed to actually hack the console, because they had a bug in how the game was loading and you could actually take over that. And it was really cool stuff. So I was always interested in tinkering with stuff.
00:44:26
Speaker
And with smart contracts and how much money was at stake, I got curious about that. Before I actually managed to start as an auditor, because I was working as an auditor for over a year, I was working on one DeFi protocol, working on one blockchain protocol, just dipping my toes into different aspects of blockchain technologies. But after, I mean, when I was working as an auditor at CertiK, by the way,
00:45:01
Speaker
I started to write more on my blog, really, because I had a challenge of writing daily for 100 days, and I managed to do that.
00:45:13
Speaker
And in the process of that, I was looking at the current hacks that were happening, because I also wanted to learn more for my own sake so I can become a better auditor.
00:45:24
Speaker
And at the time, Mitchell noticed me on Twitter and asked me, like, hey, maybe we can get on a call. And I did.
00:45:35
Speaker
And the rest is history. Here I am. I started as a triager and I'm currently running the team, and I really couldn't be happier.
00:45:48
Speaker
And you've revealed something that people might view positively or negatively when you said the word CertiK. I know. I know. I was prepared for that. But listen, CertiK, it's a company. It has its flaws, whatever. But I will say that the early reports are very good.
00:46:08
Speaker
They're very good. I don't believe it's a scam from this and that. They may have changed their strategy to something different, but in the beginning, at least, I've read a lot of CertiK reports, and they're very in-depth. They're very good. So yeah, there is a chance that you probably read some of my reports. I mean, right now, something that...
00:46:26
Speaker
hurts me still is they removed the names from the reports to be more unified as coming from CertiK, not particular auditors, but yeah.
00:46:38
Speaker
That's not cool, because if you want to do something else, it's good to show that body of work that, hey, look, I did this, this, this. Yeah. But I learned a lot at CertiK. I mean, without CertiK, I wouldn't be here. So I know what's the
00:46:57
Speaker
view of CertiK right now. And I knew how CertiK was viewed back in the days. I mean, like 2020, 2021, when I was working there, it was much better than it is right now. And I feel like CertiK is changing some things and they're more listening to the community, which is great.
00:47:16
Speaker
But I had a great team back then. I learned a lot from them, and I truly wouldn't be here if it wasn't for CertiK. So there you go. Salute to old school CertiK. Yeah, I liked your blog too, because I'm doing writing now with my Substack and just putting some security stuff out there, and I took a look at yours, and I liked a couple. You had one that was called The Weight of an Open Tab, and the other one you have, When Your Mind Stays in the Office.

Balancing Work and Wellbeing

00:47:48
Speaker
And man, how relevant is that? Basically you were saying that just these things that kind of stick around in your mind, that you don't realize they're in your mind, and you're trying to do things offline, trying to be in real life, and you're still thinking about them, tasks you have to do.
00:48:07
Speaker
And you don't think about how it affects you. And this could be in any role, security researcher, you know, doing what you're doing, any job, but you don't think about it until you really think about it.
00:48:18
Speaker
And then you take that off your mind and you just get a wave of relief. Oh, I agree. I mean, I changed the way I write, because there are so many more skilled technical writers than I am.
00:48:36
Speaker
And right now with one kid and a second one coming, I don't have that much time. And also I like to
00:48:47
Speaker
just get away from socials and any technology in my free time, just enjoy a book. And I noticed how big of a difference that actually made. Also positive on my current work.
00:48:58
Speaker
And I thought, like, hey, I mean, security researchers are doing exactly, and needing to hear exactly the same things, because I've been talking to different people, some close friends, some SRs who have been DMing me on Twitter, and helping them out.
00:49:15
Speaker
And yeah, I want to be more universal right now with those different articles, because it will also affect how you find bugs if you're constantly thinking about bug hunting, about some protocols. I mean, for some it works so good for them, but everyone needs a break. Everyone needs to actually declutter their mind, because the most deep thinking, the interesting thinking, happens when you're not doing work. That's why we have all those aha moments when, for example, we are taking a shower or doing something else, walking with the dog, going to the forest, or just enjoying nature, because
00:50:00
Speaker
The mind is constantly working. It may not be working actively on the issue that you may be having, but it will work in the background without you even noticing.
00:50:13
Speaker
And that is where the magic happens. And given that my audience is the majority 18 to 24, you're going to get a lot of guys rolling their eyes right now. Like, I don't need a break. Puffing on that vape, sucking down a Monster. I don't need a break.
00:50:30
Speaker
I can work 16 hours a day, sleep, wake up, do it again. And hey, I've been there. I get it. But you don't know until you know. Like, take a break.
00:50:41
Speaker
And all I'm saying is, like, you know, I have a couple of kids and a family and I like to do other things outside of just live on the fucking blockchain. And so, like, I just, who tweeted this, I swapped my phone for one of the e-ink phones.
00:50:57
Speaker
So it's really boring. So I don't reach for it. There's no X on there. I don't have social media, whatever. There's no real reason to use it. And then I have an Apple Watch strictly because it has a 4G antenna in there.
00:51:10
Speaker
So I use it when I go run and everything. But then I'll just take that as, like, my quasi phone. So I go out, it's on airplane mode, whatever. But then, hey, if I need to make a call to my wife, whatever, boom, I throw it on 4G, talk, turn it off.
