All right. My name is Corey Petty. I do a myriad of things throughout the ecosystem, namely podcasting, Hashing It Out, which is one of the sponsors, and I've been doing security, and I guess security education or awareness, for Status for the past four years or so. I've recently moved more into infrastructure, but I still have quite a few opinions, and I've worked with basically everyone in terms of bug bounties and bounty programs and security programs and audits and so on and so forth. So I'm really curious to see how this works out and how we do it with anons. So, in the interest of keeping it fun and light, I don't have any objectives; I just want to have a conversation. So I'm going to do what I normally do and allow people to introduce themselves, because they always do it better than I can. So let's start on the couch here. Tell us who you are and why you're here.

Is this working okay as well? My name is Mitchell Amador. I'm the founder and CEO of Immunefi, and I am here to encourage as many people as possible to participate in responsible disclosure and, frankly, get more involved in security in the Ethereum space. I think we need a lot more.

I'm Fredrik Svantes. I work for the Ethereum Foundation as a security researcher, mainly focusing on the consensus layer and the Merge, but I'm also running the bug bounty program for the EF.

I'm Emiliano Bonassi. I'm happy to be here with these great folks; we spent many, many nights together saving a bunch of protocols. Now I'm the founder of Rentable, a protocol for renting NFTs, but I work a lot in security, war rooms and so on, and I'm here to promote and, you know, support people to advocate security practices in their protocols.

All right, Sam, I want to go ahead and get started. Sure thing. Hey, I'm Sam. I guess I'm here because I do a lot of bug bounties and white-hatting in my spare time. So, let's see, I used to work at Trail of Bits, I used to do some audits there. Now I work at Paradigm as a research partner, mostly focusing on security in the space as well as within our portfolio companies, and then in my spare time, of course, helping report all these fun bugs.

Storm? Okay, can we get that fixed? All right, well, while he's trying to get that fixed we can keep going. It's nice that we have both sides of the coin here. We have the people who are actively looking for security vulnerabilities in the ecosystem for the purpose of fixing them and not exploiting them, which is a wonderful thing to have, and they've been making reasonably good money doing so while lifting up security across the ecosystem. And we have the people who are providing opportunities for them to do that, while maybe not necessarily forcing them to work within a given firm to get that done. And it's something that I've seen grow within this ecosystem more than any other, both in trying to do programs myself and looking around for opportunities, or teaching people how they can get started. So let's start with the people who are providing the platforms to do this: where do bug bounties fit in? We had a conversation a little earlier about this, with your talk, but where do bug bounties fit into the overall security process of the ecosystem?

Sure, so I can take this one unless you want to do it. Okay. Bug bounties are the very last tool in the security stack. Ideally you've invested resources into everything else, and it's the last thing you have. It's the thing you can pour a lot of resources into, but it's the very last thing that you should be leveraging. And so, because of that, it's when everything else fails. You need, you absolutely need this to work.

Yeah, and I definitely agree. It's definitely not something that you just get and then skip everything else. It's something that should augment everything else that you already have in your toolbox.

Sam, what about you? Where do you think it fits in? Should it be
what they've... do you agree with what they've said?

Yeah, definitely. I think, first of all, the cost of a bug bounty compared to an audit is multiples higher, right? So obviously you don't want to be relying on a bug bounty to find what you're paying the auditors for. I definitely agree that you should be treating the bug bounty as an "if all else fails, then at least we have this in place" to mitigate the few final attacks remaining.

I mean, I definitely agree that bug bounties fit into something like "we've done as much as we can." Let's have what is probably the easiest way to have continuous security coverage of an underlying protocol, by saying: this is the scope of work we think is risky, have at it, people will pay you, and we'll do things. And what is the hard part about this for protocols, and y'all can correct me if I'm wrong here, is for projects to understand the scope on which they want people to focus, and the amount of money they should be allocating to it, and whether or not they even have those things, based on the rising prices of what these payouts are. How do you help projects figure out what they should be having people look at and how much that's worth?

