by Calder White

I was just a 15 year old kid dreaming about security research. Then I uncovered my first exploit.

Since I was young, I always had dreams. One was to go to Hack the North (the largest hackathon in Canada), which I achieved this previous September. It surpassed my wildest dreams. My team even won an API prize from eSentire.

Minutes after finding out we won.

But the point of my story isn’t that I went to some hackathon and won some prize. The point is that I accomplished something that I thought was completely beyond my abilities.

Do you know that feeling? “Yes, I know that there are people out there who can pull that off. But only people with years of experience at [skill].”

Well that was me 3 years ago, when I started out programming.

I thought the idea of making a computer do something was pretty cool. It never crossed my mind that one day I would do anything amazing with it.

In fact, I told myself over and over that all the things I was building had already been done before. That the value in this process was just in me gaining experience from recreating it.

Well, winning a prize at Hack the North broke my self-suppressing chains. No — it ripped them off completely. I was ready to do anything.

Another dream I had, though much smaller: obtaining a GitHub hoodie.

I’d always admired GitHub as a company, and thought it would be so badass to wear a hoodie from them.

2 months later, I was at a low point, stuck in my work. I remembered this GitHub hoodie dream of mine.

The issue was, I couldn’t just buy the hoodie. How could I wear something that implied so much skill while having just used money to purchase it? I hadn’t earned it, but I wanted it.

I thought of a couple of ways I could earn it. Maybe a hackathon that GitHub sponsored, like GitHub Game Off. But they all had too many variables.

Then I remembered hearing about their bug bounty program. When I heard about it, though, I dismissed it. I thought, “that’s far too advanced for me.”

Well not anymore. It was time to get to work.

Let’s Get Hacking!

I was really pretty clueless poking around their website. After all, this was my first time attempting to hack a website.

I finally landed on GitHub’s issue system. I already knew that they parsed your comments with their own markdown parser. And with that, I had found my vector of attack. After 6 hours of work, I found a vulnerability far from serious, but good enough to try submitting.

It was a little scary, as you can only submit 5 bugs as a new user, and then you’re toast. I went through HackerOne’s submission process, something I had never even heard of up until this point.

The Response

2 weeks later it was accepted. Sort of.

The exploit was extremely low risk, but GitHub still offered to send swag and pay me. Because of HackerOne’s Hack the World event, I also got unlimited private repositories for life and double points on HackerOne!

Though the hack may have been low risk, and I have personally done much larger projects and better defining competitions, I still consider this a milestone in my career as a developer.

It didn’t matter what I looked like or how young I was. What mattered was my experience in software. And I hope that will always be the case.

I bought my hoodie with a portion of the GitHub money, and I now wear it with pride as I crusade across other websites searching for my next hack.