Hackers from India accounted for 18% of the total reports submitted to HackerOne customer programs in the past year, earning $3.5M in bounty awards. One of those hackers is Jenish Sojitra, also known as @jensec, who says bug bounties, crypto trading, and holding made him a millionaire by the age of 20.
Jenish mainly focuses on crypto programs and platforms but has also earned bounties for identifying issues in application programming interfaces (APIs) and Internet of Things (IoT) devices. The twenty-one-year-old hacker just graduated from university with a degree in computer science and plans to dedicate himself to his bug bounty career full-time. When he's not hacking, he enjoys trading cryptocurrencies and watching car videos. Read on for more of his hacking tips and stories.
How did you come up with your HackerOne username?
I merged the first three letters of my name, "Jenish", with the first three letters of "security", "Sec". I liked the pronunciation, so I gave it a shot and haven't regretted it.
How did you discover hacking?
One of my friends hacked my Facebook account using phishing, but I didn't know how that worked, so I got super curious and investigated all the possible ways to hack into a Facebook account. That is how I came to know about the hacker community and eventually about bug bounties.
What motivates you to hack and why do you hack for good through bug bounties?
The opportunity to work and communicate with security teams and executives globally thrills me. For me, breaking a program's security is a challenge, and it creates a great win-win scenario for both hackers and companies.
However, my biggest motivation to hack for good is my own data security. I would much rather trust a company running a bug bounty program, and specifically those companies I have been working with to discover security vulnerabilities.
What makes a program an exciting target?
A challenging scope and competitive bounty rewards.
What keeps you engaged in a program and what makes you disengage?
The program team's engagement with hackers and their response efficiency keep me working continuously on the same program. Paying less than what is defined in the program policy is something I would hate to experience.
How many programs do you focus on at once? Why?
I focus on multiple programs, on average five programs per month, but I always revisit old programs at three-month intervals and usually come up with new discoveries.
How do you prioritize which vulnerability types to go after based on the program?
Usually, I love to work on crypto programs, so I try to find issues related to smart contracts, blockchains and wallet APIs. On web targets I focus on logical bugs, while on APIs I focus on server-side issues.
How do you keep up to date on the latest vulnerability trends?
I try to keep up with my Twitter feed and PentesterLand, but HackerOne Hacktivity helps a lot in learning about certain attack vectors I missed on my targets.
What do you wish every company knew before starting a bug bounty program?
I would say, please do not underestimate hackers: no matter how secure you are, hackers are going to find issues. At the same time, do not overestimate them as a threat, because every finding is reported in good faith to secure your infrastructure.
How do you see the bug bounty space evolving over the next 5-10 years?
The bug bounty community is one of the fastest growing security communities in the industry. With the growing use of complex technologies and the rise in security threats, I wouldn't be surprised if we see more than 40% of companies with a bug bounty program by 2030.
How do you see the future of collaboration on hacking platforms evolving?
Absolutely great! What could be more amazing than a bunch of talented ethical hackers trying to break and secure the internet in a very good way? Collaboration adds great value to the security community, and I would love to see more and more hackers collaborating with each other to share knowledge and make the internet a safer place.
Do you have a mentor or someone in the community who has inspired you?
I do not have a mentor, but so many people have inspired me. Huge thanks to the hackers who have inspired me directly and indirectly: @prateek_0490, @inhibitor181, @Shubham_4500, @NahamSec, Ryan Pickren, and all the Technical Program Managers at HackerOne who helped me reach this point.
What educational hacking resources would you recommend to others?
I would highly recommend Hacker101 and BugPoc CTF, both of which have greatly contributed to sharpening my skills.
If you had a magic wand and could change one thing on the HackerOne platform, what would it be?
I find it perfect as it is right now.
What advice would you give to the next generation of hackers?
Know your target! I surf a target for an hour just before I start hacking on it, which adds great value. Stick to your target for a while. The idea that old programs do not have vulnerabilities is, to me, the biggest misconception.
What do you enjoy doing when you aren't hacking?
I love spending my time trading cryptocurrencies just for fun, and watching automobile videos.
Thank you for the amazing opportunities.