March 26, 2026

Episode 167: Stealing Bugs with Valeriy Shevchenko

Critical Thinking - Bug Bounty Podcast

Episode 167: In this episode of Critical Thinking - Bug Bounty Podcast we welcome Valeriy Shevchenko to talk about program management, anchor programs, and Theft in Bug Bounty.

Follow us on twitter at: https://x.com/ctbbpodcast

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

Critical Research Lab:

https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: Check out ThreatLocker Ringfencing

https://www.criticalthinkingpodcast.io/tl-rf

Today’s Guest: https://x.com/Krevetk0Valeriy

====== This Week in Bug Bounty ======

HackerOne’s Bug Bounty Maturity Framework:

https://www.hackerone.com/blog/program-maturity-framework-bug-bounty-operations

Intigriti is hiring a Product Security Analyst

https://jobs.criticalthinkingpodcast.io/jobs/product-security-analyst-25ef4706

====== Resources ======

Valeriy’s Blog

https://krevetk0.medium.com/

====== Timestamps ======

(00:00:00) Introduction

(00:03:15) Valeriy's Bug story

(00:19:48) Anchor Programs and Bug Hunting Motivation

(00:29:50) Stealing Bugs

Title: Transcript - Thu, 26 Mar 2026 16:36:49 GMT
Date: Thu, 26 Mar 2026 16:36:49 GMT, Duration: [00:51:42.92]
[00:00:00.83] - Joseph Thacker
The words were also like, I did this research.

[00:00:04.11] - Valeriy Shevchenko
Yes.

[00:00:04.40] - Joseph Thacker
Not only was this person stealing your report, but they were also claiming to do research they didn't do.

[00:00:09.17] - Valeriy Shevchenko
That's hilarious. 

[00:00:31.03] - Justin Gardner
All right, y'all, we've talked about ThreatLocker Ring Fencing a lot. We know how it allows you to set ACLs and policies for exactly what an application is allowed to do in your network. But today I'm gonna tell you how it does that, okay? Three technologies: mini-filter drivers, Windows Filtering Platform, and Ex-version kernel notification routines. Mini-filter drivers are essentially a hook or callback for I/O requests, okay? So when you're trying to write or read from a file, you can create a hook with those and approve or deny based off of the ThreatLocker ACL. Windows Filtering Platform, similar situation but for connect-bind requests, right? You can say, "Okay, hey, is this process allowed to talk to port 443 over there on the internet? Yes or no? Approve or deny." Lastly, you've got Ex-version kernel notification routines. The Ex version's important because it allows you to approve or deny versus just getting a notification from the kernel. And this is specific for hooking various native API calls like NtCreateUserProcess, which is what you would use to, like, spin up PowerShell.exe or something like that. Okay, so those three are very useful to ThreatLocker's ring-fencing core technology. Hope you enjoyed learning how this is implemented. Check out ThreatLocker if you think your work could benefit from something like that. All right, let's go back to the show. What's up, hackers? We got the This Week in Bug Bounty segment where we do rapid-fire news. This week we've got two entries. One is the Bug Bounty Maturity Framework from HackerOne, which is not the Bug Bounty Maturity Framework we mentioned last week, which is from Steve Hernandez. So don't get those two confused. There's been a lot of chatter in the world right now about quantifying where you are if you're a bug bounty program manager and where your program is at, how it's performing. And this is another tool for that.
So HackerOne breaks this up into three maturity tiers, baseline, competitive, exemplary. And they put this together with feedback from HackerOne's advisory board and technical advisory board. Hacker Advisory Board and Technical Advisory Board. So really good to see. Hopefully we'll see programs starting to look at these frameworks and getting clear steps for improving their program, whether they use the HackerOne maturity framework or the Bug Bounty Maturity Framework that we mentioned last week. Next up is a job posting actually on our job site. You can find that at jobs.ctbb.show. And this is a posting for a product security analyst by Intigriti. So if you're looking to hop in with the platform, it's fully, you know, remote friendly. So that's great to see. And it's a great way for you to get integrated with the community at large if you're looking for a position. All right. That's it. Let's go to the show.

[00:03:08.68] - Joseph Thacker
Hey, what's up, everyone? Today I'm here with our guest, Valeriy. We've got a couple of cool things to talk about, but he is a longtime hacker and I'm going to make him jump straight into a bug before I introduce him. But yeah. So what bug did you bring us?

