Episode 104: In this episode of Critical Thinking - Bug Bounty Podcast, Justin reflects on the past year and walks through some of the bug bounty goals he had for 2024 and how he feels he did. Then he sets some goals for 2025 and shares some exciting CT news for the coming year.
Follow us on Twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Rez0 on X:
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Check out our new SWAG store at https://ctbb.show/swag!
Resources
CTBB Full Time Guild
Critical Research Lab
CT Episode 51 - 2024 Goals
https://www.criticalthinkingpodcast.io/episode-51-hacker-stats-2023-2024-goals/
Personal BB inventory and goals
Timestamps
(00:00:00) introduction
(00:00:57) Critical Thinking 2025 Announcements
(00:04:21) Personal Inventory of 2024
(00:24:05) Goals for 2025
Justin Gardner (00:00.578)
All right, sup y'all, it's your boy Rhynorater here on the solo episode. Now, I told myself this week that I was gonna take it easy, I was gonna do a short episode, but now I'm looking at this doc and that is probably not gonna be the case. And the reason for that is because one, I'm a long-winded guy. But for two, we have a lot of things we need to talk about for 2025 with Critical Thinking, okay? So first we're gonna hit you with a couple announcements and then I'm gonna give you a template for
how to evaluate your last year in Bug Bounty and how to set some goals for 2025. But first, let's get to those announcements. So Critical Thinking is gonna launch some cool shit in 2025, particularly in January, okay? So the first thing that I wanted to mention is that we are going to launch the Critical Thinking Full-Time Bug Bounty Hunters Guild, okay? And I'm not sure we're gonna call it that just yet. We're still kind of workshopping the idea, but since I'm...
I'm recording this earlier in December. I haven't got it fully completely worked out yet. But essentially what it's gonna be is a place where you apply as a full-time Bug Bounty Hunter. And if you're accepted into the community, which full-time Bug Bounty Hunters will, or people that make over $100,000 in Bug Bounty part-time, then you'll be granted access and you'll get access to a bunch of perks, a community, a sense of accountability. That's a big one right there.
A lot of hackers have expressed to me that they kind of miss the reality of having coworkers and having some sort of sense of accountability for their work. So this initiative is an attempt to fix that. There's gonna be a lot of other pieces to it as well. We're gonna put the details up for that on the website at ctbb.show slash ft for full time. ctbb.show slash ft.
So if you're interested in that, go ahead and check it out. But I'm pretty optimistic for it. I think it'll be really helpful. And I kind of need it myself because for me, just kind of sharing personally, looking at this past year, I've spent a lot of time doing critical thinking related stuff and other stuff. I had a bunch of personal stuff come up this year with becoming a father and a bunch of other things. But a lot of my time got taken away from hacking. And I think I need that sense of accountability that this group will offer.
Justin Gardner (02:16.878)
to make sure I'm staying on track and actually living the life that I wanna live as a hacker. So I think that'll be really helpful for a lot of people. Yeah, if you're interested, check it out, ctbb.show slash ft. Okay, second thing that we're releasing in 2025. I'm really excited for this one. This is the Critical Research Lab. So I was thinking back over all the Critical Thinking episodes that we've had, and I was reflecting on the ones that I liked the most. And the ones that I liked the most was when we were presenting original or like,
very newly released research, very granularly. And that just felt so good and felt so right. So I was like, okay, how can we do more of that? And the answer to that is to take away Justin's profits again from Critical Thinking and put that back into a research lab. So what we're gonna do is we're gonna select a set of researchers from the Bug Bounty community and give them a stipend for
doing research. It's probably not gonna be anything huge, but it's gonna be what we can do. And that stipend will hopefully help them mentally shift a little bit from like, I gotta do bug bounty or everything that I do in hacking should be directly financially related to, okay, I'm a researcher and I'm gonna try to do more research. And then when they're ready to release that research, whether it be something small or like a big presentation, then we're gonna do that through the podcast and through the blog. So we've already got some really big names that I'm really excited about
that have signed up for it. I'm gonna get everything signed and we'll put it up on the website. That'll be at ctbb.show slash c-r-l for critical research lab. Yeah, very excited for that. I think some amazing content's gonna come out of that in 2025, but I guess we'll see. Okay, cool. So now let's get into the content of this episode. What I wanted to talk about was my personal strategy for goals and a personal inventory of types
as a bug hunter looking at 2024 and then making goals for 2025. So let's go ahead and take a look at that. Well, okay, first, first, I should go back. We did an episode, episode 51 at the end of the year in 2023. And I just wanted to look back on that and kind of compare the statistics across the board and sort of do a check-in with how I did. And I probably should have done this quarterly.
