Asia continues to be a growing international hub for talented hackers who want to do good. Last year, hackers around the world earned over $40 million in bounties on the HackerOne platform, and approximately 20% of those bounties were paid to hackers in Australia, China, Hong Kong, India, and Singapore. According to the 2020 Hacker Report, China, Hong Kong and India were among the top 10 highest-earning regions for bug bounties in 2019. This speaks volumes to all the ethical hackers around the world who want to hack for good and reinforces that ethical hacking is becoming a viable career for many young professionals.
The timing to be an ethical hacker couldn’t be better than now. According to (ISC)², we are facing a global IT security skills shortage of over four million. In Asia Pacific, that shortfall is a massive 2.6 million. As organizations seek to keep up with the latest advancements in technology, they are also challenged by an ever-evolving cyber threatscape. With a cybersec skills shortage, security grows harder, leaving organizations exposed to serious threats.
Businesses must therefore be creative and look outside the box for a more diverse set of skills that may not be learned through formal education. Thanks to the rise of bug bounty programs, ethical hackers are helping to fill that gap. Bug bounty and vulnerability disclosure programs are giving promising hackers and security professionals the ability to quickly learn, grow, and contribute to everyone’s increased security. In the absence of formal cybersecurity engineering programs, many young professionals and university-age students are turning to ethical hacking platforms like HackerOne to learn these skills. In fact, Millennials and Generation Z make up most of the hacker talent base on the HackerOne platform; the majority (approx. 87%) of whom are under the age of 35, with 42% of hackers between 18 and 24 years of age. Hackers often get their start in bug bounty at an even younger age, some as early as 13.
Universities throughout Asia Pacific, such as Singapore Management University, are also introducing students to ethical hacking by developing student-run hacking clubs that train students for cyber defense competitions and advocate for the development of cybersecurity skills. HackerOne continues to invest in opportunities to share knowledge with student hacking groups throughout the region.
One thing is for sure: there is no shortage of up-and-coming cybersecurity talent coming out of Asia Pacific. To name a few, check out some of our other recent interviews with accomplished hackers from the region: @samengmg, @kactros_n, @spaceracoon and @bull.
We recently chatted with @jin0ne, a 20-year-old hacker and one of our highest performing hackers on the platform. jin0ne has a Signal of 6.45 and is in the 80th percentile of hackers registered on HackerOne. In just one year on the HackerOne platform, @jin0ne has submitted a total of nearly 180 valid vulnerabilities, all self-taught at the age of 16!
Let’s meet hacker @jin0ne
Q. How long have you been a bug bounty hacker? Do you do it as a job or hobby? How much time do you spend hunting for bugs?
I started when I was a junior high school student. I’ve been hacking for about 4 years. It started as a hobby and then it turned into a job for me. Now I only hack for about 10 hours a week because I prefer to spend my other time playing League of Legends.
Q. How did you get started in hacking?
One of the websites that I often use and follow was suddenly hacked one day. The individual who did the hack left his contact information on the website. I thought that was cool, so I contacted him and slowly began to understand the world of hacking.
Q. How did you learn to hack?
I am self-taught. I learned coding by myself, and then studied security vulnerabilities online.
I like programs that provide a quick response to a bug submission. I also like programs that offer high bounties. In terms of vulnerabilities that I prefer to look at, it would be Server Side Request Forgery (SSRF) and some other server-side security issues.
Q. Of all the bugs you’ve found, what was your favorite/most interesting?
Server Side Request Forgery (SSRF), Remote Code Execution (RCE) and some high-impact bugs because they are more challenging.
Q. How long did it take you to find your most impactful bug?
Only a few minutes, from sudden inspiration, luckily.
Q. What makes you motivated to Hack for Good?
Hacking can be like fishing. Finding a bug is just like when a fish bites the hook. I like the joy and achievement that comes with bug bounty hacking.
Q. What made you want to be an ethical hacker?
"To Protect the world". On one hand, there is a bounty payment, which can increase income, and on the other hand, it is the Hall of Fame, which does provide a sense of accomplishment. It also helps others.
Q. How do you approach a target? What is your recon process like?
I usually use Google first. I search by site syntax and I look for some interesting pages on the site. For recon, my process is based on a script that I wrote myself. The general process is subdomainfinder > nmap > whatweb > dirsearch > waybackurls
Q. What kind of tools do you use to help you look for vulnerabilities? Do you design your own tools to automate your approach?
I usually use BurpSuite. Others are scripts written by myself or some excellent open source tools in the community. Usually I will see some tips for finding bugs on Twitter. Then I will write an automated or semi-automatic script.
Q. What kind of impact/role have bug bounties played in your life?
Bug bounty hacking provides a good income. It has enabled me to purchase my own house. It can also provide for my daily living expenses.
Q. What advice would you give to beginner hackers?
1. Check the disclosed vulnerability reports on HackerOne’s Hacktivity.
2. Practice the vulnerabilities mentioned in labs through PortSwigger (https://portswigger.net/web-security)
3. Follow active security researchers on Twitter
4. Read more security blogs
Q. Do you think the perception of hackers is changing globally?
Vulnerability disclosure programs and bug bounties not only provide hackers with income and recognition through a Hall of Fame, they also provide an opportunity to help solve security problems for businesses. They provide a way for hackers to become white hats while protecting enterprise information security and user privacy.
Q. Do you think hacker-powered security (or ethical hacking) is becoming a widely accepted concept in Asia Pacific?
I think so, mostly because more and more companies are willing to accept security problems discovered by hackers.
Q. What do you do when you aren’t hacking?
Play some games like League of Legends.