Okay, so the first thing to consider is where bug bounties came from. Previously, especially in Web2, it was very hard to assess the value of a vulnerability, and so we came up with CVSS and other convoluted ways of calculating what a bounty should be paid at, but it was all very arbitrary: arbitrarily designed, kind of connected to the level of interestingness and how bad multiple factors could have been. There was an attempt to make it systematic and connected to value, but it could not have been successful, because you cannot compare the exploitability and unique characteristics of an exploit directly to the value of that particular exploit. It's totally different in crypto. We now have a way of describing exactly what the consequence of this exploit is, and we should be moving in that direction. The scope that matters is not really, or not necessarily, the scope of assets at risk and the level of creativity and the degree of penetration that an exploit could create. The scope that matters is the impact: what tangible result does this have to the protocol, to the user, what damage does it cause, and based on that, based on the prevention of said damage, how should the person who directly prevented that damage be compensated? This, I think, is the way to proceed.

Fredrik, does that transfer over to more infrastructure-related things? Because this works really wonderfully, it's, I'd say, easier for smart contract situations. As we move more to infrastructure and node management and the things that you're working with on the Merge, it may be a little more muddy.

Yeah, it is. I think it's a much more complicated question in that sense, because it's covering almost everything. If you're looking at different DeFi projects and so on, they're kind of in these small islands that they're trying to protect, but when you're trying to protect the base layer, everything is kind of in scope. So if the base layer goes down, or there's a massive exploit or something, all the other projects that are running on top of it will probably be affected in some way. How do you measure that? What's that worth, bounty-wise? So it's a very hard thing that we're looking at.

Wouldn't the answer be "a lot"?

It is a lot, and that's a very long discussion, I guess. But yeah, so currently, for those who don't know, the bounty for the execution layer, so that's Geth basically, that's running right now on the bounty program, has been $25,000 for a critical vulnerability, which is kind of low considering the impact that it could have. For the consensus layer, which means the clients that are running the node software for the validators, that's been $50,000 as a max payout, which is also pretty low considering the TVL on Ethereum. That's going to be adjusted upwards; it's going to be made into $250,000, which still is, you know, not that high compared to Maker or Wormhole or anything else. So yeah, it's a hard question. But for now it's been the Ethereum Foundation that's been paying for all of these bounties, as a public good service, kind of, because the Ethereum Foundation has been interested in keeping Ethereum mainnet secure, and because of that they have been paying rewards for the nine different clients that exist now, both in the execution layer and the consensus layer. One of those clients is actually being developed by the EF; the rest are being developed by external teams that the EF does not have any control over. So it's a public good service, but I do think that the ecosystem should come together and create some kind of fund that would, I don't know, help increase the bug bounty for the base layer tenfold, twentyfold, who knows, but to an amount that makes it worth it for researchers to actually spend time looking at it and getting an ROI for it.

Our virtual participants: how much does the bounty amount affect the amount of time you're looking into a specific thing? You clearly understand the concept of risk, but you're spending time looking at various things, probably based on the potential rewards. How can you reason about understanding risk in something that doesn't have high bounties, and then spending time on something else? Do you want to go first, Sam? Okay, I can take this one for a second. Oh, go for it, go for it.

Okay, I guess, yeah, it's a complicated problem. Like, how do you get to the 99% of the bugs of a contract? At some point, I'm guessing, you get diminishing returns of
the time you spend, and couple that with what's the potential impact that you can have, or the bounty that you can be paid. Now, from our side, I'm on both sides of this problem, because I receive bounties from Immunefi, because I'm on top of watching the security part at Yearn, and at the same time I look for stuff when I have the time. And yeah, it's really hard to measure how much time you can dedicate, and it's not a symmetrical problem that we have, because there's too many eyes looking at our code from the bad side and we need more people from the good side trying to, and to incentivize them.

Sam?

Yeah, I think for me at least, frankly speaking, the bounty amount does factor into my consideration quite a bit. I think, depending on my current mindset, if I set aside some time to look at bounties specifically, I'll scroll past most of the lower-capped bounties. If I just get a ping with some message, that might short-circuit the process, but in general, definitely, I'm expecting that typically when a project makes it onto Immunefi or similar, they've probably gone through a pretty rigorous process, and so therefore if it's under some threshold it's likely not worth the time I'd spend to get up to speed with the code base to actually start doing that.

