In the past few years, especially the last decade, the real major hero are the guys in the chair. They’re as much the heroes as the ones in capes or tuxedoes who they help from the shadows. These guys in chairs protect the general public from getting their accounts hacked, their money stolen, or their computers controlled. They also look for bugs is the software we use to help fill any holes in security. Let’s get to know some of these Top Bug Bounty Hackers in 2022.
These days, major companies, tech or otherwise need to be on the lookout for security breaches and functional errors in their software. Patching holes in security increases public trust in these companies, especially those that deal in finances. Fixing functional errors increases these companies’ efficiency which is highly important in their respective competitive landscapes.
Companies thus look for special individuals to rid their software of issues that affect usage and security. These heroes are often unnamed thus unsung. But if you know at least a little about the following Top Bug Bounty Hackers in 2022, you can sing them some praises and they can continue to do their work. This little list won’t be in order as it could be a little subjective as they probably have more on their belts than what they did just last year.
Let’s begin with security researcher satya0x. He discovered a vulnerability in the crypto platform Wormhole, which is a core bridge contract for Ethereum and other cryptocurrencies. By discovering this breach, satya0x exposed the potential that the Ethereum Wormhole bridge could be bricked, and all the funds residing in that contract lost forever. Because the discovery is so massive, satya0x earned a $10 million bug bounty which is so far the highest bounty ever rewarded.
gzobqq won a massive $605,000 reward from Google after discovering a five-bug chain within the company’s Android operating system. He also discovered other vulnerabilities in Android the previous year also earning him a substantial award. Speaking of Google, they also rewarded researcher Rory McNamara who they recognized as the highest-awarded researcher of all time in the Chrome vulnerability reward program after discovering 40 impactful vulnerabilities within Chrome.
Next is a researcher who just goes by Chim, who managed to discover and easily execute an improper input validation attack on the Samsung Galaxy S22 flagship phone and earned a bounty of $25,000 and 5 Master of Pwn points. Of course, after this, Samsung will issue a security update and Samsung Galaxy phone users can sleep better at night.
At another Pwn2Own event, this time in Miami, researchers Daan Keuper (@daankeuper) and Thijs Alkemade (@xnyhps) won $90K cash for discovering exploits in industrial control systems. While these systems are less mainstream, they’re no less important as problems in such systems can result in halts in production and affect the economy of a small to large region.
This time, we’ll acknowledge a team of researchers from DEVCORE who discovered and successfully executed two different Stack-based buffer overflow attacks against a Mikrotik router and CANON printer. Both well-known consumer brands. DEVCORE earned a $100K cash bounty for this endeavor during the Pwn2Own Toronto 2022 event. This is followed by the Neodyme team who earned $50K after successfully attacking a NETGEAR router and an HP Printer, also major consumer brands.
Finally, we have independent researcher @bl4sty aka Peter Geissler who published a chain of vulnerabilities in Lexmark’s printers that affect over 100 printer models. He’s a sort of anti-hero for doing so as he released these vulnerabilities in the wild to spur Lexmark into taking immediate action instead of him withholding the information until he’s paid the paltry sum being offered by Lexmark.
He chose to ignore the payment completely and just did what he had to do. Lexmark quickly issued patches to correct these vulnerabilities he discovered during the Pwn2Own Toronto 2022 event. Some of these vulnerabilities he didn’t manage to crack within the allotted time period. Suffice to say he didn’t earn much for this efforts, but the public is a bit safer.
Well, these guys in their chairs don’t exactly operate in a dark basement. Their bounties can provide them with all the light they need and more, while working independently or for their respective security companies. They discover vulnerabilities from their offices or during bug bounty events. Wherever or however, they work, these unsung heroes make the world safer, but actually get paid. What could be better?