Pedro Worcel, aka @benteveo, has over a decade of experience in the IT industry, including several years as a programmer in Java, PHP, Python and C++. He has developed many software solutions but is best known for his open source tool droopescan. During his years as a security consultant, Pedro conducted penetration tests for a large number of private and government clients, and eventually founded his own company, which he runs with his wife. Since joining HackerOne in March 2014, @benteveo has found many high or critical security vulnerabilities, including remote code execution, server-side request forgery, cross-site scripting, and XML entity injection, among others. He was selected as hacker of the year for Verizon Media, and a top hacker for another private program, along with several invitations to live hacking events. Read our interview with him below for some great hacking tips.
How did you come up with your HackerOne username?
The benteveo is a very common bird in South America. My wife Gabi and I chose it as our company name because it is very dear to us and because we thought that some of the bird’s behaviors, as well as its bug-based diet, were very fitting.
How did you discover hacking?
I have been interested in hacking my whole life. I can remember a couple of times when I was a child when I used my computer skills to get more points on an online game or obtain access to the DSL modem’s password, which had been changed because of my bad grades at school. I started to get more serious about it around the age of 18, when I started doing hacking challenges. These gave me the final push that I needed to start programming, and also gave me the skills to get my first programming job, which led to my first hacking job.
What motivates you to hack and why do you hack for good through bug bounties?
I hack because I like the challenge. I think hacking is a very broad field and there are almost no limits to the number of things you can learn. To give you an example, you can be a really good web application hacker, but if you start getting into reverse engineering or kernel hacking, you are basically starting again from scratch. Some skills eventually transfer over, but learning is the most important part of any new project for me.
What makes a program an exciting target?
I think there needs to be a good balance between the bounty amounts, the willingness of the company to pay for all kinds of bugs, and mainly the willingness of the company to actually fix the bugs you report. Another important factor is whether the company is well-known, and that they work in an interesting field.
What keeps you engaged in a program and what makes you disengage?
In the past I’ve stopped working on programs because even though they paid for bugs they never fixed any of them, and I started getting too many duplicates due to this. Another issue for me is time to payment; some bounties take over three months to fix and pay, which makes it very stressful.
How many programs do you focus on at once? Why?
I only hack on specific programs that I know through experience are good. Looking through my profile, I mainly hack Verizon Media, although I have hacked other private programs. The reason for this is that I believe my way of finding bugs comes from understanding a company’s external attack surface, as well as their overall architecture. Starting a new program gives me less money for my time and takes a lot of effort.
How do you prioritize which vulnerability types to go after based on the program?
Once you find a specific vulnerability for a specific company, the chances of finding another bug of the same type increase, so I tend to prioritize looking for similar bugs. This is because certain technologies and development practices tend to fail in similar ways. For example, I found a lot of vulnerabilities of the same type, SSRF, due to the way that a vendor designed their APIs and their network layout.
How do you keep up to date on the latest vulnerability trends?
I think there is a lot of value in keeping up to date, but I try to not get very caught up in what others are doing because there is also a lot of value in doing your own thing. Particularly in the bug bounty space, most publications are out of date the minute they are published. This is because in general nobody is going to publish any research that gives away a potential source of bugs, so they will wait until the knowledge is no longer viable before publishing. For general IT news I read Hacker News.
What do you wish every company knew before starting a bug bounty program?
Having a bug bounty program does not guarantee a hacker will look at your web applications and perform a review of them. In order for a hacker to invest their time, they need certain assurances in terms of monetary rewards and responsiveness.
How do you see the bug bounty space evolving over the next 5-10 years?
Personally, I think right now it’s a great time for doing bug bounties, and I see it getting better. I think competition for talent is going to be more and more fierce, which will result in higher payment amounts and a larger amount of bug bounty programs and scope.
What educational hacking resources would you recommend to others?
I really like hacking challenges rather than courses or more formal training. While it can feel silly to do “make believe” hacking, there is huge value in doing these challenges, struggling through them, and then coming out at the other end with another skill, another technique. What I find fascinating is that the same techniques that you will be using in these labs are also the ones you’ll use to find bugs if you are a penetration tester or a bug bounty hunter. Personally, I use Pentester Labs as it’s cheap, didactic, and thorough.
What advice would you give to the next generation of hackers?
I’m not comfortable giving advice to people because I’m not sure what I’m doing myself. That being said, my advice would be to focus on being a decent human being and treating others with respect. While finding a bug, getting it published and then released can feel good, this eternal search for external validation can frequently lead to burnout and is a little bit of a rat race.
Another piece of advice would be to not focus on how many bugs other people are finding. Other people have a different availability, other priorities, and a whole other set of moral guidelines. Comparing the number of bugs you find to the number of bugs they find is comparing apples to oranges in a sense, and it is best to focus on enjoying what you are doing now.
What do you enjoy doing when you aren't hacking?
I love spending time with my daughter, just hanging out with her and watching her grow. I also enjoy spending time outdoors, hiking and running!