Hacker Spotlight: Interview with p3rr0
Based in Santa Fe, Argentina, Hector (or p3rr0 on HackerOne) had no idea what bug bounties were until he stumbled upon Santiago Lopez’ story in a local newspaper. At first, he thought the newspaper article was a joke, but after researching and discovering the community of hackers and their achievements financially, he was intrigued. At the time, p3rr0 was in college, and losing his job made him dive into learning how to hack. In December 2019, he started by reading Hacktivity reports and following the infosec community on Twitter. He learned quickly. In his first two months, Hector submitted 4 reports. This was game-changing for him, especially since he didn’t have any IT or technical experience! Read more to find out how Hector quickly gained his hacking skills.
How did you come up with your HackerOne username?
I don't remember why, but my friends and I began to call each other perro (dog in spanish) as a joke. Then it became a habit so I decided to use it as my username on HackerOne.
How did you discover hacking?
I found out about hacking almost 2 years ago when I saw a notice on a local newspaper about Santiago Lopez having earned one million dollars reporting vulnerabilities via HackerOne. At first, I thought there was something suspicious behind that. I did some research and found that bug bounties were real so I created my account on HackerOne. By that time, I thought that some college degree or IT background was required to succeed on it, so I didn't dedicate much time into it until a few months later.
I lost my job in 2018 and lived off casual jobs, then at the end of 2019 I couldn't find anything else and as a 31 year old with no college degree it was very hard to find something, I couldn't even get a job interview. That's when I decided that I had to do something different. I always had an interest for computers and to know how things work, so I looked back into bug bounties and I found that some of the researchers claimed that they learned by themselves or without a college degree, and no job interview was required! All I had to do was to find an error and report it. I thought If other people can do it then I can too. Maybe I won't make a million, but at least I could make enough for a living. I knew it would be hard, even worse considering that I had no IT background or college study related to computers. Reading Hacker101, reports on Hacktivity and following other hackers on Twitter gave me information about the topics so I could figure out what I had to learn and how to use it. I had 4 reports in the first 2 months; 2 of them were duplicates, but I thought it was a good sign. Then for 5 months I couldn't find anything but I didn't give up. I kept reading and looking for new things to learn and suddenly I was finding 4-5 vulnerabilities per month. Bug bounty changed my life.
What motivates you to hack and why do you hack for good through bug bounties?
When I began to learn, the main motivation was to earn money for living and pay off a big debt I had due to losing my job. Now I keep doing it to contribute to making the internet more secure. I also love to learn new things and the whole experience from learning about a new target and how it works to the feeling when the payload gets executed.
As a hacker in Latin America, what are the benefits of hacking through bug bounties?
The main benefit in Latin America is the possibility to earn money in a currency that isn't affected by devaluation. A few reports of medium severity can be the equivalent to a year of an average salary in local currency!
What do you enjoy doing when you aren't hacking?
When I'm not hacking, I like to do something completely unrelated to being in front of a computer. I like to play video games, for example. I like to go outside, to have a drink or hang out with my friends. I also like to travel, but couldn't do much of it lately.
What makes a program an exciting target?
I like to hack on applications because there is some access to the code and you can take a look at what is happening, so for me a target that has desktop or mobile applications is very interesting. Also a program with a wide scope makes an interesting target.
What keeps you engaged in a program?
I keep engaged when the program shows that they value the time that researchers expend on it, not only by the bounty amounts, but also by how they respond to the reports. When things are transparent and they keep you updated about their decisions, everything works fine.
What makes you lose interest in a program?
When there are questionable decisions like an arbitrary change on a report resolution that isn't backed by the program policy and the justification for it is an excuse instead of a reason. I consider that a serious lack of respect to the researcher and the time invested.
Do you recommend hacking on multiple programs or focusing only on one and why?
I think it depends on how you feel comfortable and about the skills that you have. When I learned about XSS, for example, I would take a look at multiple programs because I didn't even know how to look for something else. I thought I would be wasting my time if I didn't know what I was looking for. If you already have a methodology and the skill to find multiple vulnerabilities, I think it's better to focus on a few programs because you can look deeper into them.