Justin Gardner (04:37.71)
This is something that I think the full-time Bug Bounty Hunters Guild will help with. But looking back, I did all right on my goals. So let me go through the goals that I had for 2024. I had, I would like to do more research. And that is the one that I did not do, right? On top of doing Bug Bounty and critical thinking and everything. My time really did not get allocated to research this year, which is unfortunate. But that is something that I do want to change in 2025.
The next one on the list is accomplish badass stuff inside work hours. That was what I had. And I think I did a really good job of this year. As a full-time hunter, it's really easy to be at your computer constantly, but this year I think I did a particularly good job of working my eight hours or six hours or 12 hours, whatever I have allotted, and intentionally doing that, right? And then walking away at the end of the day. Much better than in previous years, which I think is a big improvement, quality of life for me.
and for my family. I had hack more IoT stuff or hardcore source code review. And I did not do as much IoT stuff as I would have liked, though I did do a little bit. And I did do hardcore source code review, which was awesome and generated one of my favorite moments of hacking in 2024. So I'll tell you a little bit about that in a second. But that one is a check for sure. I did get that one done. And then...
I had non-traditional automation, so in this one I was talking about JS monitoring and source code monitoring. I did get some personal tooling for that in place, but I did not utilize it to its full extent. So I give myself half credit on that one. And then lastly, I had influence tool creation in the community, and I think that is something that we definitely were able to do this year. Let me grab some water really.
I think that was definitely something that Joel and I accomplished this year. There were a lot of tools that came out of ideas that came from Critical Thinking. And man, I was so happy to see that because some really awesome stuff has been put out. Just off the top of my head, the 403 Bypasser, the Caido Notes app that Static Flow built, which has just totally changed my workflow. What else was there? I know there was a couple other ones. I didn't put them in the notes, but they'll probably come to me later.
Justin Gardner (06:59.17)
I'm just really excited about that possibility and the possibility to be able to share concepts with the community and then potentially have somebody build those. I think that'll be great. So overall, I'm hitting at like, what is that, like a three and a half out of five for 2024? Not the worst, not the best, but I think we can do better this year. Okay, so let's go look at sort of a personal inventory of 2024.
and then we'll move into 2025. Now, the template that I'm about to use, I will be sharing to you all. That will be on the blog. So you can go to ctbb.show slash blog and it should take you to the blog or just go to the website and click the blog button or hacker notes button. And there should be a template up there for this personal Bug Bounty Hunter inventory that I'm doing and then also a, like goals for
2025, how to set those goals. So just some questions to ask you to ask yourself, you know, some introspection to do, and that will hopefully help you identify what kind of hacker you want to be in 2025 and be sort of honest with yourself about what hacker you were in 2024, because to be honest I'm reading through some of these questions and I'm thinking back and I think there's some things that I need to change. So let's get to that. Okay, so 2024 bug bounty hunter personal inventory.
First question on the list that I had is, what moments or bugs were most fulfilling to you as a bug hunter in 2024 and why? And the reason I stuck this question at the beginning is because I think it's a little bit telling, but go ahead and answer this question in your brain first before you read any further, okay? Or listen any further. So for me, the most fulfilling moment was when I was working on a SQL injection with shubs
at a live hacking event and we finally frickin' popped the bug. And we saw the errors in the logs and we're like, yes, the SQL context is being escaped. I remember sitting at this desk right here where I am right now and just like slamming my hands on the desk and being so excited. And then the other one was sort of a toss up, but it was a crypto bug. It was a crypto bug that I had banged my head up against the wall for like eight hours without any progress. And I was just very stubbornly refusing to give up on this bug.
Justin Gardner (09:18.054)
And eventually I did give up on it and moved on. And the next day I was sitting in my hot tub and I solved it. And I came back inside and I tried it and it worked. And that moment when I solved it in the hot tub and I was like, no way, what if I did it like that? Then that was the moment that hit me. So the follow-up question to these: were these the moments you found the bug or were these the moments you got the bounty? And I think that this can be a telling question
for anybody who is trying to decide whether, what kind of bug hunter they are. Because I think there is a big pull to bounties in the bug bounty world, right? There's a lot of emphasis attached on this. But at the end of the day, when you're trying to identify whether the bounty or the bug is important to you, whether you're trying to decide whether you're a passion-based hunter or a finance-based hunter, I think this can be a good question for you to ask yourself. And what moment was most fond? When you looked at the phone and you saw
Whoa, that 50K bounty just came in or was it the moment when you finally popped the bug? So that's something to reflect upon. And just to be clear, no shame. I'm not dissing anybody who's more of a finance-based hacker, right? If you're just trying to make money in bug bounty, that's great, that's fine. It sets you up for an amazing lifestyle, really. If you can do it full-time, I love it. It's totally worth doing it for just the finances. But I think a lot of us, especially at the top level,
are doing it also for the passion, which I think is great. And you can kind of tell where you're at on that spectrum a little bit by looking at this question. Okay, so the next question that I had here was looking back on 2024 bug bounty performance, were you satisfied with one, the number of bugs that you had? So for me, I had 126 bugs in 2024. And that I think is pretty good considering the year that I've had and how little I've been able to hack.
