@Wolf101 has always been curious about the world of technology. It’s no surprise to those who know him that this passion led to a successful hacking and cybersecurity career 15 years strong. What started with Linux became a pentesting career and eventually led to bug bounty hunting. Wolf101 is ranked in the top 25 on the HackerOne Argentina leaderboard. His first valid vulnerability on HackerOne was reported during the h1-5411 live hacking event in his hometown of Buenos Aires back in September 2018. He’s received praise for his work ethic and leadership and, when asked about working with Wolf101 on a vulnerability submission, a CISO said, “Wolf101 has been a great partner showing professionalism, great communication, and friendliness. The reports are thorough and clear.” Read more for Wolf101’s perspective on bug bounty programs and recommendations on getting started.
How did you come up with your HackerOne username?
At the end of the 90s, my dial-up provider assigned wolf101 as my email and user id. From that moment, I decided to trust in internet destiny and wolf101 would be my digital ID.
How did you discover hacking?
After finishing high school, I was interested in technical stuff. The first step was to use the Linux system, develop in C/Bash and Python, and finally to explore how to identify and exploit vulnerabilities in public infrastructures. I started my career as a pentester in 2007.
What motivates you to hack and why do you hack for good through bug bounties?
To be challenged! That is the main motivation from my perspective; comfort zone is not a valid word for ethical hackers. We have to be continuously learning because the community has been growing constantly.
As a hacker in Latin America, what are the benefits of hacking through bug bounties?
To get connected with hackers from other countries and get the chance to hack big companies. Bug bounties give us the chance to interact with different markets and maturity levels. Bounties have a positive economic impact in the region, allowing us to be full-time hackers.
What do you enjoy doing when you aren't hacking?
Read and listen to other hackers and their reports! :)
What makes a program an exciting target?
An open and deep scope. Programs with credentials, different levels of access, and contextual information help a lot to understand the attack surface to be targeted.
Do you recommend hacking on multiple programs or focusing only on one and why?
I highly recommend focusing only on one, as the main goal of the hacker is to add value to the program by discovering interesting vulnerabilities and finding those that compromise the business behind the program. Understanding an attack surface and its business context is key in getting to know your target.
Do you focus on only one vulnerability attack scenario or do you focus on multiple types of vulnerabilities when you hack on an asset?
That is a good question, and it depends on the hacker. I see both: good results just being focused on one vulnerability and hackers with an arsenal of tools and vulnerabilities that cover different areas.
What are the top three websites, blog posts, accounts, articles, or other resources you follow to learn new vulnerability trends?
HackerOne, Telegram bots that compile info from different sources, and the PortSwigger blog.
What do you recommend new companies starting a bug bounty program should do?
My recommendation to them is to use bug bounty programs to fuel their vulnerability management process. Bug bounty is one of the key sources that a company needs to understand vulnerabilities and exposed risk.
How do you see the bug bounty space evolving over the next 5 years?
I think the number of vulnerabilities is going to be reduced as the customers will reach maturity levels by implementing security by design and zero trust strategies. Vulnerabilities are going to be the result of research, and they are going to be an added value.
How important do you think collaboration is in bug bounties and what do you recommend hackers and platforms do about this?
Synergy is the key. Collaboration is the result of the synergy between hackers that have similar skills and different approaches. With collaboration, you improve and increase both the levels of quality and coverage.
Do you have a mentor or someone in the community, globally and locally, who has inspired you? Don't be shy, give a shout out!
For me, the community inspires me — both the old and new hackers. Read reports from skilled people and read reports from people that have started a few months ago with similar levels of creativity and impact to get the true potential of the community.
What advice would you give to the next generation of hackers?
Be proactive, patient and continuously learning. We will wait to learn from them.