Julien Ahrens, aka @mrtuxracer, comes from a small town in northern Germany and started hacking at 15, when he had to creatively solve the problem of not being able to play Starcraft 1. After school, Julien spent a decade in IT security, refining his skills in all areas including network engineering, security consultation, penetration testing, security engineering and security compliance (PCI DSS). Today he is a full-time bug bounty hunter, exploit developer and freelancer, who enjoys traveling and attending live-hacking events all over the world. Even though the h1-3120 live hacking event in Amsterdam was only his second live-hacking event, @mrtuxracer crushed the competition and won The Exalted (most reputation earned), The Assassin (highest signal) and The Most Valuable Hacker (MVH). In his free time, Julien blogs as a way to give back to the community. Check out his recent posts on his website and our interview with him below to learn more about his exciting journey.
How did you come up with your HackerOne username?
I love playing Tux Racer ;-)
How did you discover hacking?
That was almost 20 years ago. As a teenager, I barely had any money, but I still wanted to enjoy all those nice video games - Starcraft 1 is still one of the best games! Unfortunately, you usually needed a nasty serial number or some inserted CD-ROM to install and play games. So I thought: how do I get around that, to play those games?
What motivates you to hack and why do you hack for good through bug bounties?
It's all about being able to break things legally and get paid for it. This feeling when you hack on an application for days and finally find that one critical bug that crushes a whole system made by smart developers or even entire teams, is priceless. So why not combine the thrill of hacking with securing companies that are part of our daily life?
What makes a program an exciting target?
I do love programs with smaller scopes but complex applications and ideally connected thick client applications, because I like to deep-dive into such targets. I've been hacking on a popular video conferencing application for over a year almost exclusively, and even after months of hacking them, I've still discovered new functionalities and endpoints on that program that led to new fruity findings.
At some point, you'll learn how the developers work, and this could be an essential piece of knowledge to have, especially if you discover bug patterns.
What keeps you engaged in a program and what makes you disengage?
Some programs are super transparent and communicative during the entire bug submission process. Those programs also tend to be very fair in the rewarding process, which shows that they appreciate my work.
There's nothing worse than programs being non-transparent about duplicates, payouts, or trying to force you into very adverse NDAs. That's not how to properly build up trust, and it makes me leave immediately.
How many programs do you focus on at once? Why?
1, max 2. I'd like to go deep rather than wide, which usually yields more bounties for me.
How do you prioritize which vulnerability types to go after based on the program?
Server-side bugs first! Those are the ones that are usually paid the highest bounties (and yield the most fun :-) ), which is why I focus on them. This does not mean that I don't care about client-side bugs, but I usually only report stuff like XSS if I accidentally stumble upon them.
Speaking about thick client applications, I mostly focus on RCEs through various vectors, e.g., memory corruption issues or custom URI handlers.
How do you keep up to date on the latest vulnerability trends?
Twitter is the best of all sources. All new vectors are sooner or later somehow disclosed and discussed there.
What do you wish every company knew before starting a bug bounty program?
- Value research time by paying appreciative bounties. Hackers sometimes spend days to get a nice chain of vulnerabilities to work, just to show some additional impact. This work should be rewarded accordingly without getting stuck on reward ranges or similar. Why not add a bonus or pay out-of-range, which makes the hacker happy to hack on?
- Make sure you have dedicated personnel being able to handle bug reports. There's nothing more frustrating (for all sides) than someone who has a thousand tasks, plus managing the bug bounty program.
- Be supportive and communicative. Help hackers wherever you can with maximizing impact. If the hacker is missing a small piece of information to complete their chain, why not help them out?
How do you see the bug bounty space evolving over the next 5-10 years?
Since bug bounties provide a very cost-efficient way to extend the security strategy of any company, I believe that there will be an exponential increase in companies launching bug bounty programs. However, there might be more conservative sectors like finance and insurance, which might take longer to adapt to it.
How do you see the future of collaboration on hacking platforms evolving?
There will definitely be an increase in collaboration features because this usually increases the number of vulnerabilities found, which makes all sides happy - the companies will be able to close more gaps, and the hackers will earn more bounties.
Do you have a mentor or someone in the community who has inspired you?
Definitely @filedescriptor! I rarely see people having so much knowledge about a single topic.
What educational hacking resources do you wish existed that don't exist today?
The internet is full of educational hacking resources nowadays and even growing day by day. I cannot think of a single technical resource that I wish existed but doesn't exist.
What advice would you give to the next generation of hackers?
Learn the basics first and learn them thoroughly. Don't believe you can jump in as a beginner and make thousands of dollars within the first month without even knowing what SOP stands for.
Becoming successful in the bug bounty space requires a lot of dedication and, more importantly, experience. You will grow over time, so be patient.
What do you enjoy doing when you aren't hacking?
Usually, traveling the world, but since that has been kinda paused right now: board games!