And that is a 25% increase from last year. So I'm pretty pleased with that. I think that's kind of where I want to be. It's like roughly, it's only roughly two or more bugs per week, which is not as much as I was hoping for. And I think I can do better than that in 2025. But given the year, I'm pretty pleased with it personally. Okay, number two was, am I satisfied with the impact of bugs? Now this is where it gets a little tricky, guys.
Justin Gardner (11:42.124)
So for me, I had seven crits in 2024, and there's a couple days left, so maybe they'll get some more. I just popped one not too long ago. And there were 45 highs, 57 mediums, and 18 lows. And I'm looking at this and I'm like, that's a shit ton of highs and not a lot of crits. That is a very low amount of crits. So what I'm thinking this year is I kind of struggled to get from that high to crit range.
So I think that's probably one of the things that I'm gonna put in my 2025 goals is I need to try to push a little bit further on some of these highs to see if I can remove any of the inhibiting factors or anything that's reducing that score from high and try to get it to a crit. Because 45 is a lot of highs relative to my actual amount of bugs that I had. So I think there's probably some room to grow there. What kind of bugs are you finding? That was the next, the next.
like am I satisfied with what kind of bugs I'm finding? And for me, that is mostly IDOR, access control bugs, authentication bypasses, XSS, and this year actually a decent amount of crypto bugs, which I was kind of pleased with. And so I am kind of pleased with that distribution. I would definitely like to see more RCEs, I think we only had a handful of RCEs in 2024, and I would like to see more...
SSRFs. I really did not have a ton of SSRFs in 2024. And I think that that's a bug class that often has a lot of impact in modern day architectures. And it's just not something that I was able to exploit effectively in 2024. I did have a couple blind SSSs. I mean, not blind SSSs, excuse me, as blind SSRFs and a couple of full read SSRFs. But there wasn't as many as I would have expected given where I think the industry is at.
So that's a thought. Was I satisfied with the scope that I'm working on? So for me, that was almost entirely web this year. And I am pretty pleased with that. I definitely would like to have done a little bit more mobile this year. I kind of like to keep those skills sharp. But I did do a bit of mobile for like a two week sprint. But there wasn't a lot of bugs that fell out of it this time. The app that I was looking at was just
Justin Gardner (14:04.472)
really, really locked down and I had some mobile hackers that I really respect also take a look at it and yeah, I mean it was tight. So I still kinda kept those skills sharp but didn't land as many bugs out of it, unfortunately. I did, however, do some enterprise software hacking this year which I really, really enjoyed and I definitely would like to do more of that in the future. Was I satisfied with the quality of my reports? Now this one I think is the one where I gave myself the lowest marks.
This definitely needs some work.
getting some water. Yeah, so I think for me, the quality of my reports was really not as good as it needed to be. And I think that that was because I often am putting off report writing till the end of the day when I'm tired and I'm just trying to stay in that flow state. So I think I'm finding more bugs, but the report quality is worse. So how do I fix that? One, I think I can...
sort of try to make that process a little bit less frictiony by using the Caido Notes app that Static Flow released that I mentioned before. I think it'll be really nice to start writing some of those reports inside of Caido as I'm going along. I think I can utilize AI for portions of the report and try to do that a little bit better. But at the end of the day, I think I need to just write better impact statements and spend more time on that section
and rely less on the POC videos that I do. Because I do kick ass POC videos, I really do. And I build really, really good, excuse me, I do really, really good POCs, honestly. But the quality of the explanation isn't quite there. I think I'm jumping over steps and it's making it a little harder for the triagers to reproduce. Okay, and the last one here was...