Yeah, I would add, honestly, that at least for me, when I look for bounties in general, I look more for the interest. So maybe I got interested in some exchange, some lending platform, maybe I'm more skilled on those kinds of issues, so I try to filter those kinds of things. But for the bounties that I received, basically most of the time I wasn't looking for a bounty; I was building some sort of integration or something like that, so I was studying the protocol for my own purposes and I discovered the issue. So it was not driven by the size of the bounty or whatever, but more by the interest. Anyway, for many other people the interest is more, you know, the bigger the bounty the better. For me, you know, it's not always that if you go to the biggest bounty you get it, or it's easier.

Yeah, and for the EF bug bounty program that's definitely the case. The people that have reported have mainly been people that are either into cryptography, or they're into just specifications of the base layer, or they're developers, or something like that. It's not so much about the bounty itself, because it takes a long time to wrap your head around the base layer, probably a few months for a person who wasn't really looking into it before, and then you're going to have to look into clients. So it's a big effort. So that's a hurdle.

I just want to echo that. So you have this class of bug hunter that is really driven by the bounty size, or at least that's a precondition. That's most people; it's normal, it's healthy. But you have a whole other set of bug hunters that are kind of just incidental, that have exactly the attitude Emiliano described or that Fredrik described. Like, we have a whole bunch of CTOs and senior engineers who use Immunefi, but they're not looking specifically at bounties. On the contrary, they're analyzing related projects, trying to understand how their contracts are written, trying to understand the features that they have, and in the process of that they discover vulnerabilities, and in the first place they're like, okay, I should go to Immunefi and report that, see if there's a bounty. But that's incidental. They're really just going after what they think are the most interesting technical problems, and if there's a reward for helping that project then that's a great bonus; they know exactly where to go to claim that.

I think that speaks to all the projects out there that, you know, regardless of the scenario or your ability to assess risk or scope, you should have some form of way of telling people where to go in case they find something, and that you're willing to negotiate with them, that you're willing to work with them, as opposed to letting them try and think about what to do with the vulnerability they may have found. And that transitions nicely into something that I kind of wanted to dive into a little bit, and that is: we have two people virtually here who have some form of pseudonymous or anonymous personality. How does that fit into your reasoning and participation in this community? Why anon, and what does that do for you? I'll let Sam answer first.

Yeah, I mean, I think the moment you mentioned anon, the first thing that came to mind is all these programs that claim to enforce KYC on their bounties, and I'm just like, why? So that part's a shame. But I guess the question of why is best answered just by the fact that I think a lot of us are pretty security conscious. I mean, I think you sort of have to be when you're doing security, and especially security in this space. And so, obviously, this is true in smart contract engineering, where the smaller your attack surface is, the fewer potential vulnerabilities you have, and I think it's the same case for your personal opsec too: the less information you expose, the less potential risk you have, in whatever that may be.

I totally agree. It's the same case for me. It's incidental that I happen to be looking at security stuff; I decided to, whether that's anonymous or anon. Our mindset is always to think about the worst-case scenario, even when you're looking at smart contracts. So how do you go about your personal stuff? Within Yearn we have both people that decided to be open and people that want to respect their
privacy, and that's the culture that we promoted within the DAO. But to the wider ecosystem: you should be accepting bounties from anyone, because you just need a PoC and code, that's it. You don't need to know who this person is to actually work with the bounty and patch things.

And I think that we've created an ecosystem and a technology that further enables people like you to contribute vulnerabilities without disclosing who they are, based on our ability to pay you. Can you talk a little bit about some of the benefits, or, how about the benefits but also the difficulties you've found in the process of doing this? Whether that's in different war rooms, trying to do coordinated disclosure with people when you find things, or things you may need to look out for that you didn't think about ahead of time when trying to continuously protect your identity as you have more and more reputation around disclosing certain types of vulnerabilities.

Well, I think that you hit a good point. I mean, the important stuff is that you build a reputation. So, whether you are anonymous or non-anonymous like me, the important stuff is that people know you, okay, regardless of who you are physically. So, honestly, my experience: the founders, the people that we supported, never cared too much about who we are. At some point, okay, yeah, there are some protocols that maybe could be scared at the very beginning, but as soon as you're in the war room and you explain and you have a positive attitude, "we are here to help, not to blame or whatever," they start to hear you. So you also have to think that they could be scared at the beginning. So me and Mitchell have several instances where the founder could be a little bit, you know, "okay, it's my first security issue, so what do they do, who are you, maybe they don't know you." So having a trusted party, that maybe is not hands-on, could help. But also, people like Sam, Storm, they have a pretty good reputation, so somehow you know that they're good.

