johnk

Hacker Spotlight: Interview with hogarth45


Hailing from Fargo, North Dakota, hogarth45 (known offline as Jesse Clark) joined HackerOne in December 2014. In the past six years he has reported more than 640 vulnerabilities and has been recognized through Thanks by more than 30 companies; with his focus on high-quality bugs, the impact of his reports is felt from enterprises to startups.

Just five years ago, Jesse says he didn't even know what an XSS was. Through hard work, creativity, and a fresh perspective, he developed an incontrovertible knack for hacking, leading him to accept a job as an Application Security Engineer. Read on for more about how Jesse got started, how a knack for robotics impacted his career, and his top tips from his hacking strategy. 


How did you come up with your HackerOne username?
My parents rented "The Iron Giant" from the gas station and 10-year-old me loved it so much, I wanted to make a Neopets account with the same name as the main character from the movie. Sadly, 'hogarth' was taken, but I added a quick '45' and was in business.

How did you discover hacking? 
Tim Jensen guided me away from a hobby in robotics to a hobby in security, so that he could teach me to fill his CPEs.

What motivates you to hack and why do you hack for good through bug bounties?
Originally, I wanted to learn secure practices to become a better coder in my development career, but now I do security full time and my development career is long gone.

I hack through bug bounties as an opportunity to actually do it without legal or moral issues. I would not hack at all without having that avenue open to me. 

What keeps you engaged in a program and what makes you disengage?
Success will keep me engaged. I do not have the fortitude to beat my head against a wall for hours on end.

How many programs do you focus on at once? Why? 
Just one or two because I like to really try and wrap my head around the focus and business logic of an application.

How do you prioritize which vulnerability types to go after based on the program? 
Start with the low fruit and work my way up. It’s a good way to learn about application behavior while keeping yourself interested.

What do you wish every company knew before starting a bug bounty program? 
Just run an out-of-the-box Burp scan once beforehand.

How do you see the bug bounty space evolving over the next 5-10 years?  
I love the free-market principles we enjoy at this time. A company can pay what they want for a bug and bounty hunters can decide if it is worthwhile. I foresee either government or platform trying to cram down a minimum bounty one day, and I believe it will cause many companies to pull programs and just avoid bounties outright.

How do you see the future of collaboration on hacking platforms evolving?  
Collaboration left to people choosing to work with friends will flourish. I give pause when I see some of the large groups being created, as it takes away some of the fun aspects, since so many of the awards can be funneled by submission manipulation in a group. There will be some growth period, but I think the kinks will be worked out.

What educational hacking resources do you wish existed that don't exist today?
DevOps Security For Dummies

If you had a magic wand and could change one thing on the HackerOne platform, what would it be?  
I would bring back the Red Square notification icon and get rid of the bell!

What advice would you give to the next generation of hackers? 
Take the time to learn mobile; so few are in that arena now, and there is definitely a lot of potential there.
 
