0-day Research Disassembled presented at BSidesWashington 2019

by David Wells, Chris Lyne, Jimi Sebree

Summary: 0-day vulnerability research is a hot topic these days. Adversaries, governments, and researchers all have their secret stash of 0-days. Bug bounty programs have become ever more popular. With a tuned skill set, anyone can get started hunting bugs. Some do it for fun. Others do it for cash. We do it for a living. It's our passion.

How does one pick a target to research? How does one improve the success rate of finding a 0-day? What skills are required? How does one deal with setbacks? We will go over these and several other questions via selected case studies of 0-days we have found in various high profile products. We will discuss ~10 0-days that haven't been disclosed (at the time of submission) and go over various scenarios showing how and why these were found.

In order to be a successful researcher, there is a broad skill set and knowledge base required. Additionally, the mindset of a security researcher is a key driver of success.

We outline these points alongside real life scenarios of our 0-day discoveries this year, demonstrating that with the proper methodology, luck, and determination, anyone can achieve similar results and help contribute to making the world more secure.