Firstly, I love HackerOne. I wouldn’t be where I am today without it. However, criticism where criticism is due.

On May 24th 2019 I received an invitation to a private program on HackerOne. This isn’t unusual, but the program name caught my eye. It was an invitation to the “Uber H1–4420 2019” program. Now, I can’t talk specifically about the program details, but after agreeing to a three year NDA with Uber I was able to see everything people invited to the live hacking event “H1–4420” needed, including non-public information. I didn’t, however, receive any details about the event itself. …


I felt like writing today. I don’t know if or when I’ll hit publish, but I needed to type these letters on the screen. I want to show all of my friends my past, every last detail of what has made me who I am today. I can’t do that. I can’t send a message to that person who’s been an absolute gem to me and word vomit my life at them. I can’t send a message to an old flame telling them how talking to them makes my heart flutter, and how I’m still kicking myself for fucking up so badly. I think about the people I haven’t met who will become some of my closest friends, and how they’ll tell me about all the bad stuff that’s happened to them around the time I was writing this. The stuff they’re going through right now. I think about the friends I’ll never get to meet because someone decided they didn’t deserve to live. My mind is a battlefield of emotions. It’s not depression, it’s like a dim star which gets brighter the closer I get, but I spend my life trying to reach it. I want to tell everybody I meet that everything’s going to be okay, and I truly care about them. This isn’t something I can do. It’s not socially acceptable. But I want to. It’s overwhelming to not have a voice. It’s overwhelming to feel alone. There’s so much on my mind. I wish it didn’t take me 10 minutes to write a reply to a friend. I wish I could talk to them for hours about anything and everything and not feel like I’m being too much. I’m not looking for solutions. This is life. …


In this post I want to discuss hunting for bugs, the effect on a hacker’s mental health, burn out, and productivity.

Image for post
Image for post

About Me

Hi, I’m Nathan, and I’m a (now) full time bug bounty hunter. Since 2015 I’ve been participating in bug bounty programs and I’ve earned tens of thousands of dollars in rewards. I’ve worked with some amazing companies and found some really neat bugs, and I’ve also completely burned out and gone months without even attempting to find a vulnerability. …


SMB not required.

Image for post
Image for post

On the 25th of October, 2016, I woke up and thought to myself “How easy would it be to hack the NHS?”. By lunch time I was writing a report.

I started by looking on Shodan for any Internet-facing machines which might be of interest. It came to my attention that the NHS had its own ASN (AS41373 — NATIONAL HEALTH SERVICE) which made my quest far easier. Shodan has an ASN filter to limit results to a specific ASN. After a few minutes I discovered a webserver (194.176.105.219, also known as monitor.nhs.uk) with a simple login form. From here I could have gone multiple routes, but I decided to test for SQL injection first. …


So you think your memes are safe…

Image for post
Image for post

I’ve been meaning to write about this for a while. It all started back in July 2015 when I decided to look for vulnerabilities in Imgur, an incredibly popular image sharing platform.

The reason I chose Imgur was because I frequently visited the site and I was already familiar with how the site worked. After a quick survey, I managed to identify some common vulnerabilities: XSS, clickjacking, and a whole load of CSRF issues.

Reporting the issues proved to be a little difficult. The only way I could see to contact Imgur was through their support system which wasn’t suitable for reporting security issues. Eventually, August 1st, I wrote up a report detailing the issues, shipped an email off to security@imgur.com, and waited. …

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store