[00:03:25.21] - Valeriy Shevchenko
Actually, when you mentioned that I need to bring something, I was like really like shocked because that came to my desk 30 minutes before the podcast almost. And I was like, okay, like what can I share? Like I have tons of things and usually it's like really interesting things. I don't waste my time on average like findings like medium. I usually do something really extreme exciting and yeah, that cannot be duplicated from somebody. So the first thing that came to my mind was the issue when I discovered that the company. So that's the field of the acquisition, when the company have the wide scope range and they're okay if you hack them through the acquired assets. And there is a few programs in Hackathon especially where you can do these things. In other places you might be really in trouble, I would say. Um, so yeah, think twice before making this. And so I did the, the kind of the recon. I did the investigation of what the company is planning to acquire, and I did kind of the preparation of that possible acquisition. So I discovered the company itself wasn't acquired yet, and it was announced in the news, but the legal part of the acquisition, like, wasn't happened before. So I did the preparation and accidentally discovered an issue with the Node.js path traversal to the server, like, information. And I was like, okay, like, that's interesting. I cannot submit this right now. And it's kind of like not really exciting finding because I cannot escalate it to something critical. And I was like, I just waited with my, like, notes for the final part of the acquisition process. And when it happened before the, before the day of the finals, they— I checked the bug. The bug was legit. It worked well. And I did the screenshots and I was like, in the way of making the screenshots, I was like, what if I can escalate it to something? Because somebody can ask me like, what if, like, what does it mean for us? Like, what does it mean for us as a business? 
Like, what is the risk? And I usually like to expose the risk immediately, like without arguing. That's like, you know, that's a server side. It should be like legit. It should be rated as a high or even critical. I didn't like to play this game. I just straightforward with the business risks. So I checked the environment variables, self in the rerun and other files where the environment variables could be placed. And I discovered one place where it was some AWS credentials and other interesting stuff. So the next day the acquisition happened and I was like, okay, let me report this finally because it's kind of prepared, it's working well. And when I did the replication of the steps, I realized that the server doesn't work at all. Like it's completely shut down. I was like, damn, like, and the possible bounty of that story was from $10,000 to $12,000. I was like, damn, like the issue just burned to ashes. Like, what can I do with this? But I was like kind of lucky and smart at the same time. I checked the screenshot that I made and I checked the credentials that I took from the screenshots and from the screenshot with this heavily long like AWS credentials, I replicate to my CLI and validate those credentials. And the credentials was legit. And it was like, okay, they weren't, they weren't expired yet. They wasn't expired. They wasn't rotated. Even it was like the server was like shut down. It was the credentials for the core system that was most probably acquired from the company itself. And it worked like to the access to the database, to the AWS, etc. I was like, okay, like as Jason Haddix says, like there is no places where just the finding could be like legit for a very long period of time. It could be legit as like as a short term as well. So that was like the brilliant example when you can find something. It was like, like really working well for a few seconds. Maybe you did the screenshot and the rest is like, is like nothing happened extra later. 
So I did the validation part, I did the screenshots, and the triager asked me like, dude, like, it doesn't work. Like, and I was like, you know, but the part of the credential still working, and it's still like important to investigate that story fully because that was exposed, that was the evidence of the exposure, the credentials work well, it is still working, I have still access to the database, like you need to do something with this, right? So they acknowledged that fact, I would say. And yeah, the issue was accepted and paid well, like $12,000 or maybe $10,500. Yeah. And I was like really amazed of that. And I use this as great evidence. If somebody asking me like, you know, it doesn't work right now, but if it was legit before and if the credentials was legit, if the exposure was legit, like, it doesn't matter, I would say. And I even did the article on Medium and it became viral, I would say. And I just, I used this like very, very like hype words in the title saying like 10K for the vulnerability that doesn't exist. Yeah, so that was the story. And another, yeah, yeah.

[00:08:50.86] - Joseph Thacker
I think that, well, I just love that that's such a like, a key example of why you really have to document everything. I try to tell new hunters all the time because a lot of people get frustrated with triage not being able to replicate things or, you know, things going down. Because right now especially, there's like some really long triage times. Oh, and even if there is fast triage, by the time it gets to the program, it feels like it's a lot longer. I think AI is impacting that a little bit, but a video POC is just like the best thing you can do because one, you can prove it was working 2, you can obviously pause it frame by frame for any like thing that's exposed or any data that you've exposed. You know, you, you still have usually the requests and responses inside of Kaido or inside of Burp. And so yeah, I think it's like really important that you document your findings because like you said, those credentials were active and exposed and they have no idea until they go and do the actual incident response or, you know, look into who accessed it and how, you know, whether they need to rotate it or not.

[00:09:48.95] - Valeriy Shevchenko
Let me add something to that story. I think the newbies that is coming to this field, they don't know how the process should look like from the company perspective. And as a security engineer on my full-time work, I understand this and I learned that's like attack surface, the investigation part, what should be investigated and when and how. And like I use this knowledge against other companies, I would say, as a bug hunter because I knew, okay, that was critical, that was exposure. You need to investigate this. You can't deny on this. So yeah.

[00:10:21.22] - Joseph Thacker
Yeah, that's true. And honestly, I mean, you can actually legitimately even just say that in your reports, like, hey, I manage other programs. I know how this works. You all need to dig into this and do an incident or do a response into figure out, you know, was this accessed by external entities? How many people had access? How long was it exposed? Like that sort of thing. Yeah. So I know that you— I told— whenever I mentioned this, you said you had several that came to mind. Do you want to mention one more bug before we move on?

