Harsh Jaiswal, or @bugdiscloseguys, has been an avid HackerOne hacker since he signed up in January 2016. Since he first discovered hacking through Facebook, he has sharpened his application security and bug bounty skills, landing security engineer positions at Zomato and Vimeo. Most recently, Harsh and his friend Rahul Maini were inspired by Sam Curry and his team’s blog post on their three-month stint hacking Apple. They chose to focus only on critical findings and ended up finding a 0day on Apple too. Check out their write-up to see how they made $50k by hacking Apple’s Travel Portal. We had the opportunity to virtually sit down with Harsh and hear more about his bug hunting strategy and his point of view on vulnerabilities. Keep reading to learn more!
How did you come up with your HackerOne username?
I’ve been asked this by many in the community. TL;DR: My friend (Rudra) and I started our journey in hacking together. We created the same account and wanted to disclose our findings, so we named it “bugdisclose” + “guys”. We soon realized that’s not how disclosures work. We never went back to change it, as it reminds us of our start.
What motivates you to hack and why do you hack for good through bug bounties?
I take hacking as my passion. I enjoy my time breaking web applications, doing source code reviews and diving into web apps from a security standpoint. If I can use this to earn some good money and help secure well-known companies, then why not 😉
What makes a program an exciting target?
As I prefer to focus on business apps, a program with a complex web application with a lot of functionalities is my go-to. I know that’s what I’m good at.
How many programs do you focus on at once? Why?
One or two, sometimes. I like to dedicate my time to one program at a time. The simple reason is: this helps me learn more about their application, backend, and infrastructure. It helps me easily identify if there’s a new feature and the pattern of vulnerabilities. Cool findings often also impress the team on the other side; it’s very useful for future employment. I’ve found my best bugs this way and even got a full-time job at Vimeo!
How do you prioritize which vulnerability types to go after based on the program?
I like to focus my time on server-side vulnerabilities (SSRF, RCE) or authentication/authorization (OAuth issues, IDORs). These vulnerabilities generally lead to good impact.
When I hack on a program, apart from hacking itself, I also want to impress people who read my report. That’s been a big motivation for me, so I try my best to report an impactful or creative bug.
What do you wish every company knew before starting a bug bounty program?
Understanding the community. Infosec, and especially the bug bounty community, has evolved over the years. Before you start out, have someone who understands this community help reduce the gap between the program and the researcher.
I think @ziot has done a great job on this question in his Hacker Spotlight Interview: https://www.hackerone.com/blog/hacker-spotlight-interview-ziot.
How do you see the bug bounty space evolving over the next 5-10 years?
I believe bug bounties will become the primary way of hiring in AppSec. I’ve seen numerous examples where a program has asked their researcher to apply for an open role at their company, and it makes sense. You can see their AppSec skills right in your inbox, and they already know your product very well as an attacker.
More products are being built every day and launched at godspeed, more private data is being put online, and it’s no wonder all this requires world-class security; Bug Bounty has proved its value numerous times. So I believe we’ll definitely see more programs launch in the coming years. With that, competition in monetary rewards will increase, and we’ll see how bounty amounts evolve over time. Some companies now, such as Apple, Facebook, and Zoom to name a few, are already paying $50k-100k for high-impact web bugs, and I’m sure more companies will catch up with them and follow these bounty tables.
How do you see the future of collaboration on hacking platforms evolving?
Collaboration is definitely a key way to get good at bug bounties. We already see it being recognized by platforms through bounty split or collaboration features. Some hackers even get bonuses during live hacking events because of collaboration.
What educational hacking resources would you recommend to others?
HackerOne Hacktivity, Hackthebox, Hacker101, The Web Application Hacker’s Handbook.
If you had a magic wand and could change one thing on the HackerOne platform, what would it be?
Two-factor auth; it takes ages to log in. I’d love to fix it.
What advice would you give to the next generation of hackers?
Enjoy the process, don’t rush it. It takes time, keep learning!
What do you enjoy doing when you aren’t hacking?
Going on walks, listening to music, and trying my bad sketch skills.