Two things there. Can you give projects an idea of how to foster that environment, so that people are more willing to try and join a war room and disclose things if they're nervous about doing that, and maybe coming from traditional attempts at this, in maybe Web2, of being attacked, like "why are you trying to do this to me?" I'd say we foster a little bit better of an acceptance of these things because everything's so transparent. How can projects make people feel more comfortable about disclosing things and doing coordinated disclosure on fixing them?

Well, the first rule for me is that you have to be prepared. So you have to know that at some point you have to coordinate some people. So you have to provide a security reference; you have to incentivize people to contact you. Instead, if you don't say on your web page that there is a security reference that we can contact in case of a security issue, that's just, I mean, a red flag for a protocol. So as soon as you have a security contact, maybe you have a partner like Immunefi, that's a good way to incentivize people to talk with you. I'm not sure about, I mean, I saw some of the protocols that are listed on Immunefi that require KYC for the bug bounty. Honestly, I don't know why you should know that guy. I can understand, on the other side, that maybe the guy is disclosing one bug at a time, so maybe they start to drip your bounties, because maybe instead of disclosing all of them, they disclose one at a time. So knowing exactly the person could help to avoid those situations. But honestly, the more you are open about your, let's say, public security procedures, or the way that they can contact you, the better.

You have a slippery slope here, because, I mean, the two we have today are known for their work quite publicly, and because they are pseudonymous or anonymous, they have built a reputation on merit, and that's why people trust them when they say something. But if there's a completely unknown person that's never disclosed something to you, there's this potential that they're the developer that's disclosing the bug in the first place, and you need to go through additional kind of... I mean, that's why I could imagine someone would want to do KYC, to guarantee something like that. But it's not a guarantee, though. I mean, you could get a friend to submit it, for example. That's another option, of course.

Let me jump in on this, right. The KYC issue, as noted, is easy to dodge, and usually any requirements for KYC have nothing to do with security and everything to do with the tax man. Especially with large bounties, someone's got to pay the bill, and when that money leaves, the government's like, "oh, that's an interesting million dollars off your books, what did you do there, did you just pocket that?" And so that's typically the origin of those needs, whereas that should be very separate from: how do we make it easy, how do we make it safe, fundamentally, for someone to do a good-faith action, disclose a vulnerability? That's an expectation-setting problem, that's a signaling problem. By having a clear bounty program, by having clear references, by showing "hey look, we do care about security, here's all the things that we do, here's what we commit to do with you if you help us in this work," you can actually eliminate most of those trust problems. I mean, just think: when we get called into a war room, the biggest problem with most disclosures is actually the projects freezing up or them being highly distrustful. They create the
problems by not being prepared and not setting great expectations around how the process needs to go so that we can easily work with them. If those two things are in place, and there's no reason they can't be public ahead of time in their docs or elsewhere, then the process can be very smooth. And this applies whether you're an anon or whether you're public. It should just be very clear, very simple. We should have a lot of trust in the process of disclosure. That is what I think would create all the difference. But of course that requires work; that requires an investment into security, and who wants to do that when they can make more money?

Yeah, and for our program I would say that we have security researchers, and that probably helps quite a bit, because we can then start to assess the report, see if it's actually valid, check if other projects are perhaps impacted by the same vulnerability, before we start the conversation with the reporter. Yeah, I mean, we've received, I think, 150 valid bug reports through the program, so we can kind of spot the ones that aren't actually real issues and the ones that you need to dig into and speak with the reporter more about.

Storm, Sam, have you all had any experiences in the past of finding something and then realizing, with the project and maybe how ready they are, they're just like, "no thank you"?