[00:10:50.62] - Valeriy Shevchenko
Yeah. Yeah. The second one is also, like, nice. And I can even reference the previous guests from the podcast. Matthias Karlsson was on the podcast some years ago, I think. Right. He just came back from his retirement and he was in the podcast and he shared kind of cool stuff that is underrated, I would say. So he, he said when you open the Burp and when you work with the scope items, everything that is in your Burp history might be the scope items as well, even if it's not really listed well in the scope surface and the scope list. And if the company itself, if the program itself is kind of okay-ish to have like interesting parts discovered here and there, you might work with this broad, really, attack surface to discover very just, just, just the full and interesting parts and stuff. So the story happened pretty much the same with me. I did the investigation, I did the research for one of the companies from the Hackathon platform, and I, I was familiar with the platform, with the program. I really recognized that they really appreciate my effort. By bringing attention to the critical things. And I was like, okay, like, let me go deeper. Like, what if I'll do something extra? So I did, like, I processed— I don't want to expose the name of the organization and the technical part, but I did the process as a user. Like, I did something as a user, and I realized that in one page there was the terms and conditions link. And the link was really different what I saw from the name of the URL. That was the link to some agency, I would say. And I was like, hold on, like, I'm doing this stuff for that organization and it should— in the text itself, it's the text from that organization kind of. But the link is from the other domain like that is, that is not really connected from the WHOIS. You cannot like differentiate Like you can literally differentiate it. It's a different organization. And I was like, what if this agency worked for that company and do something for them? 
Like literally. And I did this like with the products that they offer. And I was like, okay, let me check this agency slightly without digging too deep, without breaking some rules and like making me like harmful as a hacker. So I checked, I did the basic recon and I discovered the Symfony debug mode enabled. And from the Symfony, I was able to go deeper to the environment variables for the PHP info of that application. And in the PHP info, it was the credentials to something else. And I was like, hold on, like, I'm not really sure that I'm hacking the right way. Like, what if I will break the rules? And yeah, the terms of the usage of that service. And I checked one more thing before going deeper. I checked another place where the log file was exposed, and the log file in another domain of that organization says— like, the log file itself was like kind of useless. You cannot do anything with this. But the log file literally says how they're working with the organization that I used before. They're like doing some kind of content management, I would say, doing some like upload files, etc. I was like, okay, that's legit. That organization connected to the production where I just saw that link. So I checked the credentials. It gave me the access to the WordPress admin panel where they're doing this management part for that organization. And I was able as a user with these credentials to change the content of that first organization.

[00:14:49.35] - Joseph Thacker
Yeah.

[00:14:50.04] - Valeriy Shevchenko
And I was like, okay, that's, that's like, that's kind of dumb, but it's interesting because I was able to change anything with the stored XSS, with the content itself. And I was like, what if they do this as well on the main domain? Because I discovered that from the organizational one. And what if the, the main organization have this in the main domain, right? So I checked and I found the, the, the path with the login to the WordPress and I reused these credentials to get into the main domain of that organization and it worked well. So the suppliers did their work but they did that work not really smart enough to use different credentials for the different environments, for the different applications. And yeah, I was able to jump so far out of scope to bring the items from the out of scope to the in scope and it was so heavy. Organization just immediately broke the application itself, stopped that service, changed everything. But the fun part is, that's a legit story when the supplier can hit you hardly. And you should, as an organization, you should do your own due diligence before working with this organization, right? Another part that is really interesting for me was that WordPress admin was on a very well-known brand. And if I will tell you like later after the podcast saying like, look, I got the admin access of the WordPress of that organization, you might be very surprised saying like, no way they have WordPress on the main domain. But the story is they're doing the microservices integration from the, from the all domains to the main domain through their proxy and you see like kind of the link, but technically that's a proxy embedding the content from the different domain and from the different, like really like scope of the domains with the applications, with the technologies. And as I said before, like Matthias Panse was kind of smart saying like that's might be your scope items itself by crawling the application. So that might happen.
And for me, from that story, it's kind of the question every time when the triage is saying like, look, guy, that's not listed in the scope, right? But with this complex situation, when everybody might work with different microservices, with integrations, with the proxies, how can you say if it's legit or not? You can only guess, I think. Yeah. But that story is really like— important to mention once again, like, don't go too deep before doing something. You should summarize and think twice before kind of breaking the rules, I would say.

[00:17:43.08] - Joseph Thacker
Yeah, yeah. No, I think the fact that you found that log file is hilarious and cool because you basically were able to know for a fact that they were using this provider for their third-party management of their CMS or whatever it was. But yeah, no, it also reminds me I had a very, very similar finding actually. Um, I was working with Eric, uh, todayisnew, and he had found like a leaked Google Doc, like Google Drive or like Google Sheets link that had a whole bunch of like hardcoded usernames and passwords, um, for a bunch of Drupal websites. And it was the same exact thing. A major company had hired, uh, you know, some sort of like content or marketing firm to basically manage all of their Drupal instances. And so then they had just put all these username and passwords for all of those Drupal websites, which were in scope. You know, like the, the company that we reported this to was like, you know, star.example.com. And this was a whole bunch of like marketing pages for that, that were on that domain. And so it was in scope, but basically the third-party marketing company had exposed all of those credentials and you could just straight up log in and then use the Drupal. Um, there's like a, in some Drupal instances, you can just get RCE immediately on the server. And so it was like, I don't know, it was like, it was like RCE across a bunch of different sites. Um, and I absolutely think that what you reported was in scope, right? I mean, you could manage the content for that main thing. And I'm not surprised at all that they— you were using WordPress under the hood, because I'm sure you see this all the time. Whenever I'm looking at major companies, it feels like 90% of them somehow have like Adobe AEM that like tied in with a bunch of other microservices on their main domain. It seems like so many companies, even though under the hood it's like also a Next.js app or something else.
They're still like— all the content seems to like come from like all of the static resources still somehow route through AEM. Like, that's true for LinkedIn, which is like super weird, right? It's like a large company, you would think they would have their own thing. Um, so it doesn't surprise me at all that they were using WordPress under the hood. Now that's a really— that's a really cool finding, man.

