[HackerNotes Ep. 167] Acquisition Hunting, Supply Chain Bugs & Research Theft with krevetk0
Today, a new episode about research theft with krevetk0
Hacker TL;DR
Pre-position on acquisition targets: find bugs before the deal closes, document everything with screenshots
Third-party vendors reusing credentials across environments create critical supply chain attack paths
Stolen research is a real threat: over-detailed reports can leak through Slack integrations or duplicate collaborators
Protect your intellectual property: watermark reports, host exploits on your own infra, don't reveal full chains

Today's Sponsor: Check out ThreatLocker Ringfencing https://www.criticalthinkingpodcast.io/tl-rf
Who's Valeriy (krevetk0)
Valeriy, known as krevetk0 on HackerOne, is a seasoned bug bounty hunter and security engineer based in Germany since 2017. He brings a dual perspective to the table: he hunts bugs on the side while managing the bug bounty program at Semrush as his full-time role. His first bounty was a $6,000 PayPal bypass, and he has been consistently active for over six years.
$10K for a Vulnerability That Doesn't Exist
Krevetk0's first bug demonstrates the value of preparation and patience in acquisition-based hunting. Several programs on HackerOne accept findings on acquired assets, and krevetk0 actively monitors upcoming acquisitions to pre-position his research.
The Attack
He identified a company announced as an acquisition target before the legal process had completed. During early recon, he discovered a Node.js path traversal vulnerability exposing server-side information. Because the acquisition was not yet finalized, he documented the finding and waited rather than reporting immediately.
When the acquisition closed, he verified the bug was still functional and started capturing screenshots. While doing so, he escalated by checking environment variable files and discovered hardcoded AWS credentials with access to the database and broader AWS infrastructure.
The Twist
The next day, the server was completely shut down. The vulnerability no longer existed. But krevetk0 had his screenshots. He extracted the AWS credentials from the captured images, validated them via the CLI, and confirmed they were still active and unrotated.
The triager initially pushed back as the endpoint was down. But he demonstrated the credentials were still valid, the exposure had occurred, and incident response was necessary. The report was accepted and paid $10,000–$12,000.
So always capture comprehensive evidence as you go: video recordings, screenshots, saved requests and responses. A vulnerability can disappear at any time, but if the exposure was real, the business impact stands.
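A small triage script for exactly this situation, added here as an example and not krevetk0's own tooling: it pulls AWS key material out of captured text (a .env dump transcribed from a screenshot, say), hashes and timestamps the capture so it can be cited later, and wraps the one CLI call that proves a key is live without touching any resource, `aws sts get-caller-identity`. The sample .env is constructed; the key pair in it is the placeholder pair from AWS's own documentation, not a live credential.

```python
import hashlib
import json
import os
import re
import subprocess
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: an environment file as transcribed from a captured
# screenshot. The key pair is the placeholder pair from AWS's documentation.
SAMPLE_ENV = """\
NODE_ENV=production
DB_HOST=db.internal.example
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_DEFAULT_REGION=eu-central-1
"""

# Long-term IAM user keys start with AKIA; temporary STS keys start with ASIA
# and are worthless without their session token.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")
SESSION_TOKEN_RE = re.compile(r"(?i)aws_session_token\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{20,})")

# STS GetCallerIdentity cannot be denied by an IAM policy, so it answers
# "is this key still live?" without reading or changing any resource.
STS_CHECK = ["aws", "sts", "get-caller-identity", "--output", "json"]


def extract_aws_credentials(text: str) -> list:
    """Pair each access key ID in the capture with the secret (and session
    token, if present) that appears in the same position."""
    secrets = SECRET_KEY_RE.findall(text)
    tokens = SESSION_TOKEN_RE.findall(text)
    creds = []
    for i, key_id in enumerate(ACCESS_KEY_RE.findall(text)):
        secret = secrets[i] if i < len(secrets) else None
        token = tokens[i] if i < len(tokens) else None
        kind = "long-term" if key_id.startswith("AKIA") else "temporary"
        creds.append({
            "access_key_id": key_id,
            "secret_access_key": secret,
            "session_token": token,
            "kind": kind,
            # Usable only with a secret, plus a token if the key is temporary.
            "usable": secret is not None and (kind == "long-term" or token is not None),
        })
    return creds


def redact(secret: Optional[str]) -> Optional[str]:
    """Keep just enough of a secret to match it against the capture."""
    return None if secret is None else f"{secret[:4]}****{secret[-4:]}"


def evidence_record(capture, source: str) -> dict:
    """Hash and timestamp a capture (raw file bytes in practice, transcribed
    text here) so the exposure stays provable after the endpoint disappears.
    Secrets are redacted because this record goes into the report."""
    data = capture if isinstance(capture, bytes) else capture.encode("utf-8")
    text = data.decode("utf-8", errors="replace")
    return {
        "source": source,
        "captured_at": datetime.now(timezone.utc).isoformat(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "credentials": [
            {**c, "secret_access_key": redact(c["secret_access_key"]),
                  "session_token": redact(c["session_token"])}
            for c in extract_aws_credentials(text)
        ],
    }


def validate_with_sts(cred: dict) -> Optional[dict]:
    """Live check (needs the aws CLI and network). Returns the caller identity
    document if AWS accepts the key, None if it has been revoked or rotated."""
    env = {
        "PATH": os.environ.get("PATH", ""),
        "AWS_ACCESS_KEY_ID": cred["access_key_id"],
        "AWS_SECRET_ACCESS_KEY": cred["secret_access_key"] or "",
    }
    if cred.get("session_token"):
        env["AWS_SESSION_TOKEN"] = cred["session_token"]
    proc = subprocess.run(STS_CHECK, env=env, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.returncode == 0 else None


if __name__ == "__main__":
    print(json.dumps(evidence_record(SAMPLE_ENV, "screenshot-001.png"), indent=2))
    # For a real capture, run the live check; the documentation key above is rejected.
    # print(validate_with_sts(extract_aws_credentials(SAMPLE_ENV)[0]))
```

The STS identity document (account ID and ARN) together with the key ID is all the proof a triager needs that the exposure is real and unrotated; the secret itself never has to appear in the report. An ASIA key without its session token is dead weight, which is why the script marks it unusable rather than sending you off to test it.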
We do subs at $25, $10, and $5; premium subscribers get access to:
– Hackalongs: live bug bounty hacking on real programs, VODs available
– Live data streams, exploits, tools, scripts & un-redacted bug reports
Supply Chain Credential Reuse via Third-Party Agency
The second finding illustrates how third-party vendor relationships create a critical attack surface that organizations often overlook.
While testing a HackerOne program, krevetk0 noticed a Terms & Conditions link pointing to a completely different domain belonging to an external agency. What was this agency's relationship to the target?
The Chain
Basic recon on the agency's domain revealed Symfony debug mode enabled
The Symfony debug panel exposed PHP info with environment variable credentials
A log file on another subdomain confirmed the agency managed content for the target organization
The credentials provided access to a WordPress admin panel used by the agency for content management
Tested for credential reuse on the target's main domain: the same WordPress credentials worked
So the result was full content management access on the main domain of a well-known brand, achieved entirely through a third-party vendor that reused credentials across different environments and applications.
As a previous CTBB podcast guest (Mathias Karlsson) noted, everything that flows through your proxy history could be an in-scope asset. Third-party domains, agency subdomains, and microservice integrations often blend into the target's main domain through reverse proxies. Investigate every unfamiliar domain that appears in your traffic.
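A way to act on that advice systematically, added here as an example rather than anything from the episode: feed the proxy history into a script that groups every host by registered domain, separates the target's own domains and the usual CDN and analytics noise, and leaves a short list of unfamiliar third parties with the paths that were fetched from them, which is exactly the kind of stray Terms & Conditions link that started the chain above. The history and the `brand.example` / `agency-example.net` names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed proxy history for a hypothetical target, brand.example. The
# agency hostnames are invented; the CDN and analytics hosts stand in for the
# noise that shows up on almost every site.
PROXY_HISTORY = [
    "https://www.brand.example/",
    "https://www.brand.example/assets/app.js",
    "https://api.brand.example/v1/session",
    "https://www.brand.example/legal",
    "https://cms.agency-example.net/terms-and-conditions",
    "https://static.agency-example.net/fonts/inter.woff2",
    "https://cdn.jsdelivr.net/npm/vue@3/dist/vue.global.js",
    "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX",
    "https://fonts.gstatic.com/s/inter/v12/inter.woff2",
]

# Ubiquitous hosts that rarely deserve a second look; extend as you learn.
KNOWN_NOISE = {"jsdelivr.net", "googletagmanager.com", "gstatic.com"}


def registered_domain(host: str) -> str:
    """Last two labels of the host name. A simplification: it mishandles
    multi-part public suffixes such as co.uk, so use a public-suffix-list
    library (tldextract, for instance) when triaging for real."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage_proxy_history(urls, target_domain: str, known_noise=KNOWN_NOISE) -> dict:
    """Bucket every host into in-scope, known noise, and unfamiliar third
    parties, keeping the hosts and paths seen for each registered domain so
    you can tell what the unfamiliar ones were serving."""
    buckets = {"in_scope": {}, "noise": {}, "investigate": {}}
    for url in urls:
        parts = urlsplit(url)
        if not parts.hostname:
            continue
        domain = registered_domain(parts.hostname)
        if domain == target_domain:
            bucket = buckets["in_scope"]
        elif domain in known_noise:
            bucket = buckets["noise"]
        else:
            bucket = buckets["investigate"]
        entry = bucket.setdefault(domain, {"hosts": set(), "paths": set()})
        entry["hosts"].add(parts.hostname)
        entry["paths"].add(parts.path or "/")
    # Sorted lists so the output is stable and easy to diff between sessions.
    return {
        name: {d: {"hosts": sorted(e["hosts"]), "paths": sorted(e["paths"])}
               for d, e in bucket.items()}
        for name, bucket in buckets.items()
    }


if __name__ == "__main__":
    result = triage_proxy_history(PROXY_HISTORY, "brand.example")
    for domain, entry in result["investigate"].items():
        print(f"investigate {domain}: hosts={entry['hosts']} paths={entry['paths']}")
```

Run it after every session and diff the investigate bucket against the last run: a new registered domain is the cue to check what it is, who operates it, and whether it shares credentials, code or hosting with the target. Keep the noise set short and personal; a generic allowlist is where third-party agencies hide.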
Research Theft on Bug Bounty Platforms
Here is a problem that affects the entire bug bounty ecosystem: intellectual property theft of security research.
The Timeline
In 2021, Krevetk0 developed an entirely new attack vector, not a single vulnerability, but a novel class of attacks. He verified it across approximately 10 programs on HackerOne and discussed it privately with a top-5 ranked hacker on the platform.
He deliberately never published the research, concerned about the magnitude of potential damage if widely known. He presented it internally at Semrush, built protective mechanisms, and educated the security team on the new attack surface.
Three years later, while managing the Semrush program, he received a report that was word-for-word identical to his original research, including exact phrasing, punctuation, references, and even the claim "I did this research."
The Investigation
When confronted, the reporter claimed ChatGPT generated the report. Krevetk0 tested this: after 10 attempts with various LLMs, none could reproduce his exact wording. The excuse did not hold up.
HackerOne conducted an investigation and identified between 5 and 10 hackers using krevetk0's research as a submission template. The leak likely originated from one of two vectors:
1. Customer-Side Slack Integrations
Some organizations pipe HackerOne report notifications directly into Slack channels accessible to all employees, not just the security team. Marketing managers, engineering leads, or anyone with channel access can read and copy the full report content.
2. Duplicate Report Collaborators
When a triager adds a duplicate reporter to the original report, that collaborator gains full access to the original researcher's work. This happens without the original hacker's consent and exposes full exploitation chains, methodology, and escalation paths.
Protecting Your Research
So here are several practical countermeasures:
Don't over-detail reports. Include enough information to reproduce the vulnerability, but avoid exposing your full thought process, additional attack paths, or research methodology
Host exploits on your own infrastructure. Serve payloads through your own server without distributing binaries. Let the program replicate via your controlled endpoint
Watermark your reports. Embed invisible markers such as zero-width Unicode characters, deliberate unique misspellings, or characters from other alphabets that can trace the content back to you
Avoid revealing full chains. If reporting a critical chain, consider holding back certain escalation steps that aren't necessary for the program to understand the impact
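One way to do the watermarking, added here as an example and not krevetk0's own method: the UTF-8 bits of a tag are hidden in zero-width characters after each space, so the visible report does not change, and the same script scores how close an incoming report is to one you already hold, which is the comparison a program manager makes when a submission looks copied. The report text is constructed for the example.

```python
import difflib

# Bit encoding: zero-width space carries a 0, zero-width non-joiner a 1.
ZW0, ZW1 = "\u200b", "\u200c"
# Everything we strip when reconstructing the visible text.
ZERO_WIDTH = {ZW0, ZW1, "\u200d", "\u2060", "\ufeff"}

# Constructed sample report text, invented for this example.
REPORT = (
    "Summary: the export endpoint trusts the filename parameter, so a crafted "
    "value reads arbitrary files from the application root. Steps: 1) log in, "
    "2) request the export with the crafted name, 3) observe the file contents."
)


def embed_watermark(text: str, tag: str) -> str:
    """Spread the UTF-8 bits of `tag` over the text, one zero-width character
    after each space; bits that do not fit are appended at the end."""
    bits = iter("".join(f"{byte:08b}" for byte in tag.encode("utf-8")))
    out = []
    for ch in text:
        out.append(ch)
        if ch == " ":
            bit = next(bits, None)
            if bit is not None:
                out.append(ZW1 if bit == "1" else ZW0)
    out.extend(ZW1 if bit == "1" else ZW0 for bit in bits)  # leftover bits
    return "".join(out)


def extract_watermark(text: str) -> str:
    """Recover the tag from text carrying the encoding above. Other zero-width
    characters are ignored and a trailing partial byte is dropped."""
    bits = "".join("1" if ch == ZW1 else "0" for ch in text if ch in (ZW0, ZW1))
    usable = len(bits) - len(bits) % 8
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    return raw.decode("utf-8", errors="replace")


def strip_zero_width(text: str) -> str:
    """What a sanitising platform would leave behind, and the text to compare."""
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)


def similarity(a: str, b: str) -> float:
    """Character-level similarity of two reports; a near-verbatim copy scores
    close to 1.0. autojunk is off so whitespace is not discarded as noise."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


if __name__ == "__main__":
    marked = embed_watermark(REPORT, "krevetk0-2021")
    print("visible text unchanged:", strip_zero_width(marked) == REPORT)
    print("tag recovered:", extract_watermark(marked))
    print("copy score:", round(similarity(REPORT, REPORT.replace("Summary", "Overview")), 3))
```

The watermark vanishes if the platform strips zero-width characters on input, which is why the deliberate misspellings and foreign-alphabet look-alikes mentioned above are worth keeping as a second marker. When checking a suspect submission, compare the stripped text: a copy-paste carries your zero-width characters with it, and a similarity above 0.9 on prose that is not a template is a strong signal.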
For bug bounty platforms: krevetk0 suggests that platforms should require acceptance from the original researcher before adding duplicate reporters to the initial report. The current system allows triagers to unilaterally expose one hacker's work to another.
Krevetk0's Hunting Philosophy
High-signal strategy: every submission targets high or critical severity, no time spent on duplicates or questionable impact
Leaderboard competition: he selects private programs and aims to surpass the top hackers on that program's leaderboard as motivation
Program appreciation matters: human responses from program managers (not templates or AI replies) earn significantly more of his effort
Brand attachment: he gravitates toward programs in health, sports, and finance, brands worth the personal investment
That's it for the week, keep hacking!