I helped, we were at Yearn looking... we do due diligence on some of the stuff where we decide to allocate funds. So a strategist will propose a strategy and say, "yeah, this is a new protocol on Fantom, it's helping a lot." They're mostly forks of forks, which is worrying, and we usually never put a cent before we do due diligence. And that entails a small review of the important aspects, like: what's the multisig situation? Can they upgrade the contracts? Who is on the multisig? Is there somebody trusted? It doesn't need to be a known person, but at least do they have the reputation that we're talking about, and how the contracts work, what is the diff of what they changed from the original fork, things like that. And we bumped into one of those projects, and they had no docs, no way to contact them, and we found an issue quickly. What Emiliano was saying, like, these are things that once you get enough money, I wrote this on Twitter recently, you should start caring about how people are going to get to you real quick. If the only way I can contact you is through a Discord, in your project phase, there's probably going to be issues. Like we've seen developers before trying to go to the Discord and getting shot down by the support staff, which is really not, they're not ready to take on this. You should have a proper channel. And yeah, they get scared. It's something that you don't train; there's no way to get experience. I recommend drills. We started the drills very early on at Yearn, but it's just the fact that all the stuff that we touch on in DeFi, we get affected a lot, so, whether that's good or bad, we get a lot of experience on this.

But yeah, anything to add, anybody? All right, I had a small change, a small shift here, and then I'll get to some questions. I literally have no idea how much time we have left. Ten minutes? Cool. This will be a pretty quick one. In my experience doing bug bounty programs and trying to basically incentivize the swarm of hackers out there to look at my code base, and specifically target the ones that would be good for looking at my code base and giving me meaningful feedback, either from me raising the security of the products that I'm offering or finding a marketing funnel of people who have been familiar with my code base, I've had very varied experience in the quality of candidates based on the platforms that I use. And so the name of the game for an organization doing bug bounty programs is to find out where the hackers are that can do anything that is useful for you. So, hackers, you're more often than not typically using multiple programs, assuming that multiple programs are paying you out commensurate to your time and effort. Where are you using, where are you going, where do people work, what can we do as people trying to get a hold of you, like start talking to the right programs or doing the right things to incentivize your effort to work on the things that we want you to work on?

I think he's looking at you, Sam. He wants to get you on Status pretty fast.

Anybody that's capable of, like, quality code bases... it's hard. Yeah, I think part of it is definitely, I mean, Immunefi has been a great help here, just sort of aggregating these projects and having one centralized feed of what's available, what's in scope, where to report. A lot of other times it's really just the age-old game of "here's a contract on mainnet and I don't know whose it is and I don't know what project it belongs to, and now begins the guessing game." And actually, in that regard, there was this interesting initiative in the Solana ecosystem where, I think Neodyme or one of the firms, they did security.txt but for blockchains, and so you could embed in your Solana program, not necessarily a text file, but a buffer that contains information about your contract and where to contact you. And I think currently the closest alternative we have on Ethereum is you could add a comment to the top of your contract as you verify it that says "this is the project." Even that would be a great help. If someone just finds your contract on mainnet with no documentation, it sometimes is a pretty big pain to figure out who exactly it belongs to.

Anything to add, Storm? Yeah, I mean, in regards to bringing more people, like more eyes, engineering, like, I agree, Immunefi is doing a great job of
funneling a lot of the talent that we have, but we still, I think it's something that we are all aware of, that we still need to do a lot more. I try to follow on Twitter security researchers from outside crypto, and you get real quick that the top bounties at Google are 50k, probably top, and that's what they get when they get paid actually. Like, people that are able to, that have the capacity and the skills to look into bounties of those global systems, where not everything is open source, like Apple, everybody that has those skills can perfectly apply them to smart contracts, and smart contracts are all wide open. How do we get engagement with that community? Because for good or worse, crypto has this rep, and probably if you heard that, you decided on it fairly quickly. So is that sort of a challenge that we need to address? How do we get more security people that come from that background into smart contracts, which I think are a great fit? And that's probably how we all got started, somehow. We come from this, from different systems, and we just apply those skills to Ethereum and open contracts. You can add something?