[00:19:50.45] - Valeriy Shevchenko
Appreciate it.

[00:19:51.56] - Joseph Thacker
All right, so one thing I wanted to mention here was, um, also, do you pronounce your handle Krevetk0?

[00:19:57.55] - Valeriy Shevchenko
Yeah, that's right.

[00:19:59.19] - Joseph Thacker
Okay, cool. Yeah, so, um, his handle is Krevetk0. Um, so on X he's Krevetk0Valeriy. And anyways, we'll put the links in the show notes. But his, uh, his stats, just in case anybody's wondering, just over the last 90 days on HackerOne are a 7.0 signal and a 41 impact score, which is in the 98th percentile. So like he said, he's basically only reporting highs and criticals. So yeah, I had a question. Do you farm a specific program? Like, do you have some anchor programs or do you kind of like just look across a bunch of different stuff? Like, what's your game plan when it comes to doing bug bounty? Because obviously you have a full-time job as a program manager as well.

[00:20:36.23] - Valeriy Shevchenko
Yeah, actually the statistics might be greater because the program where I did this cool stuff just made the pause saying we have too much to make. That's the very big technical backlog. So we are pausing the entire program because kind of me maybe and other hackers that were there. So yeah, and I have a few things in my draft. So when they will come back to the program and unpause this, I have something to surprise them.

[00:21:04.94] - Joseph Thacker
Actually, let me comment right there. It feels to me like that's a second indicator of you being very prepared. So like, you know, if I'm being honest, I think, you know, all of us have heuristics for things. And I think that like my heuristic for understanding who you are as a hacker, the fact that one, you were like prepping for the acquisition and then the fact that here you have— you literally have draft reports ready to submit makes me like see how like how prepared you are basically. Like, you know what I mean? As a hacker, you are optimizing. And I think this is really key because, like, you know, in my personal success, when I first got started, the only way I was able to find bugs in this, like, sea of people who are much more talented was by being, like, slightly faster than them, right? The instant I would get a new invite, I would just, like, hack on it for 2 hours and, like, run all the things and try to get a report in because I knew I wasn't smarter than a lot of the hackers at that point in time. And so I knew I had to win by speed. And so it feels like you are, you know, kind of optimizing in a similar way, and it comes through like you basically being prepared, which is really cool.

[00:22:10.50] - Valeriy Shevchenko
I would say controversial. I'm kind of lazy and I'm doing my homework just to have my time and my like rest time on my sofa. So I'm doing this homework. Yeah, just to save my time in the future. But that's never-ending story. I'm working, working, working. Yeah. It might feel like I'm really concentrated and prepared, but technically when I'm getting some results, financial results for the year or like statistics results from the reputation score, I'm kind of trying to be chill. Like usually it happens from August or from September, like when all goals that I put on my desk achieved. And I was like, okay, like let's do some fun stuff like riding snowboard, riding the surfboard, anything I want. Yeah, without focusing on security especially. Yeah. So let me go back to my question.

[00:23:04.57] - Joseph Thacker
So did you say you do have anchor programs or how do you handle that?

[00:23:08.28] - Valeriy Shevchenko
Like, that's kind of the, my, like, I'm doing this first, first of all, I'm doing that part of hacking on that way because I just want to be with a high success rate of each submission. I didn't want to waste my time on the duplicates, on the questionable reports where the impact might be in question from the program management side. I do this specifically with the— yeah, as you said, with the highly critical. That's the statistics. When I'm doing this, I'm trying to find my passion. I can't like force myself to the specific direction, hacking to the Coinbase, hacking to the something like really hard programs where everybody was there, I would say. So I'm trying to find my passion first with the leaderboards of the private programs. Okay, I got the invitation to the private program. That private program is on the platform for at least 3 years already. Let's check who is in the leaderboard. Okay, Hamza. Okay, Justin. Let's beat that guys with the, with the findings, with the statistics. Uh, and that's kind of the part of the motivation from my side. How can I like, uh, stick on that program? Um, if the program was really old, I'm trying to check what the activity statistics was. Were there like really a lot of findings before or they just wasting the time on the contract paying to the hacker one without really profitable bugs? Because that might happen. So if I see this, I was like, okay, that's my time. Let's make the rock and roll. Let's surprise the program. And that happened a few times. Even my friend, he worked in one company and I got the invitation and the program was old. I was like, okay, like 'There is a guy, there is a Ben in the leaderboard. Let's do something interesting.' And I got the third place, I would say, in their entire leaderboard history. And a friend of mine once shared with me, not the private message, but the feedback from the development team when I discovered another critical finding. 
And I was like, okay, like the people really amazed of my work and it kind of fueled me to bring more. So I'm trying to work on the programs where I see that appreciation, I would say. Yeah. And when the company even commenting the findings with the human text that in our days it's rare, like usually they just use the predefined answers or AI responses. When I see the human interaction, I was like, okay, like, dude, like, that's amazing. Like, I would like to work with you more, so I'll submit more. Um, yeah, that's kind of the passion. And the biggest part is I want to have attachment to the well-known brands. So I'm choosing the programs where they connected to the health, to the connect— connected to the sport, connected to the finance. And like making the beer time with my friends, I could say, dude, like I just hacked them, like without exposing anything. I can like— sure.

