Most hackers remember their first bug.
For Jack Cable (@CableJ), it was discovering he could send negative amounts of money to other bank account holders at a financial institution, effectively stealing money from their accounts. He disclosed this to the company at the time and they awarded him a bounty.
A few years later, and as a 17-year old he is discovering dozens of vulnerabilities in major companies and oh yeah, the U.S. Air Force.
HackerOne recently sat down with Jack, who found 30 unique valid vulnerabilities during “Hack the Air Force” bug bounty challenge, making him the top hacker for the program.
HackerOne Co-founder Jobert Abma (left) with @Cablej (right) at H1-702 in July 2017.
Tell us a bit about yourself.
I’m a 17-year-old high school student from Chicago interested in math, computer science, and cybersecurity.
How did you get started hacking?
I stumbled across a vulnerability in a financial site in late 2015 allowing me to send negative amounts of money to other users, effectively stealing money from their accounts. That company operated a bug bounty program and that inspired me to look for more flaws in other companies.
What bug bounty programs do you participate in?
I jump around different programs. I’ve been acknowledged by Google, Yahoo, Uber, and most recently the U.S. Air Force for participating in the Hack the Air Force program.
What attracted you to Hack the Air Force and other DoD challenges?
I was drawn to these programs because they offered a unique chance to disclose vulnerabilities in the U.S. government’s systems. It’s been great to see hackers help improve the Air Force’s security and be recognized for their efforts.
What hacking moments are you most proud of?
I’m most proud of finding 20+ vulnerabilities in one day for Hack the Air Force and winning Rookie of the Year at H1-702 this year for being a top performing hacker in my first year attending the event.
What advice do you have for new bug bounty hackers?
Coding and hacking go hand-in-hand. If you learn coding alongside hacking, you’ll understand vulnerabilities to a much deeper extent. Knowing not only what a vulnerability is but why it occurs makes bug hunting more productive.
Do you have any plans for your bounties?
I’m saving all of my bounties for college.
What resources do you use to learn about hacking?
Reading write-ups from top researchers is a great way to learn. Here's a good list of some of the best blogs.
Subscribe to HackerOne’s Zero Daily newsletter for interesting bug write-ups.
You recently competed in HackerOne’s live-hacking event in Las Vegas, H1-702, and took home a prize. Can you tell us about that?
I had a blast at H1-702 - over 50 of the world’s top hackers got together to find vulnerabilities in three companies. Not only did I get to meet some awesome hackers, but I found one of the more severe vulnerabilities and won two awards, the “Baby Bug” (Rookie of the Year) and the “Assassin” (Highest Signal -- the highest ratio of valid vulnerabilities reported).
What do you look for when you hack?
I look for anything and everything that might be interesting. That ranges from a simple XSS to server-side vulnerabilities like SSRF and XXE.
What does the future hold for Jack Cable? Do you want to study security or make a career of hacking?
I plan to continue hacking and major in either math or computer science in college. Additionally, I’m currently working on launching a security company that performs penetration tests for startups and other businesses.
Anything else we didn’t ask that you want to share?
I really appreciate the opportunities provided by HackerOne with these programs!
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.