Jarmo Puttonen, better known as “@putsi,” is one of Finland’s most successful hackers and continues to shape the local bug bounty scene as a member of Team ROT — a collective of Finnish hackers who work full-time in information security and bug bounties, and give back to the community by volunteering for security-related pro-bono projects.
Besides being a talented hacker, Jarmo is also an avid cat lover and a chilli-growing enthusiast. When he’s not spending time with friends or his furry companions at home, @putsi likes to travel and hike the stunning Nordic trails, even during the coldest months. In fact, he truly channels what the Finns call “sisu” — the mindset of seeing challenges as opportunities and embracing a spirit of fortitude and perseverance when the odds are against you. With two hundred days of winter in Finland, Jarmo doesn't wait for a sunny day to go out and enjoy nature. He applies the same ideology to his work projects and his contributions to the hacker community. Read more about him below.
How did you come up with your HackerOne username?
My friend came up with it, it's a short version of my last name so nothing fancy.
How did you discover hacking?
Almost by chance. During my BSc studies, I applied to an infosec-themed internship without really knowing what to expect. I learned some hacking basics there and was instantly hooked.
What motivates you to hack and why do you hack for good through bug bounties?
The challenge and the feeling of achievement are great motivators as bug bounties often require you to give 110% and think outside the box. I always try to learn something new while hacking and seeing my skills improve is really motivating. I hack for good because it's a good way to give back to those in need.
What makes a program an exciting target?
A program that has something uncommon or complex in scope, like IoT gadgets or interfaces for remotely controlling other devices. Also, it's exciting to hack in Finnish bug bounty programs since I'm from Finland.
What keeps you engaged in a program and what makes you disengage?
I usually keep hacking in programs that have decent bounties, fast payments, wide scope and good communication. If a program seems really defensive during report communication, it often makes me disengage because such programs often downplay severities or make valid reports out-of-scope.
How many programs do you focus on at once? Why?
About 4-20. I have some programs that I hack continuously and then some that I hack only once and move on.
How do you prioritize which vulnerability types to go after based on the program?
Initially I just mash buttons and see what happens. After submitting a couple of reports, you can see a bit what kind of vulnerability types are common with the specific program and go after those.
What do you wish every company knew before starting a bug bounty program?
Do a penetration test first and save some money.
Don't start a BB program just to tick a box for a certification.
Remember that the hackers are here to work with you and not against you.
How do you see the bug bounty space evolving over the next 5-10 years?
Bug bounty automation and related scanning services get more popular. Vulnerabilities become less XSS and more logical. Vulnerabilities become more complex to detect and exploit.
Do you have a mentor or someone in the community who has inspired you?
What educational hacking resources do you wish existed that don't exist today?
There are plenty of good resources already but I'd like to see more actual published reports and write-ups.
If you had a magic wand and could change one thing on the HackerOne platform, what would it be?
Make all programs public and all fixed reports disclosed.
What advice would you give to the next generation of hackers?
Remember to study, learn and research in addition to hacking.
What do you enjoy doing when you aren't hacking?
Spend time with my SO and friends. Walk on trails. Travel. Grow chilli.