[00:26:09.01] - Joseph Thacker
Yeah, of course. Yeah, that's really cool. Yeah, man, a couple of things there. One, I definitely agree. Like, when there is a human on the other side that I respect and like and can tell they like, like and respect me, like, I'm gonna throw out some random names, like Roy from John Deere and like Hugs for Bugs from Capital One. Like, when I see those things, like, I legitimately get way more excited and invested in actually hacking on them. I think it's funny that you, uh, that you use for motivation like bypassing other top hackers on the leaderboard for specific privates. I think that's a really, that's a really like, uh, cool, funny motivation. Um, in fact, I think you messaged me. I would love to, uh, for you to share just real quick what, uh, motivated you to get into bug bounty hunting, because I think it's cool, and just the way that like your little goals have like stacked up over time.

[00:26:55.36] - Valeriy Shevchenko
Yeah, that's true. Yeah, the fun part started like with the first submission to PayPal with my friend, and before that submission, I did the research for fun. Like, it was not my really like them and concentration. I did this for fun. I was like curious about how this stuff working, how this IoT device is working, how this web application is working when I'm using this web applications. And I practice kind of on the real targets. And one day the friend of mine mined a lot of submissions critical or the high with the great payouts on the PayPal. And I was like, okay, what that dude is doing? Like, I kind of knew him but not really well. Let's check like who is here, like what he's doing, like maybe to collaborate. And he knew me before from my social media activities, from Medium, from other places. And he was like, you know, dude, like I really trust you. Like what if you can like help me to make more stuff on that target that I hooked? And he shared with me the part of the target that where he mined the vulnerability before. It was like, 3 vulnerability reports with the CVE-9 on PayPal. And I was like, okay, like, that's interesting. Let me figure out what it is. And I realized that when he did the submission, they patched the submission not in the chain of the CVE. They patched this like with a specific chain that kind of breaking the CVE itself. So I found the bypass and we did it again together.

[00:28:32.32] - Joseph Thacker
Nice.

[00:28:33.10] - Valeriy Shevchenko
And my first bounty was $6K. Like, I was really amazed. That's lucky.

[00:28:39.77] - Joseph Thacker
That's insane. I would be curious to know what like most people's are. Mine was $750.

[00:28:45.95] - Valeriy Shevchenko
$750. Yeah. I wasn't really, literally, I might be happy with the $300, with the $200, but with the $6K, I was like, holy moly, like, what is going on? And that story—

[00:28:58.44] - Joseph Thacker
Did you have anybody in your life that was like shocked by that? Like, were you young and like told your parents or did you have a girlfriend that you told that was like mind blown?

[00:29:05.56] - Valeriy Shevchenko
No, I was like really like already kind of mature. I had a wife, we got a kid and I was like, you know, like I just saved our rental payments for the next like 4 months, 5 months. Wow. And I was like, like kind of that feeling of fresh air, like kind of spin that wheel. And I, from that time I started constantly spinning this wheel because of the gamification platform, I would say. Like you see this leaderboard, you see you see this statistic, you see that stick pictures, you're like, okay, like I was lazy on that month. Let me find something. And each month I'm doing this, like for how many years? I think more than 6, I think.

[00:29:53.56] - Joseph Thacker
All right, dude, thank you for all of the, all of the tips and all of the like insane bugs that you've already shared. But now I want to get to like the main reason we're bringing you on for our listeners. This is actually like really, really interesting to me because, well, first, let me, let me broach the topic. The topic is basically that Valeriy had some reports, research stolen through bug bounty. And I'm going to let him kind of lay it out here in a minute. But I think this is like very, very interesting because of the way that it happened. And, you know, we've known in the past, hey, if you submit a vulnerability through HackerOne, there's always like a tiny chance that hacker, like the HackerOne triage that sees it might take it. You know, HackerOne punishes that and is very serious about it. But there's always a chance. And then also we've seen examples of program managers or triagers for programs taking research and running with it. But this is kind of something that's neither one of those and it's pretty interesting. And so Valeriy, you actually, I'm going to stop calling you Valeriy. I'm going to start calling you hacker handle because I always like being called rez0 on here. So Krevetk0, you know, you reported a bug back in 2023 and it was more of like an entirely like new research attack vector that you're not really willing to share yet. But then tell us what happened. Kind of after that?

[00:31:10.18] - Valeriy Shevchenko
Yeah. Well, I think it's kind of important to share that it was the attack surface. Like, it was not the vulnerability. It was not the tiny vulnerability because I shared that story with my friend and the friend said, like, well, like, some people might steal your XSS attack payload. Like, why don't you, like, care about this? But at that time, it was the attack vector itself. And it was a harmful attack vector because before that, like it was 2021, I did the research and in 2023 I discovered that I might do even greater things with the different techniques and with the different technologies and the data.

