@cache-money comes from a software engineering background and later switched to security engineering. After a year of full-time bug hunting, he has since dived back into the security engineering world with a heavy offensive focus, and he continues to bug hunt in his free time. He’s submitted over 100 vulnerabilities to government-run programs and has found critical vulnerabilities in companies such as Uber, Shopify, GitHub, and Salesforce. He’s reported over 600 vulnerabilities on HackerOne and is currently ranked 31st in the world. Keep reading to learn more about his motivations to hack!
How did you discover hacking?
I think it was around 7th or 8th grade or so when I started messing around with game mods and configs. For example, there were client-side tweaks I could make which would end up giving me advantages over other players. I think that fascination and excitement are what kicked off my curiosity, and led me to continue learning about computers and security.
What motivates you to hack and why do you hack for good through bug bounties?
I enjoy the challenge of it. I see hacking as similar to working on any kind of puzzle. Instead of completing a Sudoku, why not try to hack a company? There are a few differences, like not knowing whether a solution exists or not, but that’s made up for by the fact that you get paid if you pull it off. It’s also great to have the opportunity to hack companies with products that I use, so I can feel comfortable about the security of my data.
What makes a program an exciting target?
Having a knowledgeable and engaged security team is key in my opinion. A high bounty table plays a big role for me as well. If your critical payouts are less than the “medium” payouts on other programs, I’m probably not going to bother looking. Working on programs that have wide scopes and products I’m familiar with also plays a large part in my excitement towards the target.
What keeps you engaged in a program and what makes you disengage?
I would again say a big part of what keeps me engaged is how engaged the program’s security team is. Working with a company that genuinely cares about security, and is willing to work with me to escalate and identify the full impact of bugs is essential. Quick payouts are also a huge benefit in my opinion. I usually disengage from programs that tend to downplay the severity of bugs submitted to them. It’s also not great if a program is unwilling to help by not answering questions, or not utilizing their internal knowledge to consider the full impact of a given bug. Aside from that, it’s difficult to stay engaged in a program that’s slow to pay, because of the loss in momentum. A program that’s slow to fix also makes engagement difficult, due to the higher likelihood of duplicates.
How many programs do you focus on at once? Why?
There’s no specific number; it depends on what I’m trying to achieve. If I’m trying to test one bug across a bunch of different programs, then many. If a new program that looks interesting launches, I might spend a couple of hours doing a quick pass on that to see whether it’s worth sinking more time into. If so, I’ll just focus on that for a bit.
How do you prioritize which vulnerability types to go after based on the program?
I ask myself what the company cares about.
How do you keep up to date on the latest vulnerability trends?
By reading about someone finding a bug in something I’ve concluded there were no bugs in.
What do you wish every company knew before starting a bug bounty program?
That it’s going to take work on their end to get the most out of the program. Engaging with hackers and responding to their reports with details goes a long way. Hackers work with programs they trust, and building relationships is essential to keep them coming back.
How do you see the bug bounty space evolving over the next 5-10 years?
I think it’s going to continue to grow, and there will be more companies that will have “bug bounty” as a line item in their security budgets.
Do you have a mentor or someone in the community who has inspired you?
My dude @ngalog is a genius. I’m confident he can find a critical bug in any target he comes across.
What advice would you give to the next generation of hackers?
There’s at least one thing that all hackers have in common, and that’s persistence. There’s a confirmation bias in that you only ever see successful bugs and exploits. Keep in mind that behind each of those are hundreds of hours of limited success that have shaped the hacker to be able to find that bug. Keep grinding. Keep learning.