00:51:25
Speaker
And then I don't have some stupid brick that I'm pulling out just from social anxiety, like every reason people pull the fucking phone out. It's like, I love just having that boredom and you're able to think, and you're back in the 90s, man. That's where it's at. Oh, I mean, that's great to hear. I mean, I've been writing a lot on my blog about journaling, because right now I'm at the stage where I'd rather pick up my Field Notes and write something there or think about, ruminate about anything that may be happening,
00:52:00
Speaker
either in life or at work, than grabbing my phone. Of course, I'm still not perfect at that. But yeah, I've been actually considering buying one of those e-ink phones and doing that.
00:52:13
Speaker
I actually swapped my Apple Watch for a mechanical watch, because I was tired of constant pings. That's what airplane mode's for, turn off all notifications. Yeah. Yeah, but I mean, being romantic about analog things and having an analog watch and just looking at it and knowing that it's only telling time,
00:52:36
Speaker
class is, like, nicely done, it has, like, a mechanical heart, then I know that it was made by humans. And with everything right now being AI, AI generated, it's like going back to those things that actually made us human and were made by humans is something that I do truly enjoy. I totally agree. I have a nice Breitling mechanical watch.
00:53:01
Speaker
I like to just pull that out sometimes. And I like going totally offline. You know, if you go to a place, say I'm traveling, go to a hotel, give me a whiskey neat.
00:53:12
Speaker
And you just have an analog watch on and you're not glancing at anything. You're striking up conversations with a bartender, whatever. And just living like that is great, man. Leave the phone in the hotel.
00:53:26
Speaker
Love it. Oh yeah, yeah. I mean, one of the books that I recently finished is Digital Minimalism by Cal Newport. And for anyone listening, especially those 18 to 24, give it a read.
00:53:40
Speaker
Give it a read. It might change how you think about technology and your relationship with technology. Second, I'm not saying you got to put it in a YouTube short form, though, or they're not gonna... They don't read, that's the problem. Yeah. But I mean, technology, of course, is important, and that's why I got into blockchain in the first place, because I got truly amazed by what you can do with crypto, with blockchain technology, democratizing everything.
00:54:12
Speaker
We kind of went sideways with that, but that's like another topic. But there are still some OGs out there who actually are fighting that battle. But also the use of social media, especially X, in terms of crypto. I mean,
00:54:29
Speaker
What I noticed and why I mostly stopped using Twitter was I got anxious about, oh my God, all those different people are doing all this cool stuff. They're finding those cool bugs, which I also see at work. And... Fear of missing out.
00:54:46
Speaker
Yeah, you're not missing out. Just do your thing, do it at your own pace. It's cool to hear sometimes stories that somebody was working 16, 20 hours a day, and they came from nothing, and within six months or nine months they just found a bag just using their phone, which is, like, a true story. Jesus.
00:55:13
Speaker
And like, oh my God, cool. It's amazing. I'm happy for you. But the question that you also need to ask yourself when thinking about such stuff, when you're romanticizing about, okay, I want to do this again: are you actually willing to swap lives with that person, with every up and down, not only looking at all the achievements but also all the struggles that that person had that actually led them to be able to push so hard to actually get this? Yeah, yeah. And don't compare yourself against other guys, especially not on the internet, which is worldwide. You're never going to be at the top.
00:55:54
Speaker
But just compare against your prior self, last month, last year. How are you doing now financially, knowledge-wise? And use that as your baseline, because, like, I'll tell you, like seeing White Mage come out with these massive seven-figure bounties.
00:56:10
Speaker
Everyone's like, oh, fuck. You know, everyone's like, man, I wish it was me. But at the same time, you're like, all you can do is congratulate, because, like, hey, man, the guy worked hard, a little luck thrown in. But hey, he did it.
00:56:21
Speaker
Awesome. That's all you can do. It's like when you transition from the mentality of someone's getting richer than me to, well, that doesn't really affect my earning potential at all. So who cares? Good for this guy.
00:56:34
Speaker
And just look at it like that. As soon as you change your mindset and just kind of focus on your past self and where you are now, you don't stress about it, because the recipe for disaster is a double espresso and maybe some nicotine. And then you get on X and you start scrolling through and you see people's trays, people's wins, this and that. And you just think there's no way I'm keeping up.
00:56:57
Speaker
And you'll just burn out with exhaustion. Yeah. True. Yeah. I mean, one thing that you said that I fully agree with is, like, always compare yourself to where you were a month ago, a week ago, a year ago,
00:57:16
Speaker
because then you will see some growth, and always focus on improving yourself and not comparing yourself to others. And the same goes with every bug report that also got rejected.
00:57:28
Speaker
If it got rejected because it was a duplicate, I mean, good for you. Man, you found something that was actually found by other people and got reported, because it was a valid vulnerability. I mean, you wish you actually found a valid vulnerability like six months ago.
00:57:43
Speaker
Now you're on that path. Now try to find something that actually is quite unique, but you're on a good path. There are all those different signals, and everything is telling you that you're currently doing great.
00:57:56
Speaker
You may not be getting paid yet for that, but actually you already have the skill sets to find some live vulnerabilities. Let's dig more into that. And it's all about that mindset.
00:58:08
Speaker
Skill sets is one thing. Some people are more talented than others, but it's also all about the hard work and the mindset. And the proper hard work.
00:58:19
Speaker
That's it, man. Hard work. And we have to bounce now, because someone actually booked a podcast directly after this. I have to start in a few minutes. But Adrian, thank you for coming on. And everyone, we will see you next time on the blockchain.