Do you focus on only one vulnerability attack scenario or do you focus on multiple types of vulnerabilities when you hack on an asset?
I like to focus on features of the target. Since I like hacking on applications, for example, most of them have a feature to open the app from a browser URL, so I would take a look at everything that happens related to that feature. Then when I feel like there is nothing more to find about it, I move into another feature that I think could lead to an exploit.
What are the top three websites, blog posts, accounts, articles, or other resources you follow to learn new vulnerability trends?
The first one is HackerOne Hacktivity. I think public reports and write ups are the best sources when learning how to hack.
The second would be pentester land https://pentester.land/; it's similar to HackerOne Hacktivity.
The third is Twitter. I began following some of the hackers at the top of the leaderboard, then learned from their tweets, and then followed their friends. If I had to recommend one to begin with, it would be @stokfredrik and his YouTube channel.
How do you see the bug bounty space evolving over the next 5 years?
Code is written by people, and we can always make mistakes. It will be harder in the future because there is more information available and more people are doing it, but I believe this only affects low hanging fruit or bugs that are easy to find. The really hard ones are still there and will continue to exist and change.
How important do you think collaboration is in bug bounties?
Collaboration is very important. I think it is the next step for bug bounties. Take the hack on Apple for example (https://samcurry.net/hacking-apple/). Five researchers worked together and found a huge amount of vulnerabilities. Everyone has a different approach to hacking. Programs keep receiving reports after years and not only because code is being pushed continuously, but also because hackers keep seeing things others didn't.
Do you have a mentor or someone in the community, globally and locally, who has inspired you? Don't be shy, give a shout out!
I didn't have the luck of having a mentor, but I do have a lot of people that I had read their blogs and reports which helped me a lot. Santiago Lopez is one of them, it is thanks to his achievements on HackerOne that I know about bug bounties. Stok Fredrik is another; his videos have so much information, not only technical but very didactic, but he explains in a way that anyone can understand it. He includes both technical parts and the thinking behind it, which I believe is the most important thing.
What educational hacking resources would you recommend to others?
HackerOne Hacker101 and Peter Yaworski’s excellent book Web Hacking 101. After reading the book and having an oversight of different kinds of bugs, Hacktivity and write ups or blogs are very good resources.
What advice would you give to the next generation of hackers?
Always try to understand what you are doing. I see many people learning that copy and paste payloads or have the problem of finding a lot of duplicates. You need to really understand how something works in order to find how to use it in a way that it isn't supposed to be, and you need to see past the obvious or expected behavior to find what others didn't. It is clear that a lot of technical knowledge is required, but there are many computer engineers or technicians that have this technical knowledge and aren't hackers. I think the ability to see beyond that and find a new behavior on something already known is the real difference and what will make you stand out from the others.
Any last-minute thoughts you want to share?
I want to thank HackerOne for giving me this opportunity and for everyone in the community sharing their research and knowledge because they made it possible for me to overcome a very difficult moment.
Archive
Can we use a photo of you or would you prefer to remain anonymous? If you say yes to this photo, please send in a headshot after submitting this form if you haven't already.
What do you recommend new companies starting a bug bounty program should do?
I think they should get in touch with other companies that already have a successful bug bounty programs and give their program managers some kind of insight or capacitation about how to run the program., I believe some bad decisions are made due to lack of knowledge and not a bad intention from the program, and this could help to prevent them.
If you had a magic wand and could change one thing on the HackerOne platform, what would it be?
When unfair decisions are made about a report, an arbitrary decision to lower the bounty amount or severity for example, I would like hackers to have more resources to appeal. T, there is mediation, but I think something external would be better to ensure that things are as fair as possible. I feel that we don't have much to resort to in those cases, the "program has the final word policy" and the non disclosure agreements is abused as a means to condone this kind of behavior and the hacker always loses when that happens.
The 8th Annual Hacker-Powered Security Report