Note that during these interviews I also moderate, thus quality may vary.
Profile
- cofounder HackerOne
- 29 years old
- started hacking at 11 years old
HackerOne
- Genesis when 13 years old
  - Visual Basic book
  - Website got defaced -> learned about hacking and started hacking himself
- Started a company after graduating, worked for the Dutch government and companies etc.
Workflow
- Deep dive
  - read docs
  - ask questions
  - always be learning
  - take a lot of notes
  - what's interesting -> the defenses that are in place
  - read up on the company -> what is the impact of a bug besides the technical one
- Look for one bug type at a time (a lot of work)
  - helps you go deeper on each iteration
  - better coverage
  - use the knowledge for continuous integration
Tips
- Never stop learning
- Be eager to understand what you're looking at
- Focus on learning to keep you motivated
- Focus on one target -> leverage information to find more
- Use what you know
  - GitLab uses a similar stack to HackerOne
- Pay for features once you feel confident in bug hunting
  - Mention it in the bug report for clarity and perhaps reimbursement or a bonus
- Attack surface is not always in new additions but in deleted ones
- IDOR
  - Don't use existing IDs; authorization is already in place
- Beginners
  - Hack your own code
    - sunny day vs rainy day
    - write tests with random input, for example
    - try all the things that you expect to go wrong
    - try to break it
    - think outside of the box
  - Structure it for yourself and focus on learning
  - Security is thinking about defensive programming: anticipate tampering and how you handle these cases.
  - Book: Atomic Habits
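An added example, not from the interview or from HackerOne's code, of the "hack your own code" advice above: a sunny-day test and a rainy-day test with random input, run against a deliberately flawed document lookup and its hardened form. The data, function names and the bug are constructed for illustration.

```python
import random
# Constructed sample data (an assumption for this example): document id -> owner.
OWNERS = {101: "alice", 102: "alice", 103: "bob", 104: "carol"}

class Forbidden(Exception):
    """Raised when the caller does not own the requested document."""

def lookup_insecure(user, doc_id):
    # Sunny day works; the rainy-day bug is the `user and` guard, which skips
    # the ownership check entirely for an empty or missing user.
    owner = OWNERS.get(doc_id)
    if owner is None:
        raise KeyError(doc_id)
    if user and owner != user:
        raise Forbidden(doc_id)
    return {"id": doc_id, "owner": owner}

def lookup_secure(user, doc_id):
    # Hardened: validate the id type first, then require ownership
    # unconditionally, so no caller state can short-circuit the check.
    if type(doc_id) is not int:
        raise ValueError("doc_id must be an int")
    owner = OWNERS.get(doc_id)
    if owner is None:
        raise KeyError(doc_id)
    if owner != user:
        raise Forbidden(doc_id)
    return {"id": doc_id, "owner": owner}

def sunny_day(lookup):
    # The case you expect to work: the owner reads their own document.
    return lookup("alice", 101)["owner"] == "alice"

def rainy_day_leaks(lookup, trials=2000, seed=7):
    # Feed random users and ids, including the ones you expect to go wrong (unknown
    # ids, wrong types, an empty user), and count every document handed to a non-owner.
    rng = random.Random(seed)
    users = ["alice", "bob", "carol", "mallory", "", None]
    leaks = 0
    for _ in range(trials):
        user = rng.choice(users)
        doc_id = rng.choice([rng.randint(90, 115), str(rng.randint(100, 105)), None])
        try:
            doc = lookup(user, doc_id)
        except (KeyError, ValueError, Forbidden):
            continue  # an expected rainy-day rejection, not a bug
        if doc["owner"] != user:
            leaks += 1
    return leaks
```

Both versions pass the sunny-day test; only the random rainy-day run exposes the bypass in the insecure one.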
Tools
- Burp
School
- Learned how technology works
- Spent 10 weeks on the IP stack
- Learned more about software development and architecture
- Made him a better hacker
Certificates
- Not needed
- Forces you to learn a particular thing
- HackerOne profile > certificate
Links