@Samux or Samuel Orellana has been hacking on HackerOne since 2016, but he’s been in the industry long before that. A resident pentester, Samux is also an avid bug bounty hunter, hacking on large companies including Verizon Media, Uber and Spotify. He’s known for his professionalism and dedication to the community and most recently was accepted as a HackerOne Brand Ambassador to be the leader in his local region, Santiago, Chile. We sat down with Samux to learn more about his 5 years of hacking bug bounties and how he’s been so successful. Read more to learn about him!
How did you discover hacking?
When I was studying at university, I encountered a problem with some printers that only allowed a limited number of prints to be printed. With the problem I found, I could print unlimitedly. With that, my interest in hacking was born.
What motivates you to hack and why do you hack for good through bug bounties?
What motivates me the most are the rewards since, thanks to them, I have been able to fulfill many dreams, mainly, being able to help my family,
As a hacker in Latin America, what are the benefits of hacking through bug bounties?
Basically, through Bug Bounty it is possible to get more money than working as a Full Time Pentester.
What do you enjoy doing when you aren’t hacking?
I like spending time with my girlfriend, watching series on Netflix or Amazon. I also like to mix electronic music.
What makes a program an exciting target?
Mainly the rewards. Finding a critical bug in a company that pays a good sum of money is very motivating. Also, the scope. The greater the scope, the more it is possible to learn from the target and then look for bugs.
What keeps you engaged in a program?
Mainly, when a company gives bonuses for vulnerabilities or it adds a new scope every so often.
What makes you lose interest in a program?
When the program takes months to make a payment, or communication with the customer is poor (very slow response time).
Do you recommend hacking on multiple programs or focusing only on one and why?
At first, I would recommend hacking several programs to have different experiences with different companies. When someone already has experience, it is good to focus on a particular program, read a lot of documentation, become familiar with technology, etc.
Do you focus on only one vulnerability attack scenario or do you focus on multiple types of vulnerabilities when you hack on an asset?
I always focus on testing all kinds of vulnerabilities depending on the technology. I like to have my own vulnerability checklist and validate them all.
What are the top three websites, blog posts, accounts, articles, or other resources you follow to learn new vulnerability trends?
For me the most important thing is Twitter, basically following all the people with filters such as Hacking, Bug Bounty, CVE, exploit, etc.
What do you recommend to new companies starting a bug bounty program should do?
I think the most important thing is communication; to be able to debate the severity of problems. Additionally, companies take a reasonable time to pay rewards.
How do you see the bug bounty space evolving over the next 5 years?
I think this will increase much more. For companies, it is becoming easier and more profitable to pay Bug Hunters instead of hiring Cyber Security professionals.
How important do you think collaboration is in bug bounties and what do you recommend hackers and platforms do about this?
It is very good to collaborate with other people, because we all have different ways of seeing things. You can share ideas, tools, different ways to exploit a bug, among others.
Do you have a mentor or someone in the community, globally and locally, who has inspired you? Don’t be shy, give a shout out!
The person who most inspired me to start all this was and continues to be Frans Rosen, for me, he is a genius.
What educational hacking resources would you recommend to others?
I recommend the following resources to learn:
If you had a magic wand and could change one thing on the HackerOne platform, what would it be?
Today, more new public programs start as a private program. It would be nice to see more new public programs to motivate people more.
What advice would you give to the next generation of hackers?
The most important thing is to always be persistent. Sometimes at first it can be frustrating to get a report marked ‘Informative,’ ‘Duplicate,’ or ‘Not Applicable;’ however, these things allow one to learn and improve for the next reports.