Justin Gardner (16:01.038)
Are you happy with what programs you were working on? I generally liked it. I think there are some programs that have changed quality a little bit this year, but overall I'm pretty good. I'm not gonna name any names right now, but I think definitely in the future I would like to hack on similar programs to the ones that I hacked on this year. Okay, and then the next section of the performance is performance eval, or what did I call it, the personal inventory.
is am I happy with the current levels of XYZ? So the first one on the list was automation. And for me, I'm really not happy with my current levels of automation. I left the recon game a long time ago, and the automation game a long time ago because I was spending too much time coding and not enough time hacking. And I think now with Cursor coming on the scene and me starting to realize the value of having actual passive automation,
I think I would like to fix that. So I may get back into the recon game this year. I'm not 100% sold on that, but what I am sold on is I will be doing some lead generation automation, which is gonna be mostly JavaScript file monitoring, change log monitoring, source code monitoring, that sort of thing. 100% that will get done this year. Organization. Am I happy with my current levels of organization? I'm pretty pleased with this actually. Caido really helps with this with the collections and...
being able to sort stuff out much easier. And with the new notes plugin, I'm sorry guys, just download the freaking notes plugin, man, it's so good. Just having that inside Caido really made it easy and seamless for me to jump into my notes, take notes, see them beautified on the right hand side, rendered in Markdown. So that really helps a lot. And then I've had this system for a couple years where I just have a bug-money folder, and then I go into that folder, create another folder for the target that I'm working on.
And then I have this bash alias called temp-home, which essentially takes the current directory that I'm in and makes it my temporary home directory. So whenever I open up my shell, it will take me directly to that directory. And so I don't accidentally put files in a different folder or something like that. And that keeps everything sort of isolated into the project that I'm working on. And then whenever I'm done, I have this alias rev-home, which is like revert-home, and that takes my home back to where it was before.
Justin Gardner (18:27.822)
So overall, pretty pleased with that. Am I pleased with my current levels of collaboration? Yeah, I think I am okay with it. I'm not collaborating as much as many hackers are, and I've kind of wondered whether that is a downside or not, but I think I'm mostly okay with it. I've definitely helped a lot of people this year get bounties, and my mentees, my two mentees have done really well.
So I'm pleased with that and I think the times that I have collaborated with other high skill hackers have been really rewarding. So I think if I can keep the collaboration levels at a similar amount, I think that would be good. Am I pleased with the current levels of time that I'm getting to put into Bug Bounty? Absolutely freaking not, okay. Yeah, my year got crushed by critical thinking and by...
just other stuff going on in my life and I really, really did not get to hack much this year. So I am really trying to protect my time next year with this full-time Bounty Hunters Guild with some accountability saying, I actually didn't hack this week. What the heck is going on? Let's diagnose that. Trying to be really intentional about building my life around my work hours involving hacking at least 80% of the time. That's what I'm shooting for.
80% of my working hours I want to be hands on the keyboard hacking. So that's kind of what I'm going for. Okay, last but not least, motivation. That is the plus side of not getting to do as much hacking as you wanted to do is when you finally do get to hacking, you are just pumped for it. So I am like chomping at the bit to do some hacking, which after I record this episode for the rest of December, I'm gonna be ready to roll hacking on stuff when I'm not spending time with family. So I'm very excited for that.
But my motivation overall is great and I think as far as a plan goes for that, I think I need to, if my energy levels kind of go down and my motivation for hacking goes down, then I need to take some breaks, do some self care, and then that should come back up. Or like I've been doing in the past, focus on other things like critical thinking, building that business, my real estate portfolio, fitness, those sort of things. And then when I come back to hacking, I should be more motivated.
Justin Gardner (20:48.334)
Okay, so what is my overall goal for Bug Bounty? I put this one down, I might move this one up for y'all on the actual template if you guys wanna follow along yourselves. But for me, my goal for Bug Bounty as a full-time hunter is to sustain my life, you know, is to meet my goals financially. I have a pretty aggressive FIRE goal, Financial Independence Retire Early goal, so I'm gonna try to stay on track for that.
But at the end of the day for me as well, it's finding cool shit that I'm proud of and excited by because I'm very passionate about web security and whenever I am not finding bugs on a regular basis, I can feel that drain a little bit. So I also want to find and hack cool shit. That's kind of where I want to be. And I want to make sure I'm growing as a hacker as well.