[00:31:55.11] - Joseph Thacker
So this would be, this would be kind of like if someone found request smuggling kind of before, before someone else did and then was like using it on targets. It's like a new vulnerability class kind of.

[00:32:05.53] - Valeriy Shevchenko
Yeah, that was definitely the class. So I did the disclosure for a few programs just to verify my, my theory and how that happened and how impactful it is. And I still have this like classification in my HackerOne profile in the private where some money is accumulated to that classification, which is kind of interesting. So I did the verification for 10 maybe reports on the platform. Discussed that vulnerability, not the vulnerability, attack vector with one of the top HackerOne hackers. He's, I think, in the first 5 positions in the HackerOne leaderboard even on those days and even right now. So that's a trusted guy. And we discussed with him like about that, about the what can happen and how can we verify, how can we submit this. But submitting this at that time was kind of hard and you might be punished quite well. Like nobody noticed that it's like it's the, the problem itself, not just you doing something bad against other organizations. So yeah, the time's fine. I changed from that period a few places and I landed in an organization where we do our program management. Like we have the program, we have the scope, we have the applications. And I did this research against our own organization just to verify that we are kind of secure and did—

[00:33:37.76] - Joseph Thacker
Where you work?

[00:33:39.11] - Valeriy Shevchenko
I'm in Semrush. And you mentioned before the Semrush.

[00:33:42.66] - Joseph Thacker
No, no, no. I'm saying that that's where you did it. That's where you like right now, this part of the story, that's where you're saying you tested it internally.

[00:33:50.09] - Valeriy Shevchenko
Yeah, yeah, yeah. It was verified internally. So, and I even did a few talks within the organization saying like, look, that's the attack vector that is kind of bad and we need to make some like protection mechanisms in place. And we did this. I did the education part for the security team, for the employees, and we are kind of okay with this. And yeah, after the 3 years, I got the report from HackerOne and it started with the words and with the links as I did 3 years ago, like, like completely, like even like the commas, the, the, the words itself, like it's replicated 100%.

[00:34:39.42] - Joseph Thacker
And I was like, so just to clarify for the listeners, basically, Krevetko, 3 years ago, submits something to like 10 bug bounty platforms— or sorry, 10 bug bounty programs— like puts in like 10 reports. Then literally, like, was it a month ago or 2 months ago, for the program he manages, he receives a report that was word for word his, including comma for comma, period for period, uh, the thing that he had basically reported 3 years ago.

[00:35:06.96] - Valeriy Shevchenko
Yeah, and I was really sad because not that the attack surface, that attack vector was exposed. I think it's well known right now, like, and some people knew about this, some people knew about how it had happening and why it's so. But I was sad about that. The work I did, the words I placed word by word explaining everything with the link, with the reference about that, it leaked.

[00:35:34.03] - Joseph Thacker
And the words were also, sorry to cut you off. The words were also like, I did this research.

[00:35:40.67] - Valeriy Shevchenko
Yes.

[00:35:40.92] - Joseph Thacker
Not only was this person stealing your report, but they were also claiming to do research they didn't do.

[00:35:45.73] - Valeriy Shevchenko
That's hilarious. So I was like, kind of, okay, let's put away my emotion. Like, let's ask that guy as a program manager, where did you get this? Like, and ask him like, dude, where did you get this? And he like replied to me saying, oh, that's, that's the ChatGPT helped me with this. I was like, no way. Like, okay, let me try. If my research like 3 years ago linked to the LLM models with the word by word, and if they can give me back this, I can believe you, right? So I tried, I tried 10 times, nothing worked. I can't get back the same words as the guy did. So it was clearly like he got this from somewhere and I was really like, in a question again saying, dude, like, I knew that it's not ChatGPT. Like, share me like the story. And he was like—

[00:36:39.76] - Joseph Thacker
Did you say that at the end or did you reach out to HackerOne first? Like, how deep did you go questioning the reporter before you just went to HackerOne?

[00:36:50.19] - Valeriy Shevchenko
I didn't try to blame the hacker. I didn't try to make my own investigation against that guy. And I knew that that guy might be just the one guy. He might found that somewhere. And I checked his statistics. His statistics started like a year and a half. So it wasn't clear, like, was he the first one? So I immediately raised the mediation report to the HackerOne saying, look, like, that's the stolen research before and it was never published somewhere. And important part is I never published this on purpose because I was like afraid of magnitude of the problems that might happen with other organizations and companies if I will share this publicly.

[00:37:34.82] - Joseph Thacker
So I can bet that you, the way that you talked about it at your work, it sounds like it's kind of like not a super easy fix. Like you need to come up with some like mitigations or strategies for it, right?

