From when he was 14 years old, Joel — better known as @niemand_sec on HackerOne — has always been passionate about hacking and the community. After studying engineering in university, Joel proceeded to become a pentester and has grown his career to now be an independent security consultant and system engineer. Since joining HackerOne in 2016, he has found over 224 vulnerabilities and hacked on top programs including U.S. Department of Defense, Grab and Glassdoor. When Joel’s not hacking, you might catch him watching sports, enjoying the outdoors, spending quality time with friends and loved ones, or trying new food. Read on for more!
How did you come up with your HackerOne username?
“Niemand” is a nickname I have been using since I started to hacking professionally, and it means “nobody” in German. Before that, I used to change it from time to time depending on the hacker forum or game I was playing at the time.
How did you discover hacking?
Back when I was 14/15 years old. I remember that I used to be part of multiple hacking forums that were famous at that time and I even ran one myself for a while. Nothing fancy for sure, but it helped me to get into the basics of exploiting, web hacking, and programming. Good old times programming in batch :)
What motivates you to hack and why do you hack for good through bug bounties?
Every time you face a new application, program or target, you end up discovering new things and improving your skills. This is one of the characteristics I love the most about hacking.
New challenges always attract me and there are endless things to learn. I’ve been following the same approach since this whole path began and it helped me to always stay motivated, active, and interested. Believe me when I say that being bored is not even in the equation when you are testing your skills against certain given targets.
Despite being a place where I can challenge myself, I find bug bounties are a great way to get a monetary reward for all the invested hours (both on learning and testing).
As a hacker in Latin America, what are the benefits of hacking through bug bounties?
Despite the place where you are working from, this is an incredible opportunity since we can choose companies or scopes that you would not have access to when working for most companies. As I mentioned before, I always enjoy challenging myself and trying to hack every single set of technologies that companies use. Well, that's where bug bounties come into play, as they are one of the greatest ways to accomplish this.
What makes a program an exciting target?
There are two things that I always look for when I get an invitation. First, how big the scope is, and second, how challenging this very same scope technology and architecture is.
Recon is something I love to do. There are countless techniques to try when discovering new assets and they are mostly automatable. That is why I love programs with wildcard subdomains; those legacy servers are always out there waiting for us :)
What keeps you engaged in a program?
The diversity of applications and assets in scope. I love having the opportunity to switch from testing web applications to reverse engineering binary code from time to time. So, if a program has both things in scope, I'm definitely in!
What makes you lose interest in a program?
I usually put a lot of effort into showing the real impact and risk that a particular bug might have for a company. It is disappointing to see when programs are not mature enough and do not properly recognize and value this.
Do you recommend hacking on multiple programs or focusing only on one and why?
For people that are just getting into bug bounties, I would recommend staying on a particular program and try to learn as much as they can about their applications and technologies in use. It is not that weird to see many programs that have been public for a very long time and no one looks at them anymore because they think that everything has been reported. However, you may be surprised!
Of course, it is normal to spin around until you find a program where you feel more comfortable and you can learn and have fun while trying to discover some new bugs.
Do you focus on only one vulnerability attack scenario or do you focus on multiple types of vulnerabilities when you hack on an asset?
There are, of course, particular bugs that I always look for when testing an asset, such as SQL injections, XXE and SSRF bugs. (I obviously don’t limit myself to just those, but they are always a reliable example when talking about this.)
Furthermore, I always try to focus on high and critical-impact bugs, no matter what the type is. I know this is not an easy task but this has always pushed me to learn new things and find interesting edge cases or bugs that nobody else has found yet.
What are the top three websites, blog posts, accounts, articles, or other resources you follow to learn new vulnerability trends?
Twitter is one of the main places where I look for news. I can definitely tell that it is a great place to find talented researchers, as long as you blacklist all the political things from your feed beforehand :) However, when it is all about learning a particular topic, I prefer to approach a book for deep reading rather than scrolling through social media.
What do you recommend to new companies starting a bug bounty program should do?
Starting slowly is key when you are new. Take your time and try to identify what you have before kicking off your program. This approach will help companies avoid including all their assets in scope at the same time. Just think about how overwhelming this would be for the development teams.
Every time a new program is launched, and depending on how many hackers get invited to participate in it, triage teams are going to get tons of reports that may or may not be valid bugs. Knowing and understanding what assets you have marked as in scope will help you not only to save your time and resources while processing the reports but also to understand what is being reported and the risk involved in that particular issue.
How do you see the bug bounty space evolving over the next 5 years?
I believe that collaboration and automation will be the main areas evolving in the upcoming years.
How important do you think collaboration is in bug bounties and what do you recommend hackers and platforms do about this?
The best bugs are usually the outcome of collaboration. Do not be afraid of working with friends or other researchers; you will quickly realize that ideas are much cooler when working together. I believe that collaboration should be one of the key points of the cybersecurity world.
Do you have a mentor or someone in the community, globally and locally, who has inspired you? Don't be shy, give a shout-out!
As a pentester, I had the opportunity to work with amazing people that turned out to be sources of motivation for my learning path. Nico Waisman (https://twitter.com/nicowaisman) and Andres Blanco (https://twitter.com/6e726d) are examples of what I just mentioned. Also, Leandro Barragan (https://twitter.com/lean0x2f) is another great researcher with whom I truly enjoy collaborating with.
What educational hacking resources would you recommend to others?
Solving practical exercises is the best approach to consider in my opinion. Playing and investing good time with vulnerable Virtual Machines, Capture The Flag events, and challenges where you can get your hands dirty and build up your hacking mindset is a great way to learn.
In my case, I remember spending a lot of time on HackTheBox trying to own as many boxes as I could. It has been a very enriching experience.
What advice would you give to the next generation of hackers?
Nowadays, there are countless resources online that will help you to learn and develop almost any topic you are interested in. Use those resources to learn the foundations.
However, I would also recommend researchers take their time to experiment with everything they read on their own. It is really common to see that a new technique or attack gets public and everyone tries to replicate this on every available program, without even looking into the internals of the bug.
Again, take time to read and understand what the bug is and how the attack works. Analyze the proof of concept, modify it in order to make it work based on your needs. Maybe you might need to identify possible bypasses for the fixes and you will end up discovering a new way for exploiting the bug! This approach will help you in the long term. Trust yourself and you will be able to find the very same kind of cool bugs that you always read on Twitter.