Okay, what are my weaknesses as a hacker and how should we remediate these? Yeah, for me, I need to focus on focusing less, which I think is a little bit of a weird thing to say. In the past, I have really needed to kind of get in the zone and like tune out the world, forget about everything around me, including any other responsibilities that I have and just
And I think that is not, that's a young man's game. And I think I am, while I am only 28, still in my 20s, I do have family, I do have a business, I do have employees, I have other responsibilities. So I think I need to learn more how to hack in the in-between times. And I think that's gonna be a challenge for me, but I've seen people do it effectively, so I know I can do it too. I need to go for bigger attack scenarios, as we saw earlier. My high to crit ratio is really,
skewed, slanted towards highs and I really need to kind of move that more into the crit arena. So I think I need to try to remove those inhibitors and really push for the crit. I think I would like to do some things on different attack surfaces. Definitely would like to go into the binary exploitation realm. I'm not sure if 2025 is the year for that. I suppose we'll see. But definitely would like to do
Justin Gardner (23:09.194)
some different attack scenarios, I think that's been really rewarding. And then also, I'd like to do more automation. So those are kind of the areas where I feel weak as a hacker. I kind of have a limited attack surface that I go after with web and sometimes mobile. And I don't have as much automation in place as I would like right now. Okay, what are my strengths as a hacker? My strengths, I'm very thorough. I have a really good understanding of both client side and server side web stuff. And I am getting a little bit more into crypto slash auth stuff.
And I think those are some pretty solid strengths. So that's kind of where the personal inventory is at, and I'm gonna go through this next section, which is my plan for how to crush it in 2025, my goals, okay? So the first question on that part of the template, which once again you can find on the blog, the Critical Thinking blog, is what areas, if any, would I like to grow as a hacker? Like I mentioned before, I would definitely like to do binary exploitation. I'm gonna try to do,
one, at least one binary exploitation bug against a bug bounty program in 2025. I just do not have experience with those lower level vulnerabilities. And I'm really fascinated by them. And I think I would respect myself a lot more as a hacker if I had that in my pocket as well. And as far as other growth, I think I would like to go for more critical scenarios. Who would I like to collaborate with? There are so many people I would like to collaborate with, I'm not even gonna try to name them.
How many hours per week on average would you like to hack? I'm thinking 25 to 35 hours per week, ideally 32 hours. Everything else should probably fit into one square business day, critical thinking included. So we'll see. That has definitely not been the case in the past two years, but thanks to you guys, we've actually been able to get some staff to help on the team, and we're finally building out a really good team here. So hopefully those hours will go back down.
in 2025, and I can spend more time hacking. How will I manage my hacker motivation in 2025? That hasn't really been a problem for me, but I think this full-time Bug Bounty Hunters Guild is really gonna help. How much money would I like to make? For me, that's probably around (REDACTED). Probably gonna bleep that. But, you know, I think it's good to set aggressive goals. How many bugs would I like to submit?
Justin Gardner (25:34.102)
I think I'd like to be somewhere between 150 and 200 next year. I think that'll give me a good growth rate. And I think with some automation, that should totally be possible. What would I like my severity distribution to be? I'd definitely like to move a little bit more towards the crits. Maybe take a little bit off of the, percentages off the medium and move them into the crit arena and some off the highs as well, probably. I'm gonna leave off web programs or platforms because I don't feel like looking up
all of the, if it's a private program or not. What automation would I like to work on? For me, I've got some really cool stuff in the works for the critical thinkers that I'm gonna release, I think 2024 calendar year. So by the time this is out, it's probably already gonna be out. But if not ping me and be like, Justin, where's that stuff that you forgot? So we'll see, we'll see. But it's gonna be mostly around lead generation stuff. And yeah, definitely wanna do some AI automation as well.
What research would you like to do if any? For me, I'd like to do some post message stuff. And then obviously I want to work with the research team as well that I mentioned. ctbb.show slash CRL. Critical Research Lab. Geez, could not get that out. Critical Research Lab, CRL. If you want to learn more about that. But yeah, I'd like to work with the guys in the lab and kind of help them flesh out their research ideas.
For me, besides some post-message ideas, I don't have a bunch of research ideas kind of banging around in my head, but I know that there are some really awesome things, especially in the client side that a couple of the guys that I'm working with have. So, excited to try to flesh those out. Okay, and the last question is, what, if anything, would you like to contribute to the community? Guys, this pod is what I'm contributing to the community, and it is about everything I can possibly manage. So, I hope you guys enjoyed it.
This has been my goals for 2025 and my personal review. You guys can find this on the blog. I think it'd be good for you guys to go down and check that out and do a personal inventory and set some goals. I guess you guys know yourself the best though. So if that doesn't work for you, then maybe it's more chill than that. I just know so many of you guys out there are really intense goal-based people like I am. So I hope this will be helpful. All right guys.
Justin Gardner (27:55.31)
This is Past Justin signing off from 2024. It's been a great year. Thank you so much for listening to Critical Thinking Bug Bounty Podcast. So appreciate the support and I'm excited for 2025. We've got a lot of fun stuff in store. All right. Peace.