[00:37:44.36] - Valeriy Shevchenko
Yeah, yeah, yeah. And if I will just expose this Pandora's box to everyone, yeah, I might be just the one, the first guy who will be on blame about that problem. On all of the companies around the world. I wasn't happy about this, so I kept that as a secret. So the guy replied to me back saying, no, no, like, that's 100% ChatGPT. I was like, dude, like, that's, that's horrible. Like, you're doing horrible things. You're stealing the word by word report, even started with like, I'm doing this research. Like, you never did this. Like, what are you talking about? So yeah, I shared all the things to the HackerOne and to my surprise, HackerOne did quite well investigation and I think I might say this, that they discovered multiple people use this as a template. They first said that it's a stolen template, but it's hard to say that it's just a template. It was like the pure research explained well. And like somebody who have zero clue about that might just replicate and get some money. Like it's not a template, it's kind of research. Yeah. So they did an investigation and they found that that might be leaked not from the HackerOne triage team, but could be leaked from the customers, I would say. Yeah, 100%. I'm not surprised about that. And could be leaked from the collaborators who joined the initial report because they submit the duplicate one. And that story is kind of shady and it's difficult to protect your intellectual property in that story. But it gave me some insights about that story as well. And I'm really curious and I'm really happy to share this with you because it might be important to other hackers like to think twice before making the report so much clear just to express someone, just to make some bonuses maybe for the very clear report. I don't know.
So yeah, the intellectual property might be exposed from the customers because I saw the organization when the— it was not my organization and it's not mine at that moment, but the friend organization was connected with a Slack channel to the HackerOne platform. So when the researchers submitting the finding, it's going to their Slack channel and that Slack channel was publicly accessible to all employees, not just for the security team. And you can't control managers from marketing team. You can't control, like, other people that have no idea what it is, but they just can copy this, right? They can think like, okay, that's interesting. Let me share this with my husband or with my friend, for example. Right. So you can't really control this and keep this as a secret. And yeah, the second part is when the collaborator joins the initial report because he made the submission as a duplicate, that collaborator can expose the changes that you made. Even if the final report might make quite well, but the technique might be exposed. And that's the part that is like extremely important. And I think that HackerOne shouldn't allow program managers and the triagers to allow to join the newcomers to the initial report without acceptance from the initial hacker. If the hacker is okay to share this, yeah, that's okay. If the hacker is not happy about this to share with everybody. Yeah, I think it shouldn't work like this. Like, because right now you can, you can put this guy to the main report and he can chase to something that was crucial for you.

[00:41:40.07] - Joseph Thacker
Yeah, yeah, exactly. Yeah, it's really weird. I feel like I've always been on the other side of it. Like, I, I don't know. I feel like my reports don't get duped on very much, but I've duped on other people's reports and I'm always frustrated. Like, just let me see the report because then I can verify if this is a real duplicate duplicate or not, right? Like, I want to be able to verify myself whether it's a duplicate. And then now all of a sudden, after the story, I'm like, oh, it makes so much sense why they don't just let people be joined. Because like, all of those people who, you know, get duped to it— one, if it— if their report wasn't a duplicate, they just got access to your report for no reason. And sometimes they are wrong, right? So maybe they got added to your report and you lost your intellectual property and they didn't even submit the same bug. It was some other random bug, right? But then even if they did submit something similar, they still get your full explanation, right? Maybe you're a much better report writer. Maybe you have other escalation paths in your report that they didn't have. And so anyways, now I'm very sympathetic to that. I still think, like you said, there should be some sort of a way to like request access to that first report. And if the first hacker doesn't care, then it's like, who cares? And I also think that HackerOne and other bug bounty programs should definitely allow the report title to often be like verified because sometimes that'll give you enough information to know if it's like actually a dupe or not. But yeah, I was thinking about this and I was chatting with AI about just like this whole situation and I feel like, you know, there's like a couple of takeaways. One is like you said, maybe don't over-detail your reports. 
You know, like you need to put enough details to replicate it, but maybe don't explain like, hey, I was doing this research and I found these other things because, you know, you might be giving away your thought process or more bugs than you even, you know, mean to. Another thing is like run exploits through like your server instead of third-party services, right? Like set up your own Burp collab, that sort of thing. Then yeah, definitely don't disclose— like don't automatically add dupe reporters to your thing. And then, um, one thing I don't know, uh, if you mentioned this or if it's something that like, uh, I wrote down, but, uh, I think it'd be kind of cool. And I think some people do do this, but just like have some sort of like watermark or hidden watermark in your reports.

[00:44:01.32] - Valeriy Shevchenko
Like, yeah, I mentioned this, uh, as a, like, as a final thoughts about that story in the HackerOne private channel, uh, saying, yeah, that's kind of the story why I would like to keep my secret as a secret without exposing the entire chain of like making the account, making some change of the bugs to be as an RCE because it's meant to be the code execution. So fix this. You shouldn't care about the part of the chain that I made or like some small part of the chains that is important for myself. Yeah, I saw, I even saw as a program manager when some people doing the vulnerability submission and they giving you the ability to replicate that complex bug through their own server without exposing the binaries, without exposing the process of making that exploit valid. Back on that time when I saw this, I was like, dude, why don't you share with me this? I need to replicate this. And now I was like, okay, that's the reason. I will do the same next. Yeah. Overdetailing the report, it might be like the problem in the future. And regarding the watermarks, like, I was such a lucky person to see my report after the 3 years word by word. But what if the guy was like a bit smart just to change the wordings, just to change everything? He found the attack vector, right? But he was smart to hide this, to make as his own. That dude wasn't smart. But in that story, I think in the, in the crucial words maybe, or in the crucial links or the part of the exploit, you might put something that can identify you as the owner of that information. Maybe putting some mistakes in the word, putting the words in a different language where you can verify that, okay, Google Translate, please translate this word and it's not translatable. Because the word, the letter in the middle is like from a different language. But after all, you might verify that. Okay, that's mine. And where did you get it? I have no idea. Let's figure out. So I think that watermarks kind of the, the, the important stuff.
And I even shared this idea with HackerOne because they should secure the reports from triagers as well. So yeah, yeah. The triage is also like the parts.

