With over 400 vulnerabilities submitted, it’s no secret that @dkd is an awesome hacker. His testimonials and Thanks received including being ranked #1 on Mavelink’s program speaks volumes to his work ethic and professionalism when finding and submitting vulnerabilities. Dkd is generally private but he agreed to share his story and experience hacking in this blog post. Read about what keeps him hacking all these years!
How did you discover hacking?
Having been in IT for more than 10 years, security was one of the untouched fields from a learning perspective. In 2016 I read a news article about someone who was rewarded for finding a bug by Facebook. Then I became curious to know more about security and started learning.
What motivates you to hack and why do you hack for good through bug bounties?
The primary reason I hack through bug bounties is to improve the security and privacy of users and help companies to secure their product. In exchange for our services, bug bounties help financially too.
What makes a program an exciting target?
Exciting targets contain well-defined policies and good bounty ranges for different categories. Once you submit a report, communication is the key between researchers and programs.
What keeps you engaged in a program and what makes you disengage?
Good communication is essential for the programs. It keeps me engaged throughout the program’s life. Sometimes I still hack on certain programs even when bounty range is not good when communication is the best. I disengage from programs when their communication is not proper or the program doesn't address concerns.
How many programs do you focus on at once? Why?
I focus on 1 to 2 programs at a time. The reason is to give full attention and find as many vulnerabilities as possible. To understand the application better, I need to dive deep. It helps to understand overall application flow.
One private program has excellent communication and I really love the way they work with me. In case of disagreements, the whole team is so helpful. They involve senior analysts and even the program manager to help explain the scenario.
How do you prioritize which vulnerability types to go after based on the program?
I always prefer one step at a time. To keep this in mind, I focus on all vulnerability types. Based on the program’s interest and severity range, I look into everything from critical to low severity. But certainly I go after critical severity to get paid a good bounty reward.
What do you wish every company knew before starting a bug bounty program?
Companies should be well prepared to handle the lifecycle of bug bounty. It includes sufficient staff, bounties, communication, and triage time for reports and more.
Programs should write well-defined policies, scopes, and bounty ranges. They should be very open in communication.
How do you see the bug bounty space evolving over the next 5-10 years?
I am very optimistic about the bug bounty space. It is going to keep blooming and growing. In addition, the bug hunting community is growing exponentially to help the programs to secure their products. Each and every company should start a bug bounty program or at least set up a responsible disclosure page according to their capacity.
How do you see the future of collaboration on hacking platforms evolving?
The future of collaboration is already there. We have seen this with live hacking events and even programs have opened the space in reports. There is always an opportunity to learn all the time. There are times when you get stuck in one place, but, with help and collaboration, you will see the best output.
Do you have a mentor or someone in the community who has inspired you?
I do not have a mentor but I wish I did. However, there are many talented people that really inspire me intellectually such as Orange Tsai, James Kettle and Frans Rosen, to name a few.
What advice would you give to the next generation of hackers?
The Internet is full of resources. One can learn from free to paid resources. Read, learn and practice. I would highly recommend Hacker101.
What do you enjoy doing when you aren't hacking?
I enjoy playing badminton!