rijalrojan is a long-time bug bounty hunter, student and CTF creator. He is constantly expanding his knowledge, whether that's at California State University Fullerton getting his Computer Science degree or learning new programming languages and stacks online. rijalrojan plays a big part in the HackerOne community thanks to his willingness to share knowledge with others, teach students and host workshops on campus; he's the epitome of collaboration. Read on for his past experience, what he thinks makes a great program, and his strategies.
How did you discover hacking?
I mainly got into hacking trying to understand how applications were made and what made them vulnerable. From there, I got curious about how all the tiny pieces of the puzzle combined to form the internet. Understanding those tiny bits and breaking them apart was super fun, so I decided to pursue hacking as a career.
What motivates you to hack and why do you hack for good through bug bounties?
I see bug bounties as a challenge to try and learn new things and systems. It is always fun to look into an application or a company that I have never hacked on before. The excitement of finding vulnerabilities and working with companies around the world motivates me to hack. I hack for good through bug bounties because I consider myself fortunate to have the opportunity to do what I like to do from the comfort of my home. I like to pay it forward and help others when possible through the bounties that I get from companies.
What makes a program an exciting target?
There are a lot of things that can make a program an exciting target. For me personally, an application that is hardened or has hurdles to hack makes it exciting. When a company makes it hard to hack, I take it as a challenge and try to find vulnerabilities on them.
What keeps you engaged in a program and what makes you disengage?
I like to have open communication between me and the program. If a program provides feedback on the reports I am sending or is updating its scope to highlight more of what it wants hackers to look at, I tend to stay with that program for a long time. Another factor is response time: if a company/program is fast at triaging and responding, it shows me that they care about the bug bounty program and that it is not just a checkbox on some compliance requirement they needed to meet.
How many programs do you focus on at once? Why?
I focus on 2-3 programs at once. Usually it could even be just 1 program for 3-4 months. I tend to do this to understand the company's architecture. I like to get as much information as I can on my target before I start hacking on them to make sure I am finding 1) valid bugs and 2) quality bugs. When I focus on a program for a few months, it gives me an opportunity to map out everything I need to know about them: technologies being used, third-party software used, open source projects by the program, common mistakes made when building things, etc. Once I have the pattern established, I start the hacking process and continue from there. Then, as I hack more on the program, I increase the attack surface as I improve my understanding of the target. This has helped me find bugs on systems/features that were brand new and that the security team had not even reviewed.
How do you prioritize which vulnerability types to go after based on the program?
I currently have a set of vulnerabilities that I go after by default. I tend to focus on application security + corporate security so most of my prioritization is done based on what scope I am provided with.
What do you wish every company knew before starting a bug bounty program?
Starting a bug bounty program is a commitment. If a company is starting one, they should be committed to it and have enough resources to properly manage the program. If you take a look at HackerOne's hacktivity, there are certain programs that have consistent hackers and reports coming in; this is because they manage the program well, know what they are doing and dedicate time and effort to it. Bug bounty programs should never just be a way to get reports and pay hackers out; they should be a way to maintain and foster relationships with external hackers.
How do you see the bug bounty space evolving over the next 5-10 years?
We will definitely see new vulnerabilities coming out that were either previously too hard to achieve or something that no one thought of exploiting. We will also see an increase in automation, with new tools and services coming out. One thing I recommend we be careful of is that we are not reinventing the wheel; instead, help improve tools that already exist rather than building a completely new tool that does the same exact thing plus a new feature.
How do you see the future of collaboration on hacking platforms evolving?
I think collaboration will soon change to team activities and competitions. We have seen indications of this with HackerOne live events encouraging more team activities. I think in a few years we will probably even see eSports-like hacking competitions held against live targets, where teams compete against each other to find quality vulnerabilities.
Do you have a mentor or someone in the community who has inspired you?
There are definitely a couple people I would love to shout out:
- Jobert: Since he was my mentor and helped me out a lot when I first started to work on HackerOne's triage team.
- Johnny: I met Johnny at an event held by Tinder and since then he has helped a lot with both hacking and career advice.
- Yaworsk: he encouraged me to hack on Shopify which honestly I would have never done because I always thought "Shopify is big, they are definitely going to have 0 vulnerabilities". He helped change that mindset by answering questions I had when I was hacking on the program.
- Eduardo Vela has been another awesome person to work with; I ask him about weird things when I'm trying to hack Google.
What educational hacking resources do you wish existed that don't exist today?
I'd like more practical labs with real-life vulnerabilities. CTFs mimic some of these systems, but some CTFs still focus on making unrealistic challenges that you usually don't see.
What advice would you give to the next generation of hackers?
Be curious, practice and don't be afraid to learn new things.