kwhite

Hacker Q&A with Gerben_Javado: To Share Knowledge is to Gain Knowledge


Twenty-one years old. Full-time college student. Mountain biker. Bounty hunter. That’s Gerben Janssen van Doorn, who goes by Gerben_Javado and is ranked ninth on HackerOne’s hacker reputation. He’s found more than 400 bugs and made $2,000 in the past month alone (and that’s just on public bugs).

Gerben’s current bounty crush is Zomato, where he’s found dozens of bugs — some at their top $1,000 level — in the past few months. He’s also identified a bunch of vulnerabilities for Marktplaats, Souq, and Grabtaxi. But what really drives Gerben? Let’s find out!


Tell us a bit about yourself.

Hi! I’m Gerben Janssen van Doorn, born and raised in the center of the Netherlands. I am 21 years old and currently studying organisation design. I live with three of my high school friends during the week and with my parents on the weekends, which is a great mix between fun and independence during the week and being taken care of during the weekends. ;) Besides hacking, I enjoy hanging out with friends and reading books, mainly on the topic of economic psychology/sociology (for example, Malcolm Gladwell) and philosophy.

How did you first get interested in computers and hacking?

I can remember that a primary school friend and I used to copy the HTML, CSS and JavaScript code of a website and modify it a small bit. After that I got into designing signatures on a game forum, which eventually led to me getting a part-time job as a “webmaster” for a small retail company.

At what age did you start hacking?

I was probably 16 around the time I was starting to search for hacking tricks, and 17 years old when I discovered HackerOne.

Did you have a mentor who encouraged your interest?

Haha no. Regarding my parents, I don’t think they knew in the beginning what I was doing, and they didn’t mind as long as I wasn’t behind the computer too much. Now they are very proud, and amazed at the concept. Being able to make money from home at a company you have never met in real life is indeed a new and somewhat strange concept.

What motivates you to do this type of work?

In my opinion you really have to like hacking to become good at it. You have to keep yourself updated on new techniques and methods, otherwise people will gain an advantage over you.

While interest is the main motivation, the money is what allows me to spend (a lot of) time on it.

What types of bugs do you like to hunt?

I like to hunt for atypical bugs, like defeating filters, blind injections, clever business logic bugs and chained PoCs.

What’s the one bug you’re most proud of yourself for finding?

A company (with a private bounty program) was using a partly binary TCP connection to communicate with the server for its Android app. I manually discovered which hex characters were responsible for the length of the packet, the length of the random token and finally the user ID. Using all this information I was able to get the address, phone, email, banking number and username of any user on that website.

The fact that I had to deviate to a binary communication protocol and work a lot with hex decoding to find out what all the characters meant made this the bug I’m most proud of.

Which hackers do you follow closely and admire?

Most of the hackers I admire are the ones that share quality content with the community, and people I met at h1-3120. Especially Olivier Beg, who pushed me to get on Twitter and helped me with my blog. Other names include Frans Rosen, Arne Swinnen, Mathias Karlsson, Ben Sadeghipour, Peter Yaworski, Jobert Abma, Filedescriptor, Edoverflow and so many others.

What advice would you give to other young people looking to get into hacking?

Create your own knowledge, which, I think, takes four steps.

  • First, read about hacking and bugs on HackerOne, in blogs and books and apply this knowledge on known bug bounty programs or intentionally made vulnerable software.
  • Second, use your knowledge and compare it to other information online to get a full picture of certain bugs. For example, you can use your knowledge of XSS to better understand how postMessage XSS works and how to exploit it.
  • Third, talk about your knowledge with other people through social media platforms like Twitter and Slack (https://bugbountyforum.com/ and http://bugbountyworld.com/).
  • Finally, share your knowledge publicly. In my opinion sharing will not lead to you giving away knowledge but will result in you gaining knowledge from the interactions.

What’s the biggest bounty you’ve received?

My biggest bounty is $2,500 for XSS on Airbnb.

What’s the best piece of swag you’ve received?

Definitely the H1-3120 participation coin. Being at that HackerOne event was such an honour and so awesome, so that coin embodies everything I have achieved through bug bounties.
