@arnswinnen started hacking when he was 14-years-old but his bug bounty career didn’t officially begin until five years ago, when he hacked on an Instagram program while on vacation with his girlfriend. He says things really took off for him when HackerOne invited him to join the platform, and he has since dedicated himself to bug hunting full-time. Arne appreciates the flexibility of making his own schedule, while enjoying quality time with his son. Arne is also passionate about giving back to the community. He recently used his experience to further fuel the Hack for Good mission by organizing The Cyber Security Challenge Belgium (CSCBE) — a national competition between students, which aims to raise awareness and interest for cyber security in his home country. Read on to discover more about why Arne hacks for good through bug bounties.
How did you discover hacking?
During my Computer Science education at the University of KU Leuven, the course "Secure Software" caught my interest. From thereon, I joined the University's CTF team, which was pretty active at the time. In my final year I did an internship for a security-oriented firm and was hired by that same company after graduation as a Junior Penetration Tester. This is where I really deep-dived into practical hacking techniques, both from colleagues and certifications.
What motivates you to hack and why do you hack for good through bug bounties?
I've always enjoyed being challenged, ever since I was a kid. The thought of finding a loophole really motivates me and pushes me to dive deeper, which often leads to unexpected outcomes. I believe I naturally like the challenge that is required for hacking.
Four years ago I switched from pentesting consultancy to full-time bug hunting, since it allowed me to become independent and do the same technical work without being occupied with sales. Being able to work from home and make my own schedule is also a big plus with a 2-year-old. Four years ago, remote work was not heavily adopted yet in Belgium, but that has somewhat changed due to COVID-19 now. I still do some freelance pentesting on the side, which is the perfect combination for me.
What makes a program an exciting target?
I prefer hacking on Core (web) applications instead of doing wide recon, so the more complex the main application of a target is, the better for me. You could say that I like targets with a large Core app attack surface. When I already came across the target or was an active user before they launched a bug bounty program, it is extra interesting, since this gives you a head start.
What keeps you engaged in a program and what makes you disengage?
The smoothness of the triaging process of bugs is a big one for me. I appreciate quick feedback and payouts. Additionally, I'm easily triggered by regular time-limited promotions or a new scope (e.g. new features or acquisitions).
How many programs do you focus on at once? Why?
I always focus on one application at a time, often for weeks or even months at a time. This allows real deep-diving and often gives you an edge after a while, because of all the acquired knowledge of this specific target.
How do you prioritize which vulnerability types to go after based on the program?
I typically focus on server-side issues, since they naturally interest me most. Depending on the program, I might focus on certain server-side vulnerability classes, e.g. IDORs, if I see incremental integers coming across or SSRF if there is a lot of functionality that allows callouts to external addresses, etc.
How do you keep up to date on the latest vulnerability trends?
Mainly write-ups of bugs published via Twitter and/or Hacktivity. I also typically investigate new research being published at conferences such as Defcon.
What do you wish every company knew before starting a bug bounty program?
Every hacker needs their own pair of credentials :-).
How do you see the bug bounty space evolving over the next 5-10 years?
I believe that bug bounty will absorb a decent chunk of the (remote) pentesting space, hereby continuing the fast growth of both programs and hackers of the past years.
How do you see the future of collaboration on hacking platforms evolving?
Personally, I think collaboration is something that will mainly thrive during both Local and worldwide (Virtual) Live Hacking Events. The combination of a competition format and being in the same (virtual) room with like-minded hackers is the perfect environment to work together towards a shared goal.
Do you have a mentor or someone in the community who has inspired you?
I didn't really have a mentor, but all the research that Frans Rosén shared publicly during my bug bounty journey so far has always really inspired me. Inti De Ceukelaire is also someone who I admire, both for his super creative hacking and presentational skills.
If you had a magic wand and could change one thing on the HackerOne platform, what would it be?
Having the ability to send a report or question directly to someone of the program's security team. Due to the complexity of some of my bugs, it becomes a real challenge to explain how to reproduce a bug exactly to someone without inner knowledge of the target (e.g. H1 triager).
What advice would you give to the next generation of hackers?
The more time you spend on a target, the more bugs you will find, period. Don't give up too early and invest time in learning how each product works exactly. That is something AI will never be able to replace completely.