Cosmin (@inhibitor181) was born and raised in Romania but has been living with his wife and two dogs in Germany for the past six years.
When he was a university student, he decided to attend the HackAttack seminar in Hamburg, and that sparked his interest in hacking. In late 2017, while working as a full-stack developer, Cosmin immersed himself into the bug bounty world for the first time, and he hasn’t looked back since.
He says he learned the tricks of the trade by following those on HackerOne's leaderboard and reading HackerOne's disclosed reports on Hacktivity. His hunger for knowledge and prolific reading and research empowered him to go from a negative signal to a million-dollar bug bounty hunter in just two years on our platform! Because of his consistent ability to churn out great work and march to his own beat, Cosmin was also crowned The Assassin at the h1-65 live hacking event in Singapore and secured the title yet again in London at last year's h1-4420 live hacking event. Even though his journey has been nothing short of spectacular, Cosmin is humble and keeps himself grounded. Read more below to get inspired.
How did you come up with your HackerOne username?
The "inhibitor" part is actually from a sci-fi book trilogy written by Alastair Reynolds called "Revelation Space" that I enjoyed reading some years before joining HackerOne. The 181 part is mainly because "inhibitor" was already taken and it represents the date 08.11 a bit more indirectly.
How did you discover hacking?
I have known the basics about hacking since my first job as a software developer (about 10 years ago) because I was supposed to not write vulnerable code, but I never did anything offensive, it was purely defensive. On the other hand, I discovered the existence of bug bounties in mid 2016, after attending a practical hacking seminar, and it clicked really fast for me.
What motivates you to hack and why do you hack for good through bug bounties?
The main motivator for me is the money I earn and that was also why I switched to full time bug bounty hunting one and a half years ago. Don't get me wrong, I absolutely love doing this and I would not do it if I did not like it. Also, not having fixed work hours or a boss was something that I have always wanted, and bug bounties helped me achieve this.
What makes a program an exciting target?
For me it was always the payout ranges and a pretty decent scope. This is because I have always thought that higher payouts attract better hackers, which raises the bar even more, so the competition is higher. As I have a competitive nature, this has always been a good motivator for me. Of course there are exceptions here, but this was my general way of thinking.
What keeps you engaged in a program and what makes you disengage?
If I feel that I am appreciated on a program, nobody tries to evade anything, and there is decent transparency, I remain engaged in the program. There are some things I do not care much about like how fast I get paid or how fast my bugs get triaged, which is very important for others. On the other hand, I am pretty volatile and if I feel that someone does not respect me, tries to evade payments with idiotic reasoning, or fails to answer any questions I have with decent reasoning, I will simply write an "Ok" and I will never touch them again. It happened with a few programs and even with a platform.
How many programs do you focus on at once? Why?
Only one program. I think that deep diving in a program is what advantages me. It is a decision I made after trying to attack everything in the beginning and having bad results. After switching tactics I had better results and I continued doing it like this. Also, I do not use a wide variety of tools, nor do I have any wide scope automation, so I feel that I am unable to be competitive in this area. The tools I use are mainly written by me and have extremely specific and narrow jobs, but in my experience so far this was what really gave me a plus.
How do you prioritize which vulnerability types to go after based on the program?
I mainly have the same route for the programs I attack. If I have devoted more time to a specific program, I will see what's important and what’s not, and will focus more on what is. Usually the policy + experience is enough for me.
How do you keep up to date on the latest vulnerability trends?
This is a minus for me because I am investing a lot of time in a specific thing and I pretty much miss on various other things. Twitter has always been a goldmine for me and I usually read articles posted / retweeted in my "free" non-hacking time. If I find something interesting, I take a screenshot and come back to it for a more deep understanding. Also, HackerOne's Hacktivity and PentesterLab have helped me gain more knowledge.
What do you wish every company knew before starting a bug bounty program?
Know your assets, know you budget, know what you want and do not overextend. I think that each company needs to tailor the program to their own needs, but they are the ones that know what's important.
How do you see the bug bounty space evolving over the next 5-10 years?
I think that the trend will continue (maybe not so steep after this period) and we will see more competitive programs appearing. We see that more and more things are put online so the integrity and confidentiality of everyone's online data should be that much more important, hence the continuous rise of bug bounties. This is a pretty unique market that pays on results so I think that everybody wins when a company has a bug bounty program.
How do you see the future of collaboration on hacking platforms evolving?
I think that some people will find that it's in their advantage to be part of a team, and some people will see that it's in their advantage to do it solo. More teams will appear, some will disappear, but I think that the general trend will be towards more collaboration.
Do you have a mentor or someone in the community who has inspired you?
The only "mentor" I had was everybody. I was always inspired by many people that made me thrive for more, made me jealous at first, or simply made be feel stupid. This combination of feelings that came in general from the community and not from just one person helped me become better and has always kept me motivated.
What educational hacking resources do you wish existed that doesn't exist today?
As I am fairly new to offensive hacking, I cannot think of anything worth mentioning. I had my ways of learning and I would not change it. I think I simply evolved with this world and I cannot imagine a significantly better way I should have done it before.
What advice would you give to the next generation of hackers?
Know that bug bounty is not something you learn in a few months. It has an extremely steep learning curve, so be prepared to invest much time in doing it. Keep yourself motivated with your own ways and do not give up hope. I think that bug bounty is pretty unique for each individual so try to gather as much knowledge or input from many different people, but in the end pick what works for you, not what X or Y says it's good.
What do you enjoy doing when you aren't hacking?
I really like climbing mountains and visiting different places, so I try to do it a few times per year. I also like playing PC games, binge-watching or walking with my dogs.