Chinese hacker Terry Zhang, also known as @pnig0s, has over eight years of experience in the security industry, including leading technical teams at large companies in China, such as Alibaba Group. On the HackerOne platform, he’s reported multiple critical issues to some of our largest clients. In his first live hacking event, h1-4420 in London, Terry brought home not one but two awards: ‘The Assassin’ for maintaining the highest signal and ‘The Exterminator’ for reporting the best bug of the event. Read some great insights from him below.
How did you come up with your HackerOne username?
Wanted to be unique so I picked this name. The meaning is a little bit dark and rarely being used. But now I realize it's all about how to remain anonymous on the Internet. Especially for a hacker.
How did you discover hacking?
The QQ is widely used in China, and at my school age, accounts stolen happened quite often. I was curious on how this could be possible and gradually stepped into the hacking space by learning some basic WEB vulnerabilities and pentesting skills.
What motivates you to hack and why do you hack for good through bug bounties?
The bounty is definitely the most important factor here. Having a flexible schedule with a decent income is the lifestyle I’ve been dreaming about. I tried working as a full time bug hunter for about a year and found that I kind of enjoy the "uncertain" life, just miss working with people. What also draws me to bug bounties is the great sense of achievement you get when you find a critical bug on a challenging target, and that’s what motivates me to keep doing it.
What makes a program an exciting target?
Products with rich functionality or complex role and permission models (think about cloud platforms which combine all kinds of service cross different layers). I rarely do massive recon on the targets and prefer to dig into the product to understand every feature and its underlying API and data flow.
What keeps you engaged in a program and what makes you disengage?
Fast triage speed and quick bounty payment. Also I really like to work with a team that has a clear understanding of their own product, so you don’t need to explain every minor thing and they can quickly understand the attack scenario that is demonstrated in your report. I'll quit the program if the team is unresponsive or obviously treats some reports unfairly.
How many programs do you focus on at once? Why?
I always focus on one target at a time. I love to go through the product feature by feature, API by API, and follow up every update of the product. This can give me a great advantage to use net thoughts to draw the whole picture and find bugs that involve multiple features or require multiple-step configuration. As I mostly look for AuthZ issues or logic issues instead of technical bugs, gaining more knowledge of the target is definitely helpful. Also this can minimize the possibility to get duplicates. I'll switch to another program when there haven’t been many feature updates on the target in a certain time period.
How do you prioritize which vulnerability types to go after based on the program?
When facing a new target, I'll try every possible vulnerability class the first time as a baseline test in order to figure out what vulnerability class most likely exists on the target and which part of the application has done really well. Take Facebook, for example, they’ve got a robust protection in place for technical bugs like CSRF, XSS and SQLi, but due to the amount of objects and complex role models, but you can still find privacy issues, logic issues here and there, relatively easier than technical bugs.
How do you keep up to date on the latest vulnerability trends?
I follow many people on Twitter that are active in the community. Everytime there's a new vulnerability pop up, someone will tweet about it. Also I keep a close eye on HackerOne’s public hacktivity and Intigriti Bug Bytes. These resources save me a lot of time versus trying to find information myself.
What do you wish every company knew before starting a bug bounty program?
Hope the company can treat whitehat hackers with respect and see the value in their hard work. Also it's better to have some baseline security testing to wipe out bugs on the surface before starting a bug bounty program, otherwise the budget could be easily blown up. Bug bounty in my opinion is more suitable to enhance the security protection rather than build it from the ground up.
How do you see the bug bounty space evolving over the next 5-10 years?
Personally I think the bug bounty will not replace pentesting in the future, but I believe this "crowd sourced" model will be used in more security domains like pentesting to optimize the traditional workflow.
How do you see the future of collaboration on hacking platforms evolving?
By leveraging more platform features, I believe collaboration can be easier. The platform can provide some ways to let whitehat hackers find others with a proper skill set that they are willing to work with.
Do you have a mentor or someone in the community who has inspired you?
James Kettle's cutting edge research always inspires me. Whenever I am stuck, I'll check his research work, not for a solution but to help me open my mind. Met him during live hacking events a couple of times. Really hope someday we can hack together.
What educational hacking resources would you recommend to others?
Hackerone 101, Portswigger Web Security Academy and PentesterLab.
What advice would you give to the next generation of hackers?
Bug hunting is a long term thing. Never push yourself too hard. Stay casual and stay in this game.
What do you enjoy doing when you aren't hacking?
Hiking or any outdoor activities.