Please tell us a little bit about yourself and how you entered the bug bounty field.
People know me as @Yappare on Twitter and other social media. I have been an ethical hacker since 2010. I stumbled into bug bounty in 2013. I don’t come from an IT background. I was a chemical engineering student. However, I learned about hacking during my time at University.
It all started in college back in 2008. There was a group of senior students who were keen on ethical hacking. I learned about what it is from them. I would keep asking them questions, but they would dismiss me, asking me to Google it and learn by myself. However, I was very persistent. Finally, one of the guys sat down with me one night and taught me how to crack a password. This is what developed my interest in ethical hacking, as it felt like solving a puzzle. These seniors then invited me to join their team in ethical hacking competitions, which helped me grow my knowledge base.
So when time came to start working, I found my calling in ethical hacking. One of my seniors asked me to join his company after I graduated and that’s how my journey started.
What are your achievements as a bug bounty hunter?
When I started bug bounty, I worked for a year in PayPal’s bug bounty programme. This helped me clear all my student loans. After that, I worked with BugCrowd. I have earned a huge number of points in BugCrowd since 2015 and this has helped me get in the ‘Top 10 Hackers’ list of all time. I am now associated with Synack where I am in the ‘Top 100 Hackers’ list. Another achievement that I am proud of is Google. I have received recognition such as interesting bugs for the week/month a few times. I have also found bugs for Zerocopter.
I partake in international conferences to educate people about bug bounty. Not only does it help my learning, but it also helps others learn and in a way enables me to give back to the community.
Why should companies actively consider bug bounty? What are the advantages of the same, especially for smaller companies?
Bug bounty is extremely critical for small and medium enterprises. The first step, however, for them should be to get penetration testing done and fix obvious issues. They can then use their bug bounty budget effectively to solve mission-critical challenges.
Bug bounty is a continuous process that can help smaller companies stay on top of security issues and fix problems before they can do damage to their business and spoil their reputation. Also, being a pay-per-bug model means it is very cost effective. This is a big plus for smaller companies as they do not have large security budgets.
Which ethical hackers do you follow and consider your mentors?
I have learned a lot from my seniors and colleagues. I have always turned to them for guidance and advice. Two of them in particular have always been helpful and significant in my career growth. They are @pokleyzzz and @y0ndi3. I look up to them and follow their approach to ethical hacking.
What is your advice for the younger generation of ethical hackers who want to enter the field?
First, do not randomly do testing for any company without permission. Make sure they have a bug bounty programme and only then consider testing through the right channel.
Secondly, learn as much as you can. Undertake extensive training. There are many courses available online that can help you learn. For web, look at PentesterLab and Portswigger Web Academy, and for network assessment, consider Hack The Box, Virtual Hacking Labs and OSCP Certification.
Lastly, do not expect results in your early attempts. They might be a failure but do not give up. Try to understand what you missed that caused the failure and learn from your mistakes in your next bug bounty.