[00:46:32.07] - Joseph Thacker
I had two cool ways we could do that. One is like, uh, invisible Unicode tags, like the stuff that, you know, is kind of cool for AI. And then the other thing is like just zero-width characters. You could like, you know, pepper those in certain places. And then the other cool thing about it is like the bug bounty platforms should be able to like grep across or search across all reports for that string, just like to immediately know if it was used elsewhere, you know. I guess it would have to be like a super user who could do that because there's not very many people with access to every program. But, but yeah, that'd be really interesting. Did they tell you how many other companies they had reported it to or anything?

[00:47:08.59] - Valeriy Shevchenko
I knew the amount of the hackers that was identified with my template and it's more than 5 but less than 10. Wow. And I tried to push this story forward, saying, look, like, what if these guys might be discovered later in a live hacking event? And if they did that shitty things before, they might do this shitty things during the event. So I would like to have them like kind of punished, saying like, okay, they, they broke the rules of the code of conduct at least. So do something with this because, because of this, they will not be invited in the future. As HackerOne says, like they did this violation of the code of conduct for the hackers. So I'm okay with this. And that story might be the lesson for, for those who might have the intellectual property in their own screen and they're thinking about using this. Well, like some days it might be exposed and you will find yourself in a shitty situation and just measure your name and the profit that you might gain. Like that's question like and I will not do any dirty things against different interesting techniques because I do value my, my name. Like, I don't want to find myself in trouble in the future.

[00:48:26.13] - Joseph Thacker
Yeah, yeah, that's true. You know, it's kind of tough also. I'm not standing up for the, for the bad guys, but I like for the hackers that did that. But, you know, it's also one of those situations where maybe one or two of those first people that got access to it said like, this is my template. As they sent it to the second and third and fourth and fifth and sixth, you know. And so they feel like they have permission from the first person, but the first person actually stole it. You know, it's like, man, these sort of situations are really tough.

[00:48:56.38] - Valeriy Shevchenko
Yeah, that's true. But such an irony, like, seeing my report started with the same words as I did 3 years ago. I was like, such a joke.

[00:49:07.67] - Joseph Thacker
Oh yeah, seriously.

[00:49:10.17] - Valeriy Shevchenko
All right, dude.

[00:49:11.11] - Joseph Thacker
Well, we can wrap it here. I really, really appreciate you coming on. Did you have any other things that you wanted to mention or shout out, like either your company or your program or your socials or anything that you wanted to mention?

[00:49:23.17] - Valeriy Shevchenko
Oh yeah, we do the human validation on the HackerOne. We don't reply with the buzzwords, with the predefined templates, and we do the good investigation against each of the reports with the with the severity evaluation as well and with the business impact. So we are not really dumb. Me as a hacker, I treat other hackers as I want to be treated. So yeah, feel free to submit some bugs on the Semrush program. That's a public program on HackerOne. We do pay still quite well. We are kind of in the transition of the business transformations. Soon you'll find out, maybe later in the news. But so far we have a program, we do our security as best as possible. And yeah, if you find something cool and interesting and critical, or even if it's outside of the scope or even like at least connected to our brand and to our organization, we do evaluation. We don't like do that stuff as like other programs might, might make it seem like, okay, we have a scope that's out of scope, that's not counted, that's informative, that's not counted. We really value each report and trying to figure out, is it like impactful for the business? Do we need to pay for this or not? Yeah.

[00:50:40.75] - Joseph Thacker
Awesome. Well, thank you. Yeah. So go hack on, on Semrush. Go follow Krevetko on social. It's K-R-E-V-E-T-K-O and then his name, Valeriy. But you'll find it if you look it up. He's got lots of bug bounty followers, so it should pop up for you guys. Thank you so much for coming on today, brother.

[00:50:57.53] - Valeriy Shevchenko
Thank you for the invitation. It was a really amazing opportunity. I can't still imagine that you just invited me. Like, who am I? I'm just a random hacker.

[00:51:07.55] - Joseph Thacker
Justin said he wanted to have you on already in the past, so it's our pleasure. Appreciate it.

[00:51:12.84] - Valeriy Shevchenko
Thank you.

[00:51:13.48] - Justin Gardner
Peace.

[00:51:13.75] - Valeriy Shevchenko
Have a nice day.

[00:51:15.51] - Justin Gardner
And that's a wrap on this episode of Critical Thinking. Thanks so much for watching to the end, y'all. If you want more critical thinking content or if you want to support the show, head over to ctbb.show/discord. You can hop in the community. There's lots of great high-level hacking discussion happening there on top of masterclasses, hackalongs, exclusive content, and a full-time hunters guild if you're a full-time hunter. It's a great time, trust me. I'll see you there.