Note that during these interviews I also moderate, so quality may vary.
Profile
- Kevin aka Rhok
- Been doing bug bounties for 4 years
- Works at Okta
- Hacks a couple times a month
- First program: Uber
- First vulnerability: Sensitive Information Disclosure
- First bounty: $3350
- Best purchase: providing money for his parents
- Favorite bug type: RCE
- Mentor: Peter Yaworski
- Favorite tool: Burp
- Hobbies: gaming
Timeline
- During his junior year in college he signed up to drive for Uber and found a PII bug
  - Signed up for HackerOne to report the bug to Uber's private program
  - Received a couple thousand dollars and started to look more into bug bounties
- Bug bounties landed him his first infosec job at Synack as a security analyst
- Currently works at Okta
  - His role is to code review new functionality
  - Provided him with vendor-side insight wrt bug bounties
    - SLA etc.
Live hacking events
- First event he was invited to was h1702
  - Didn't know what to do, went in head first
  - Met Peter Yaworski
Collaboration
- What does it mean to you?
  - Motivate each other
  - Everyone has a different mindset
- Often collaborates with
  - ZephyrFish
  - Zseano
  - Yaworski
Learning
- Reading things from hacking activity
- Going on YouTube or just googling things
- Talking to people in the community, e.g. on Twitter
- Once did 120 bugs in 120 days
  - Read an article by Shubs doing 30 bugs in 30 days https://shubs.io/high-frequency-security-bug-hunting-120-days-120-bugs/
  - Wanted to challenge himself
  - Lessons learned
    - Really get to know your target
- Started following bug bounty hunters on Twitter and their blogs
  - Peter Yaworski
  - Frans Rosen
  - Matthias
  - Jack https://hackerone.com/wkcaj
- How to learn new things
  - Do research
    - How did they go about it
    - Whitelist vs blacklist
    - What tools did they use
  - A lot of reading
  - CTF
    - Helps you think outside of the box
    - Promotes collaboration
Programming
- Codes with Python
- Not required for hunting but helps, especially with code review
- Helpful for automation
Advice
- Be patient
  - Don't constantly ask for updates, as it's immature
- Don't be lazy
  - Don't immediately reach for tools such as SQLMap
  - Try to understand how it all works
Methodology
- Recon
  - Understand what the product is about, what they have to offer
  - I do more vertical recon as opposed to horizontal