Miguel Regala, also known as @fisher, describes himself as “half hacker, half daydreamer”. He is living proof that when done well, daydreaming results in greater levels of creativity and innovation.
Miguel found his first bug while digging around Google Drive, and the results landed him on Google’s bug hunter hall of fame. Since then, he’s reported vulnerabilities to high-profile organizations such as Verizon Media, Shopify, Uber and the U.S. Department of Defense. Miguel also solved our h1-702 2018 CTF and won a trip to Las Vegas to compete in the live hacking event itself, which made history as the highest-paying event at the time.
For Miguel, the adrenaline rush of finding a bug makes the long hours worth it. Most recently, he decided to put his 6+ years of pentesting and research experience to good use and started his own podcast. Check it out here and read below to learn more about this legendary hacker.
How did you come up with your HackerOne username?
Fisher has been my go-to name ever since I went online in the 2000s. It's a short homage to one of my favorite characters of all time, Sam Fisher from Tom Clancy's Splinter Cell.
How did you discover hacking?
My first experience with hacking started in an IT classroom at school. Someone discovered a way to send messages between computers, making a command prompt pop up on other screens. I believe it was using something like `net send`. That was interesting and sparked my curiosity. I started digging online, and BackTrack, now Kali Linux, was making its debut. I didn't know what I was doing, but the tools it included already allowed for some cool stuff. Around the same time, WiFi's WEP had been cracked, so using Aircrack-ng and doing wardriving was lots of fun. I remember hopping in the car with my older brother and driving around the city, looking for vulnerable hotspots and cracking them. A couple of years later, the infamous ms08_067_netapi module came along, so after cracking the network you could easily gain remote access to a computer. After I did that, I would usually leave a .txt message on the victim's desktop explaining that they should upgrade their WiFi security to WPA as soon as possible. By that time I still had no idea what I was doing, but it was fun and it kept me interested.
What motivates you to hack and why do you hack for good through bug bounties?
Let me be blunt, I started doing bug bounties because it's profitable. I know most hackers shy away from saying this, but that's the truth. If the bug bounty industry only had VDPs, yeah, I might hack here and there, but I'd probably stick with doing CTFs with a team and having that heated competition going. Thankfully, bug bounties do pay. So combining that AND being fun and thrilling, it's a winning combo. Obviously, by now and after doing bug bounties for a while, it's hard not to hack on a live target. In fact, if you ask around, people will tell you that if they don't hack for a while they start getting this 'itch', that feeling of wanting to hack. So, paradoxically, if bug bounties dried up overnight, I guess I'd still hack often. Besides all of this, the truth is that when you take a step back and reflect on what you're doing, you really do get this warm, fuzzy feeling of knowing you're doing something to improve the world — hacking for good. Maybe it's not as blunt as being a health professional, but it does help. And I know for a fact many bugs have been discovered through bug bounty which were most definitely being used by state actors, so that is an empowering feeling.
What makes a program an exciting target?
For me, a good target has a combination of a well-defined scope and an appropriate reward incentive that makes it worthwhile to invest time into. I hate doing recon and having to go head to head with hackers who are insanely good at it, so I'd much rather stick to a small scope and go deep into a web app, trying to understand everything about it from frontend to backend.
What keeps you engaged in a program and what makes you disengage?
I'd say the TPM (technical program manager) on a program has a huge influence on which programs I hack on. I know that whatever happens they have my back and do their best to get me covered. Obviously, besides that, working with a fair, responsive team from the program side is crucial. It always makes your day when you submit a high or critical severity finding and the program team is surprised or just gives you a compliment on it.
How many programs do you focus on at once? Why?
Right now, I stick to a handful of programs. Literally. Less than one hand, actually. I finally LISTENED to the advice of the more successful hackers who tell you to focus only on one or two programs, and I have been doing that this year. It's actually much more relaxing, too, since I hate hopping on a new program, having to compete all over again for the first bugs, being anxious to cover everything in a short span of time, etc. This way I'm much more laid back and can focus on the programs I know and build knowledge on them over time, which in turn lets you make associations between features and assets that you wouldn't be able to make otherwise.
How do you prioritize which vulnerability types to go after based on the program?
