Samuel Eng (also known as @samengmg), a 30-year old hacker from Singapore, is one of the top performing hackers on our recent Singapore Government Technology Agency (GovTech) bug bounty program. Like most hackers today, Samuel is self taught and has an extensive bug bounty experience. In addition to government bounties, he has also found critical vulnerabilities on large corporate programs such as those of Verizon Media, Airbnb, Sony, Starbucks and Dropbox, to name a few. Check out our interview with Samuel below to learn more.
How did you come up with your HackerOne username?
My username is actually a short form of my full name. I have a hard time coming up with nicknames :(.
How did you discover hacking?
I had to fix my code in a university project and got hooked onto security. Eventually I started my first job as a security consultant. I started taking up offensive security certifications, and moved onto bug bounties on HackerOne to challenge myself.
What motivates you to hack and why do you hack for good through bug bounties?
I get motivated by the knowledge and the sense of achievement. Monetary rewards are an additional bonus for me. Bug bounties to me are like a CTF but in a more realistic environment.
What makes a program an exciting target?
Big scope with big bounties. I enjoy focusing on the bugs that are specific to their context. If it’s a financial company, I will go after specific vulnerabilities that are used to target financial data like improper access control, or insecure direct object reference (IDOR).
What keeps you engaged in a program and what makes you disengage?
Communication and program transparency. Bounties are secondary. Even if it's a duplicate/informational issue, companies should communicate clearly so as to continue a good engagement with the hacker.
Lack of communication/visibility makes me disinterested pretty quickly.
How many programs do you focus on at once? Why?
I have a few go-to programs that I can always rely on to find bugs. It's like I am an internal employee within the company because I’ve invested so much time there. Otherwise, I tend to be in and out of other programs to get exposure and understand how different companies work.
How do you prioritize which vulnerability types to go after based on the program?
I do not go for a vulnerability type. Context is key here.
How do you keep up to date on the latest vulnerability trends?
I try to read all kinds of blogs (including Chinese/Korean blogs). Twitter is great for getting the latest trends. GitHub issues is a gem for learning how developers deal with vulnerabilities.
What do you wish every company knew before starting a bug bounty program?
Companies need to do their own security assessment. Ensuring a team of security engineers would handle the vulnerability reports, instead of general IT staff, is also important.
How do you see the bug bounty space evolving over the next 5-10 years?
To be honest, that's albeit too far for me to think about. But I have already observed many new hunters in bug bounty programs, and even penetration testers are keen to be involved in the bug bounty world since [bug bounty programs] are like penetration tests on steroids.
How do you see the future of collaboration on hacking platforms evolving?
I'm not really sure because I usually work alone. One day, I hope that people will collaborate with me :).
Do you have a mentor or someone in the community who has inspired you?
I do not have a mentor but there is someone who has inspired me a great deal. I’m thankful to @filedescriptor for his amazing browser/client-side knowledge.
What educational hacking resources would you recommend to others?
https://xz.aliyun.com has many great articles (Chinese). GitHub issues are great for learning how bugs are formed and what difficulties are encountered in fixing them.
What advice would you give to the next generation of hackers?
Be desperate and hungry for knowledge.
What do you enjoy doing when you aren't hacking?
I play competitive squash in my spare time.