Completely agree with what Sam and Storm said. If I could talk directly to those people that should come to the Web3 world, I think that it's not only the money, okay, that is pretty interesting, because in the traditional world we have just 50k, here we are talking about millions and then billions. The stuff is that it's intellectually interesting, this kind of technology, okay. Now we have Solidity, but now we have also Solana, with other constraints. So if you are hungry to understand, to dive deep on things, in addition to enjoying your time, you're getting a lot of money. But this means that maybe you start being interested in security and then maybe you start to work with that protocol. So I think that working in security, Mitchell knows it well, is a very, let's say, interesting opportunity to approach this world, because it pays a lot, the challenges are very important, and also you have the opportunity to support someone, being in a war room with experts where you can learn a lot. So I think that if you look at the complete picture, it's not just the money, okay; it's all the things that you have around: working with great people, cultivating your interest, maybe switching your career, and maybe starting your own protocol or whatever you want. So I think that those are good cards to say, okay, if I want to start a career in Web3, maybe I won't fork a protocol, I won't develop my own; I mean, just look in the other code, learn how things work, and maybe spot nice bounties that can be, you know, I can buy a villa or whatever.

Yeah, I just want to echo, I guess, everyone who's been talking now, that it's hard to find those resources, for sure. If you're looking at Web2 people that are looking for SQL injections or cross-site scripting or whatever on web applications, you can find them in the hundreds of thousands, maybe millions even. But if you're looking for specialized people in blockchain technology and smart contracts and whatnot, it's very hard. So I mean, it's great that projects like Immunefi come along and kind of bring all this knowledge into a specialized platform where people can use it. But I also think that a lot of work has to be done on educating people. In Web2 there was for a very long time, and probably still is, a very big shortage of security people, and in Web3 of course it's way, way more of a shortage. So there should be ways to kind of pull them in, train them, etc. And yeah, I mean, Secureum and Trustdeck are doing a great job with that, so that's amazing that you're actually pushing this knowledge forward, and hopefully in a while it will become better and better and we'll get more researchers, more bug bounty hunters, etc., and we won't be rekt anymore.

I want to summarize that and make the pitch to all the people who are here with us and watching. So we're all telling you: come join us in a world of galaxy brains working on the world's toughest puzzles, and if you succeed we'll make you rich and you'll be glorified for the very real contribution to society that you did. This is a pretty compelling pitch, at least I feel, and I hope as many people who are watching this take advantage of it and join us, because God knows we need you. There just aren't enough of us, and you don't even need to tell us who you are.

I'm sold. Oh, we could take a little bit of time here to get a couple of questions from the audience. We have some great people on the panel here. Any questions? Someone in the back; can we get a microphone to them? Middle? You can take my microphone. Got a bunch up here.

Yeah, thank you for this panel and for all the members contributing, sometimes from remote. I have two questions, basically. The first one is: how do we make sure this works not only for DeFi projects, where there is a lot of money at stake and obviously you can pay huge bounties, but also for code that is a community good, that a lot of people rely on and that will critically need to be secure? That's the first part. The second part is: you've mentioned using bug bounties to check code that is already on mainnet, in production and live, and that's basically your last resort before something bad happens. What about using the same system way before deployment, particularly when auditing companies are fully booked and you have a community that might help you before deployment?

Okay, so the first question, which is, basically, I didn't fully understand
the beginning part of it, is how do we get the projects who aren't DeFi protocols with billions of dollars in TVL to also benefit from the system? And what was the first part of the question, so we all understand?

No, it's just that there are projects that don't have money at stake and they need the security critically. You mentioned the execution layer; that might be one of them.

Gotcha. Okay, well, the reality is, you know, money is a very motivating factor. We all know that we're not going to be able to convince lots of people, especially those who need it, to work for less. However, projects have another very compelling thing to them, which the Ethereum Foundation fully leverages to the maximum ability, which is the social good, the pro-socialness of the project: what kind of contribution you can make to other people. That is really compelling. I do lots of things that cost me lots of time, energy and suffering, and I do it just because I feel like I'm making an impact and a contribution to others. That needs to be sold up front in the bug bounty program. It is valuable and it should be used. And then the other factor is what Emiliano explained to all of us, which is the interestingness. Frankly, the best people are just as much motivated by the hardest, most interesting problems, just to see if they can do it, as they are by the money. You can make money tomorrow, but, you know, the most interesting problem in the world? Like, got a deal, that's exciting, it's interesting. And that is what public goods projects especially need to heavily, heavily leverage, because especially for the ones that have traction, those resources, that security talent, is there, but their attention needs to be drawn with the thing they're interested in.

