On this series on career path, Mosimi interviewed cybersecurity profesionals on bug bounty. Bug bounty is a tactical path in cybersecurity that gives security researchers an opportunity to report vulnerablilites in softwares and application that can be exploited. Bug bounty programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse. There are various bug bounty platforms that offers bug bounty hunters an oppourtunity to get paid for finding security flaws in applications/softwares. This includes Hackerone, Bugcrowd, Facebook, and Google Project Zero among others. Bug bounty programs promotes responsible disclosure and it is powering millionnaire hackers globally. According to HackerOne, “a critical vulnerability solution can yield a hacker an average of $3,384.”
“As long as there are software vulnerabilities, there will be millionaire hackers!”– Mårten Mickos (CEO HackerOne).
Enjoy the interviews and do check out our previous series on Security assessment and Governance, Risk and Compliance(GRC).
Francis Odeke
Francis is a cyber security consultant with one of the big 4 firm, with vast experience in penetration testing. He derives joy from hacking systems. When he was a child, he wanted to be a medical doctor but then, he grew up. 🙂
What attracted you to this career path?
I have always been intrigued by the craftiness involved in hacking. Watching technology driven American movies as a young child, exposed me to the facinating ideology that no matter how advanced a system is developed to be, it can be broken into. So I decided to go with the path of breaking into systems (hacking) to improve system security.
How has your first few years in bug bounty been for you?
Bug bounty is like mathematics, if you solve a problem you would be very happy and moltivated. If not, you become frustrated. I was met with large frustration as hunting bugs can be quite challenging and time consuming.
What would you wish someone had told you before going into this field?
I wish someone had told me not to be jack of all trade and master of none! The trick to bug bounty is to perfect testing for one or two vulnerabilities, perfect the technique and limit your hunting to just those few vulnerabilities. Focus more on subdomains; the main domains are mostly where everyone hunts at and this is where the organisation’s resources and support goes to, which decreases your chances of actually catching a bug.
What would be an important piece of advice for someone who is considering going into your career path?
- Get this tutorial on Udemy “Offensive Bug Bounty Hunter by Vikash Chaudhary”
- Use “Bughunter University” on how to write report
- Learn how to send follow up emails
- Join Bugcrowd and Hackerone, study each public disclosed report and
- Make Google your best friend!
What advice would you give someone prior to getting a job in this field?
- Attend any cyber security related conference
- Follow bug bounty hunters and cyber security professionals on linkedin and twitter
- Make Cybrary.it your friend
- Make Google and Youtube your best friends
- Join Hackerone and Bugcrowd
Do you have a mentor?
Yes sure, we all need a mentor!!!
Shuaib Oladigbolu
Shuaib Oladigbolu is a CS student at Ladoke Akintola University of Technology and also a bug bounty hunter who helps companies secure their online assets. His work focus specifically on web and android applications security. In his free time, Shuaib enjoys reading and watching movies. Presently, he works as a software and security engineer at Tidepool.
What attracted you to Bug Bounties?
Bounties; the idea that companies are willing to pay for bugs found in their software and that my contribution would also make the internet a safer place.
Was there something you wish you knew when you started?
Yes, bug bounty can be tough; you need to be persistent and not be afraid of failures. Also, being more professional in writing reports can earn you unexpected rewards.
What would be an important piece of advice for someone who is considering going into your career path?
I first heard about bug bounties in the mid of 2015 when a friend told me about it. We had an interesting conversation; companies would pay us for disclosing flaws on their website to them. Since he was already learning at the time, he shared the resources he had been using.
Once my friend snagged his first bounty, I thought it was high time I start studying this too. Then I signed up on the bug bounty platforms I could find at the time, HackerOne and Bugcrowd during the last quarter of the year. I was very much occupied with my academics at the time, so I started studying during the semester break. I got my first bounty in the first quarter of 2016; this was from a private program on HackerOne, and I was so filled with joy when I heard. Ever since, I have worked on other platforms such as Synack, Cobalt, Zerocopter, and tons of website with independent responsible disclosures.
I have not always been successful with all my reports, but I got better over time; even my first few reports were either marked informative, duplicate or not applicable. Then I put more effort in submitting good reports which would be easily understandable and reproducible by the receiving team. Whenever the explanation of an attack got complex while writing a report, I would include a video demonstration and sometimes a script which automates the attack if possible. The later got me my current consulting offer with Tidepool.
My advice for people starting out in this field is to know themselves. Know what works for you, especially how you learn; some learn with books or videos or both. And finally, learn to take good care of yourself.
You can do it!
Do you have a mentor? How important is it to have a mentor in the Infosec field?
Yes, I have people I look up to. It is very important to have a mentor; an experienced individual who has once been in your position or a similar position that will facilitate your growth and success.
What’s the most underrated skill someone needs to have to excel in this path?
This would be paying attention to details, I have been fortunate in finding some awesome bugs in programs populated by a lot of highly skilled researchers and also missed some too. 😀
How do you continuously keep yourself updated?
Twitter and blogs; reading writeups by various individuals in the security industry.
What professional courses would you advice?
I would strongly recommend Offensive Security courses.
Do you have any regrets so far?
Nah!
About Author:
Mosimilolu Odusanya is a cybersecurity senior consultant with experience in IT Audit and IT Security Consulting. She has assisted SEC-Listed organisations with various cyber security projects from Security Assessments, Data Privacy Law Implementation, SCADA Assessments, etc. She have also have worked with various clients in various sectors including Oil & Gas Companies, Financial Institutions, Insurance Companies etc.
One of her goals is bridging the gender gap in cyber security by motivating women to join the Cyber Security Industry. She is also available for a chat/discussion if any lady needs it.
She enjoys travelling and blog about her experience on www.eattechtravel.com.
