Our success relies on the efforts of our expert bughunters, and we like to profile them in order to get some tips, trick and cool stories.
Today’s profile is on Osanda Malith Jayathissa
Check out his Bugcrowd profile here : https://bugcrowd.com/Osanda_Malith/
How did you get into hunting bugs?
I’ve been in pen-testing for a couple of years, and only recently gotten into bug hunting. I’m currently a student at the Asia Pacific Institute of Information Technology (APIIT) in Sri Lanka.
How long have you been hunting bugs?
I started bug hunting a month ago back in August 2013. It was a cross site scripting issue in Adobe which I just found while I was browsing the website. After that through social media I got to know that there are so many application security researchers around the world. So one day I saw a tweet from another researcher re-tweeted by BugCrowd. On that day I got know about BugCrowd and their great service and support rendered to security researchers.
When I saw the list of hall of fames and the security policies published by BugCrowd I was surprised to see them and I started bug hunting as much as I could. Within a month I was able to report in more than 20 organizations around the world. I must be thankful to the BugCrowd team for their support and service.
Yes I’ve seen you on a few Halls of Fame. Amazing you have been able to achieve so much so quickly.
What is your most memorable bug so far?
My memorable bug was a DLL Hijacking vulnerability in a very famous application. It was so fun to learn and also it was the most powerful exploit which I’ve found so far. Soon the CVE would have been released.
Other than that mostly cross site scripting issues with filters which is very challenging to provide a proof of concept to the respective organizations. XSS is still my favorite bug to look for because it is possible to find them very often.
What do you like about bug bounties?
Well, yeah these bug bounties do a great work for security researchers and also gives us a chance to show our skills in an ethical manner. But to be honest I am eternally glad to help people to secure their organizations, their publicly facing websites and software. I really enjoy being honest and helpful.
It *is* a nice feeling knowing you are using your talents for good things 🙂
There are lots of bug bounties out there. If there was one thing you could suggest to improve the way bug bounties are run, what would it be?
I really love all the bug bounties and the responsible disclosure programs. I think every major organization and major websites where users interact a lot should have a responsible disclosure program, or some kind of bug bounty program, so they can secure their systems to a higher level. And they have the support of so many researchers to do it.
What methodology do you use when participating in a bug bounty?
Nothing specific, it is upon you and your talents. Always read the agreements carefully and don’t break any rules. And the more experience you have the more you can hunt.
And the more you will find.
Thanks Osanda, its great you’re a part of Bugcrowd.
Thank You Olivia for the interview. Glad to be a Bugcrowd Ninja 🙂
Wish you all Happy Bug Hunting!