Just to reflect on that: even if you're listening and you're considering these things and we haven't quite convinced you yet, even if you work on a bug bounty program of an interesting project like the Ethereum Foundation
and the merge and you don't quite find something, you're familiarizing yourself with a very complex codebase which we need a tremendous amount of help with. Like, everyone in this room who has a project is hiring. So by participating in these things, and us making it available for people to participate in them, we're incentivizing people to come look at this type of stuff and join us in a way that's comfortable, right? And I think that's important, and it gives you the ability to justify to yourself getting your first foot in the door and spending some time getting familiar.

Yeah, and I mean, if you are spending a lot of time looking at the EF bug bounty program, looking into clients, you're basically the kind of person we want to hire. So there's that: worst case scenario, you get a job.

Any closing thoughts? I know this is the last panel and Reggie would like to say goodnight to you, but, guys virtually, do you have any more closing thoughts, or anybody you'd like to tell potential hackers or the audience or us, the people building things? Oh, we have one more question, sorry.

Yeah, to Immunefi's point at the end: how do I get good enough? I'm here, like, I want to be like that. What's the pipeline for that?

Okay, so oddly enough, look, there are quite a few guides, there are great CTFs, there's awesome work by Secureum that you can go and build your foundations with, and that's the most important thing in the beginning. But once you've built your foundations, if you want to go after the really novel problems and really get good, you have to do what all of these gentlemen here have done, which is go find the problems that are interesting to you and become an expert in it and push the limits. All the best security people that I know in this room are people who just found something interesting to them and said, I don't care if other people aren't interested, I'm going to get to the bottom of this, and they built these amazing, sophisticated areas of expertise
that I was like, I didn't even know those problems were there. And that's how they became so good. So follow your interests after you've got your foundations.

Yeah, I'll just take it out and say that if you want to succeed, and I guess this counts for anything, if you want to become really, really good, you have to have a passion for it. You can't just take a course without having the interest and think that you're going to find a two million dollar bug bounty. It's most likely not going to happen unless you're really, really dedicated. You spend your days, evenings, nights, mornings thinking about this, doing it, probably without getting paid in the beginning even; you're just doing it because it's a passion.

Sam, Storm, does that explanation resonate with the two of you?

Yeah, a large part of it at the start is really just building up... you almost have to build up the ability to look at a contract and really look past what, uh, what it's just doing. I think that's something you see in common with a lot of the more recent big findings: there are things that most people would not have considered. It was a way of holding the contract that you would not have thought of. And so really I think a lot of it is just building up that muscle: looking at all these contracts, figuring out how you can rotate it, how you can twist and shape it, do whatever to get it at a different angle, and then with that new perspective figure out what's wrong with the code.

Yeah, I agree with that. I think the suggestion to start and go deep into it is one approach that's really good. The other thing that could be good would be, once you have the foundation and some Solidity and you understand it, go read all the exploits that have happened. I believe that if you look at the code and you look at what was the expectation of those developers, like Sam says, that
they missed something that in retrospect is obvious, what was the mindset on that, you start getting patterns. Now, with future code that you look at, you sort of build your library in your head of what are the usual things that we screw up as developers, and you'll see that some recurring things, not everything, but some stuff, keep coming back a lot. And it's just because the developers are human and we miss things. So that's, I think, a good way to approach it. The other thing is there are programs like Secureum; we now have Immunefi; we're trying at Yearn to foster yAcademy, which is also another program where you can come with some foundation skills, and it's like a block, and we get you to some point where you're actually doing reviews and auditing protocols. So yeah, I hope more and more resources pop up that allow you to go through that funnel easily with some help.

I'll just make a short plug. Yeah, I agree with Storm that looking at past exploits is definitely something that's extremely valuable, and I think it was about three weeks ago, four weeks ago maybe, we actually did a public release of all the vulnerabilities that were reported to the EF. So that's 150 vulnerabilities that you can have a look at if you are interested in seeing what kind of issues people find: denial of service attacks, cryptography issues, a bunch of things. So feel free to have a look; you can find the link on blog.ethereum.org.

All right, I think that's a good way to wrap it up. Thank you all for joining me, virtual and physical, and thanks for listening. [Applause] [Music]