Yassine Aboukir or @yassineaboukir on HackerOne answered our interview questions from his tent on top of a mountain in the French Alps. It’s clear that this Moroccan hacker was born with an adventurous streak and an insatiable curiosity, and he’s not letting the current tumultuous times stifle his free spirit. To him, the flexibility that comes with being a bug bounty hunter makes the ideal environment for fostering adventure. His urge to explore is what propelled him to rank 11th on the HackerOne leaderboard with over 642 security vulnerabilities responsibly disclosed to over 120 high-profile organizations, such as Google, Yahoo, Twitter, Facebook, and Uber. In his seven years on our platform, Yassine has also made friends with many other talented hackers and gone on road trips together, while hacking between their Airbnb layovers. Check out our interview with him below to learn more.
How did you discover hacking?
It was a cousin of mine who introduced me to hacking at the age of 14 or 15, and it was a fun and challenging thing to do as a teenager back then. I used to find security vulnerabilities in random web applications and products, then report them to their respective vendors. However, I did not receive any compensation, nor recognition, in exchange for my efforts and work compared to nowadays. It wasn't until late 2013 that I came across a news article about HackerOne and how it had become possible to legally hack a bunch of companies and get compensated for it. I was quite intrigued and immediately signed up on the platform on November 7th, 2013, and that's how I officially got into bug bounties. Yahoo was the first program I received a bounty from, and the adrenaline rush was real and insane, which encouraged me to keep it going for all these years.
What motivates you to hack and why do you hack for good through bug bounties?
Before I made a career out of it, hacking has been and remains a strong passion of mine, something that I deeply enjoy doing. The intellectual challenge is very appealing to me, as well as the pleasure and euphoria you experience when you manage to find something cool or figure out a bug chain. It also makes you feel accomplished when you see your hard work being recognized by these high-profile companies that you coordinate with and get paid accordingly.
Bug bounty has made hacking much safer now from a legal perspective, as well as being more accessible than it used to be. I've been doing bug bounties for a number of years now and I still appreciate the financial aspect of it, as you can live a decent life off bounties if you remain consistent and have the patience it requires.
What makes a program an exciting target?
Before hacking on any program, I take a look at the bounty table to see if it's interesting and would be worth the time and effort I will be spending on it. The higher the bounty amounts, the more attractive the program is. I also enjoy open scopes, as it allows me to be creative in my own ways, and I love to conduct proper reconnaissance. Furthermore, the program's health is of utmost importance; statistics like time to bounty and time to triage offer good visibility. I assume nobody wants to wait months before getting paid for a bug - some of us do this for a living. With regard to triage, I mostly, if not always, hack on managed programs because of the quick triage, and if anything goes wrong, HackerOne would easily be able to mediate.
What keeps you engaged in a program and what makes you disengage?
It all boils down to the quality of interaction and coordination with the security team. I considerably appreciate it when the team is responsive and has a proper vulnerability management process internally, as it's clearly noticeable from how they handle incoming reports.
It's also important that the program is regularly being updated and maintained like adding more items to the scope, better wording for the security policy, gradually increasing bounties over time, as well as occasionally offering promotions to keep us motivated to dig further.
How many programs do you focus on at once? Why?
I am certainly the type of hacker who prefers to focus on one program at a time because I get to spend just enough time on it to properly familiarize myself with the assets in scope, as well as to understand their threat model and what they are mostly interested in. However, what I mostly enjoy about it would be the professional relationship you end up building with the security team, somehow understanding each other very well with expectations set upfront.
How do you prioritize which vulnerability types to go after based on the program?
I don't prioritize vulnerability types when I hack. It depends on the functionality or the feature that I am testing and what class of vulnerabilities would be applicable to it. For instance, when I am looking into API webhook functionality, I would naturally test it against SSRF vulnerabilities.
How do you keep up to date on the latest vulnerability trends?
Mostly from Twitter, where I follow a number of interesting people and pages involved in bug bounties or infosec in general. I have also joined a few online infosec communities which have integrated RSS feeds and people sharing the latest stuff with each other.
What do you wish every company knew before starting a bug bounty program?
I wish every company had a proper vulnerability management program in place with internal SLAs being strictly enforced. Also, companies should at least have conducted some sort of security assessment to get rid of low-hanging fruit, as I have witnessed so many programs run out of budget or get spammed as soon as they launch the program, mostly due to those small security bugs that could have been identified earlier and easily.
How do you see the bug bounty space evolving over the next 5-10 years?
I am very optimistic about the bug bounty space as we see many companies starting to get involved, or at least set up a responsible disclosure page. Furthermore, a great number of companies in the Fortune 500 are yet to adopt one, but the laws and regulations are becoming stricter when it comes to information security, so that will eventually and hopefully push them to have one.
Apart from that, the bug hunting community is growing exponentially, as we've seen so many newcomers in the past two years compared to when I first started back in 2013. Many of us have even made a career out of it. Online resources are quite available and accessible now, so I believe it shouldn't be too difficult for people with a decent technical background to get involved.
How do you see the future of collaboration on hacking platforms evolving?
I am a huge fan of collaboration! I actually consider myself lucky for being friends with so many talented hackers that I had the chance to collaborate with plenty of times. We've even gone on road trips together while hacking on the road between our Airbnb layovers. The amount of knowledge you learn from each other and the synergy that comes out of it makes it very worthwhile. Bug bounty platforms have also made it quite accessible and easier now by building features that support it.
Great security reports are usually a result of productive hacker collaborations. I've seen it plenty of times during the live hacking events, which I was fortunate to attend.
Do you have a mentor or someone in the community who has inspired you?
I do not have a mentor, but I believe it's important to have one to properly guide you. However, there are many talented people that really inspire me intellectually, such as Orange Tsai, filedescriptor, James Kettle and Tavis Ormandy, to name a few.
What advice would you give to the next generation of hackers?
I'd advise them to have patience and persistence before anything else because of the nature of bug hunting. It's not easy and requires investing a considerable amount of time into it, as well as remaining persistent because you will often be disappointed; it's just part of the package.
Expand your knowledge and stay up to date by reading as much as you can, whether it's research papers, blog posts or disclosed reports.
Don't just blindly rely on automated tools but get your hands dirty every time you hack on a program. These tools are certainly helpful but will never beat manual testing.
What do you enjoy doing when you aren't hacking?
I am an outdoorsy person and I'm literally writing these words from my tent on top of a mountain in the French Alps. I've been hiking on the Mont Blanc tour for a few days now. I also cherish traveling a lot, which I've been doing almost full time for the past two years as a digital nomad, until COVID-19 decided to make an appearance this year and interrupt plans.
I enjoy practicing various sports like running, cycling and strength training. However, when I'm not doing any of those, you will likely find me cruising the streets with my skateboard or photographing with a DSLR camera.