
Gabor Bartos
whoami
My name is Gábor. I am currently working as a cybersecurity consultant and have been in the bug bounty scene for almost 2 years now.
Tell us a bit about yourself: what does your life look like now?
I always try to find the so-called "work-life balance," which means that sometimes I have to force myself to step away from the computer and do something completely different. People say that it's a good thing if your work is also your hobby, but that's just poppycock. You need to have other hobbies besides computers, because otherwise your brain starts treating every walk in the park like a debugging session, and every dinner like a code review.
It's always changing depending on what comes up, but I usually spend about 5 to 10 hours easily.
First steps in bug hunting
How did you get into bug bounty hunting?
It was thanks to @labda, who told me a lot about this "lifestyle" and how it is a great way to sharpen one's hacking skills (he had tried a few times to convince me, though). After that I think I quickly got the hang of it and got addicted to the dopamine rush.
Hacker insight
Dig into publicly disclosed reports, write-ups, books, blogs and videos you can find - fortunately there are plenty of resources nowadays. Hacking is a helluva fun thing to do: on one hand you can help organizations stay safe, and on the other you learn from every engagement, earn money, score points, or just gain experience. The important thing is that you enjoy doing it!
Do you have any tips for our audience on what you do when you approach a new target?
I like to start with subdomain recon (if the scope allows it) and then just do normal user stuff, clicking links and buttons to get familiar with the application. After that, I analyze the requests and their corresponding responses to decide which types of vulnerabilities could be present.
About the testing methodology
Do you follow a pre-defined methodology or do you prefer to change your methods regularly?
A pre-defined methodology is always good to have. You can catch the "low-hanging fruits" with it, but sometimes a program forces you to deviate from the usual path, which is good now and then to keep your thinking flexible and prevent your mental gears from getting rusty.
Do you have any favorite tool or favorite wordlist to test with?
The all time favorite is Burp Suite of course, along with sqlmap.
Favorite bug classes
Do you have any favorite vulnerabilities to focus on during testing?
It depends on the program. If I find a PDF rendering function, then I lock in on SSRF; if there are many input fields, then I go for XSS or SQL injection. Right now, I have a fixation on API-related vulnerabilities (e.g. BOLA, BFLA) and CORS misconfigurations.
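The CORS misconfigurations mentioned above boil down to a handful of header patterns, so here is an added example of the check a tester runs against an API, written for this page and not code from the interviewee: it generates the probe origins worth sending, classifies the Access-Control-Allow-Origin / Allow-Credentials pair in the reply, and contrasts a server that reflects any Origin against one that checks an allow-list. The target host, trusted origin and both server functions are constructed for illustration.

```python
# Added example (not from the interview): classify CORS response headers the way
# a tester would when probing an API. TARGET, TRUSTED and the two "server"
# functions are constructed stand-ins for a real endpoint.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CorsVerdict:
    severity: str  # "ok", "low" or "high"
    reason: str


def probe_origins(target: str) -> list[str]:
    """Origins worth sending in an Origin: header against `target`.

    Covers arbitrary reflection, the 'null' origin (sandboxed iframe, file://),
    and the two sloppy-regex cases: a domain that merely starts with or ends
    with the target host name.
    """
    host = urlsplit(target).hostname or target
    return [
        "https://attacker.example",          # is any origin reflected?
        "null",                              # is Origin: null accepted?
        f"https://{host}.attacker.example",  # prefix match: <target>.attacker
        f"https://attacker{host}",           # suffix match: attacker<target>
    ]


def classify_cors(sent_origin: str, headers: dict[str, str], trusted: set[str]) -> CorsVerdict:
    """Judge the CORS headers returned for a request that carried `sent_origin`."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        return CorsVerdict("ok", "no Access-Control-Allow-Origin; cross-origin reads are blocked")
    if acao == "*":
        if creds:
            # Browsers refuse '*' combined with credentials, so this is sloppy
            # but not directly exploitable.
            return CorsVerdict("low", "wildcard with credentials=true is rejected by browsers")
        return CorsVerdict("low", "wildcard origin: fine for public data, a leak if the endpoint "
                                  "is authenticated by other means (e.g. IP allow-listing)")
    if acao in trusted:
        return CorsVerdict("ok", f"{acao} is an allow-listed origin")
    if acao == sent_origin:
        # The server echoed an origin it should not trust. With credentials the
        # attacker's page can read the victim's authenticated responses.
        if creds:
            return CorsVerdict("high", f"arbitrary origin {sent_origin!r} reflected with credentials")
        return CorsVerdict("low", f"arbitrary origin {sent_origin!r} reflected without credentials")
    return CorsVerdict("ok", f"ACAO {acao!r} does not match the probe origin")


TARGET = "https://api.shop.example"          # constructed target
TRUSTED = {"https://app.shop.example"}       # constructed allow-list


def vulnerable_server(origin: str) -> dict[str, str]:
    """Constructed reply of a server that echoes whatever Origin it receives."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def hardened_server(origin: str) -> dict[str, str]:
    """Constructed reply of a server that only acknowledges allow-listed origins."""
    if origin in TRUSTED:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {"Vary": "Origin"}  # no ACAO at all: the browser blocks the read


def run_probes(server) -> dict[str, str]:
    """Send every probe origin to `server` and collect the verdict severity."""
    return {o: classify_cors(o, server(o), TRUSTED).severity for o in probe_origins(TARGET)}


if __name__ == "__main__":
    for name, srv in (("vulnerable", vulnerable_server), ("hardened", hardened_server)):
        print(name, run_probes(srv))
```

Against a live target the `server` argument would be replaced by a function that performs the HTTP request with the given Origin header and returns the response headers; the classification logic stays the same. The `Vary: Origin` header in the hardened reply matters in practice because a shared cache would otherwise serve one origin's ACAO to another.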
Certifications and Achievements
Do you have any security certificates? How important do you think certifications are nowadays?
Currently I hold BSCP, CRTO, OSCP, CEH and will start OffSec's PEN-300 course to later earn the OSEP certification. I think it's good to hold a few certs, because they show your interest and determination to keep challenging yourself, but on their own they won't make you an expert in anything. There are plenty of people whose cert lists are so long they could cause a buffer overflow, yet don't understand the basics. On the other hand, there are many with no certs at all who still hack their way into anything with nothing more than a sack of potatoes. Unfortunately, it often boils down to how well recruiters understand those certifications when it comes to landing the next job.
What would you consider your most impressive achievement? What bounty are you most proud of?
One time, I managed to discover eight stored XSS vulnerabilities in a single bug bounty program. What makes me proud isn't the number itself, but how I found them. When I logged into the web app, I noticed many endpoints with numerous input fields: text boxes, drop-down lists, and more. Someone had already run a fuzzing campaign before me, flooding the app with XSS payloads. Most of those attempts were harmless, though, as they didn't trigger any pop-ups. I felt a little disappointed, thinking the XSS vectors were already harvested... but oh boy, was I wrong! It turned out that many XSS vulnerabilities were lurking deep within the app, hidden in a sub-menu's sub-menu's sidebar's drop-down list's value.
Future of bug bounty
Can bug bounty hunting be a full-time job?
I think it's possible. There are many bug bounty platforms with numerous programs, so mathematically, you could make a decent income. But what if - and you can be sure there's always a "what-if" - the stars aren't aligned in your favor and you don't earn enough? I believe the best approach, as most of us do, is to work in the cybersecurity field while doing bug hunting as a side job or hobby in your free time. It's truly a win-win situation.
What is the role of automation in security testing?
Using automated scanners is very useful, as they can save a lot of time compared to manually testing different payloads. However, relying solely on a scanner or any automation tool is risky; you cannot skip the manual testing phase. Fortunately, we're not at the point of being fully replaced by AI, yet.
What are your expectations of bug bounty platforms?
Have good programs, high rewards, reliable and fair triaging system and quick response.
What is your impression of HACKRATE?
I have only positive feedback for them: triaging is clear and fast, program policies are straightforward, and the staff is helpful. To be able to access Avatao's training platform is a huge deal, which consists of numerous learning paths and modules with various difficulties. I hope this platform will continue to grow in the future. What I do miss, however, is the publicly disclosed reports feature - it would be great to learn more from fellow hackers.
Badges
Newcomer: 2/19/2025
Bounty_Hunter: 12/18/2024
Supporter: 2/19/2025
Eyewitness: 10/9/2025