Critical Thinking - Bug Bounty Podcast

Episode 48: MVH, DEFCON Black Badge, Googler - Sam Erb

Dec 7, 2023

Sam Erb, Google Security Engineer and DEFCON Black Badge winner, discusses the importance of understanding how systems work to find vulnerabilities, his engineering background influencing his hunting style and methodologies, his career development and work with Google, recent Google Vulnerability Programs, centralized management and control of API endpoints, exploring majors and career paths in security engineering and computer science, accessing open data and hosting, experience at Google and involvement in bug bounty program, hacking on Google and manipulating protobufs, discussion on Brand Indicators for Message Identification (BIMI) and abuse-related methodologies, and bug reports and prioritizing fixes.

01:36:45

Creator website

Episode guests

Sam Erb

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Understanding development and production environments is crucial for identifying vulnerabilities, and exploring the development environment and leveraging GitHub can provide valuable knowledge.

Balancing exhaustive testing with deep thinking about bugs can lead to better findings, as throwing every idea at a bug and understanding how the system works both have their merits.

Collaboration in bug hunting is important for sharing vulnerabilities, knowledge, and unique perspectives, but setting high expectations for oneself can also drive personal growth.

Balancing bug bounty with other responsibilities requires setting boundaries, saying no to certain opportunities, and focusing on personal growth rather than the monetary aspect.

Deep dives

Finding vulnerabilities in development and production environments

Sam Erb emphasizes the importance of understanding development and production environments to identify vulnerabilities. He recommends exploring the development environment, searching for origin servers, and leveraging GitHub to find knowledge and vulnerabilities.

Introduction

2min

Going Deep: A Hacker's Approach

16min

Centralized Management and Control of API Endpoints

28min

Exploring Majors and Career Paths in Security Engineering and Computer Science

14min

Accessing Open Data and Hosting

9min

Experience at Google and Involvement in Bug Bounty Program

2min

Hacking on Google and Manipulating Protobufs

10min

Discussion on Brand Indicators for Message Identification (BIMI) and Abuse-Related Methodologies

2min

Bug Reports and Prioritizing Fixes

14min

Episode 48: In this episode, joined by the spectacular Sam Erb, Google Security Engineer and DEFCON Black Badge winner. We talk about the importance of understanding how systems work to find vulnerabilities, and how his engineering background influences his hunting style and methodologies. Then we jump over to his Career Development and his work with Google, and then chat about some of the recent Google Vulnerability Programs.

This episode is sponsored by Wordfence! Wordfence recently launched a game-changer of a bug bounty program with ALL WordPress plugins over 50k installs are in-scope. They are currently paying 6.25x their normal bounty amounts, and have agreed to give CT listeners a 10% bonus on top of that! Head over to https://ctbb.show/wf for more info and keep an eye on the CTBB Discord for inspiration/collabs.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

—— Links ——

Follow your hosts Rhynorater & Teknogeek on twitter:

—— Ways to Support CTBBPodcast ——

Hop on the CTBB Discord

Discord premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest:

https://twitter.com/erbbysam

Sam Erbs Static Secret

Security Now Podcast

BIMI: