Hacking veteran @ralamosm has been in the business of bug hunting for 20+ years. An MVH-earning hacker and constant presence on the Chilean Leaderboard, ralamosm is an inspiration to anyone who has a passion for breaking things and a willingness to learn. When he’s not hacking, ralamosm spends time with family, reads comics, and rocks the table tennis game. Read on for advice from ralamosm on living up to your hacking potential and making it in bug bounties.
How did you come up with your HackerOne username?
It's my name :)
What motivates you to hack and why do you hack for good through bug bounties? *
I'm simply doing what I love the most in terms of self-expression. Fortunately for me, it happens to pay very well and gives me full independence, which makes it even nicer.
As a hacker in Latin America, what are the benefits of hacking through bug bounties?
Bug bounties give hackers in Latin America amazing opportunities to reach heights you won't get to through regular jobs.
What makes a program an exciting target?
Their responsiveness with the hackers and obviously the bounty table.
What keeps you engaged in a program?
A program where you can tell your reports are being taken seriously.
What makes you lose interest in a program?
Slow response times and holding bugs unfixed for several months so duplicate reports keep coming in.
Do you recommend hacking on multiple programs or focusing only on one and why?
It all depends on your own style. I tend to keep one main program and try to learn as much as possible from them as possible. At the same time, I keep a couple of secondary programs I re-visit from time to time.
Do you focus on only one vulnerability attack scenario or do you focus on multiple types of vulnerabilities when you hack on an asset?
I'm interested in high/critical issues, which may vary from program to program. But if I happen to find some lower issue, I'll report it anyway.
What are the top websites, blog posts, accounts, articles, or other resources you follow to learn new vulnerability trends?
Hmm, I'd say reading HackerOne Hacktivity and following as many researchers/bug bounty hunters on Twitter.
What do you recommend to new companies starting a bug bounty program should do?
Run a pentest on HackerOne before starting a bug bounty program so you can remediate any low-hanging fruit.
Do you have a mentor or someone in the community, globally and locally, who has inspired you?
I've been hacking for a long time so I'd just like to say thanks to the hackers who wrote in Phrack or the Spanish ezine SET more than 20 years ago. It was your content that hooked me into this beautiful activity.
What advice would you give to the next generation of hackers?
I'd tell them the same thing that previous generation of hackers told us 20+ years ago; we used to have very few resources to learn from but there's plenty now. Use it, practice, and you will make it.
Any last-minute thoughts you want to share?
One last piece of advice to my fellow hackers: one thing that has impressed me the most is that many hackers don't try to reach the heights of bounties paying 5 digits because they think it's too difficult or impossible for them. Please don't. Mentally allow yourself to do it and work like mad to reach those heights. You may not reach them, but without a doubt you will improve your results. This same idea allowed me to reach those heights and even earn my first MVH, a thing I thought to be impossible when I first started attending HackerOne events