What were you doing when you were 13 years old? Doubtful you were a recognized Microsoft researcher with Hall of Fame status at Google, Veris and others.
At 13, Ahsan is a curious, committed hacker living and working in Pakistan. We had the chance to talk shop with him about a bunch of topics, including his recommendations for companies that are putting together vulnerability reporting and bug bounty programs.
When did you start hacking?
About 1 year ago.
How did you discover it?
Actually, my own website was hacked, so I started surfing about security and found that I can not only find security vulnerabilities in my own applications, but in others too and I can also get appreciation for doing so! That's where it all began.
What do you like most about it?
Like most hackers, the challenge and curiosity. In simple words I try to ask myself, “can you hack it?” and that's the main thing I like about hacking, and obviously, bounties. Who doesn't love getting extra cash? :P
As a security consultant, can you tell us about some of the issues you’ve helped companies with?
I cannot tell much as I mostly prefer private bug bounty programs, but of course, I've also helped public bug bounty programs too! :) Mostly XSS, CSRF and IDOR! And sometimes, business logic issues too!
While you’ve still got your security consultant hat on, let’s talk about vuln reports. What would you tell a company that’s just putting their program together? What are the most relevant or important aspects of the report that they should be focusing on?
Obviously, they should focus more on logistical issues, because if you're just a new program, or if you just have a small team, they can take a reasonable amount of time to fix! Although, low-hanging fruit is easy to fix. AND they should obviously be very careful about communication problems; if these occur, researchers will refrain from your program!!
Ditto for the ideal bug bounty program. How would yours be put together?
Uber and Local Tapiola. Uber and Local Tapiola are my favorite programs! And of course the ideal ones for me. So mine would be just like them.
If a company has – or is starting – a bounty program, what’s the most attractive thing they could do to attract you to research for them? For your peers?
* Large surface of scope.
* Bounty or half-bounty on triage.
* Fast response.
You are a Hall of Famer in several programs – Google, Veris, and others, and you’re a recognized Microsoft researcher. Are there any other companies you’d like to serve with such distinction?
Yeah, my current goals are Apple and HackerOne security Hall of Fame.
Can you talk about the DoD vulns and what that experience was like?
Yeah, DoD was an awesome experience. I reported around 15 vulnerabilities, including an LFI, which was a duplicate, and now SQL Injection, multiple XSS, email manipulation, info disclosures etc. are triaged.
What other things besides researching do you enjoy?
Music, football, playing with Beyblades, and soon I am also going to be a YouTuber, so filmmaking too!
And now for the big, probably most boring question you get asked, but we’re gonna go there anyway! ;) What do you see yourself doing in five years?
Well, I am just a learner, so I think (I’ll need to learn) much more about ethical hacking in the next five years, I am also interested in entrepreneurship, so I might also be starting a business related to infosec too! :)
What advice would you give to young hackers that are just getting started in bug hunting / hacking?
New hackers? Yes. Don't think that all systems are secure now, or just don't think things like 'now there are more good hackers than us, how can we hit the infosec industry' etc. But, instead, never give up! Keep learning and enjoy hacking, don't do it for the cash, do it for passion and bounties will come after you! And don't hesitate to ask experienced hackers about anything that you don't understand.
Anything exciting on the horizon for you? What can we expect coming from Ahsan? :)
I'll try to increase my reputation, haha! :P ...and a new startup related to infosec!
Bonus question: What’s the best piece of swag you’ve gotten to date?
The swag that I received from Microsoft.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.