It really depends on the program, the type of features, services, backend they have, etc. I might go for a stack-based approach or a feature-based approach, i.e. testing a feature for every type of bug instead of focusing or prioritizing one over the other. But overall I try to focus on the high and critical bugs first and then do the other stuff when I'm more tired.
How do you keep up to date on the latest vulnerability trends?
Either I don't (that is, I stay away from Twitter for a while) or I stick to a couple of resources: Stok's Bounty Thursdays, Intigriti's Bug Bytes curated by the phenomenal Pentesterland, and my Twitter feed. If I'm really into it, I can descend into the madness that is #bugbountytip or #bugbountytips on Twitter.
What do you wish every company knew before starting a bug bounty program?
They should be comfortable with awarding big monetary values. The human mind works in funny ways and the bug bounty space is still a new thing, so it's weird for people to be paying researchers for work. Other than that, they should be ready to respond, triage, award and mitigate the vulnerabilities, especially in the first couple of weeks. But honestly, before that they should do one or two pentests (which HackerOne now offers) and mitigate the vulnerabilities found there before moving on to opening a program.
How do you see the bug bounty space evolving over the next 5-10 years?
Not sure. I know it's definitely going to keep blooming and growing, with more programs and rewards getting higher too. The competition is also getting fiercer, and as security problems get remediated at the framework or even browser level, things will get harder. So I feel there's gonna be a gap between the really top, elite hackers and the entry-level, beginning hackers. That's not to discourage anyone, it's more of a heads-up that in order to be successful it might be best, especially in the beginning, to focus on one technology or one type of bug and really master it.
How do you see the future of collaboration on hacking platforms evolving?
I see it becoming the standard of the space. It's great to hack solo, but nothing beats hacking with a mate or a team. I always describe it as each of us having a number of pieces of a puzzle. After a while, you start building that puzzle together and deliver some bugs that only that collaboration can foster, because of the motivation, associations, joint effort and knowledge that different people bring to the table. I feel very fortunate that I had the pleasure of always hacking alongside someone, especially during the live events, starting with André, then team BlazeIT and now DISTURBANCE. I think we did some trailblazing on this front, as we showed the potential that a team of highly motivated and skilled individuals can have. This helped normalize the team concept, and more teams followed, either officially or not, at LHEs and outside, always yielding spectacular results (just read Sam's write-up along with Ben, Ziot, Tanner and Sam) - mind-blowing stuff. Overall I believe all of this helped push the need for platforms to officially support the team concept and functionality, which thankfully is under development now 🙂.
Do you have a mentor or someone in the community who has inspired you?
My first shout-out goes to everyone from the DISTURBANCE team - 0xACB, Stok, Rhynorater, Spaceraccoon, TomNomNom, Corb3nik, Europa and Teknogeek. We had so much fun hacking, remotely and in person. I love these guys and I hate that we didn't get to spend time together this year because of the pandemic. I need to give a shout-out to the Blazers - Donut, Zlz, Yassine, jllis, and ramsexy. Other than that, there are so many people in the space who inspire me and who I have a blast hanging out with, including Inti, Arne, Preben, Ron Chan, Ben, Frans, cdl, fd, yaworsk, naffy. Not to mention all the HackerOne staff, from the community team, Jessica, Luke, Jenn, Ariel, to TPMs and triagers, Shlomie, Joaquin, Allan, Prash, Jobert (who is gone), patrik, pomme. Yep. I could go on forever 😅
If you had a magic wand and could change one thing on the HackerOne platform, what would it be?
Privacy options to hide my profile 😊
What advice would you give to the next generation of hackers?
Follow the advice of the top hackers. Like, do it. Don't just read or listen to it, actually do it. The advice is usually the same - stick to a program, start with a specific bug, go slow, keep at it, read, learn, practice. Also practice hacking with other people since it can give you that extra step you might need to crack the first bugs.
What do you enjoy doing when you aren't hacking?
Ooof. I love animals, so my cat and dog are the go-to stress relievers. Besides that, I dabble in online games, pretend to know how to surf, play Airsoft and work out so that I get bigger than Pete.
Any last-minute thoughts you want to share?
Stay awesome, stay safe!