@meals has been hacking since September 2014 and has uncovered 926 valid vulnerabilities on HackerOne, ranking 6th on the HackerOne all-time leaderboard. He has an extensive background in penetration testing and found his way into bug bounties contributing to programs like Verizon Media, Shopify and AT&T. Read on to learn more about his strategies and expertise!
How did you discover hacking?
Back in middle school, some of my friends and I wanted to learn how to hack into computers and I was the first one to figure out how to do it.
Do you have a mentor or someone in the community who has inspired you?
I got into bug bounties after watching @Agarri_FR conference talk on about receiving large bounties and thought that was pretty amazing. I dove right in after watching that, reported a handful of dupes and N/A's, finally submitted a valid bug (SQL Injection) and the rest is history.
What motivates you to hack and why do you hack for good through bug bounties?
I like the challenge of hacking into companies as well as the reward. The experience I've gained as well as the money I have earned have been life-changing!
What makes a program an exciting target?
Fresh new targets, large bounty tables, and a responsive security team.
How many programs do you focus on at once? Why?
I usually focus on two or three programs at a time. If I focus on more than that, I will spread myself too thin and potentially miss out on bugs.
How do you prioritize which vulnerability types to go after based on the program?
I like finding injection type bugs: SQLi, RCE, XXE, SSRF, etc. Those are the most fun to exploit and they also generally have larger payouts.
What do you wish every company knew before starting a bug bounty program?
It’s beneficial when companies have some type of open communication channel with the hackers they are inviting to the program. This way it’s possible to clear up uncertainties or questions the hackers may have. It's always better to start with a smaller group of hackers and then grow over time so as to not get overwhelmed.
How do you see the bug bounty space evolving over the next 5-10 years?
Continually growing. A lot of companies are seeing the benefit of having continuous security testing as opposed to just annual or semi-annual time-boxed tests.
How do you see the future of collaboration on hacking platforms evolving?
Continually growing as well. I have seen first hand that collaboration leads to better bugs as well as quicker exploitation of bugs. The faster you can get the bug reported the less likely you are to get a dupe and the quicker you can move onto another bug.
What educational hacking resources do you wish existed that doesn't exist today?
None, the amount of resources available to teach people how to hack now makes it hard not to learn.
What advice would you give to the next generation of hackers?
Do not focus on bounties initially; focus on finding and exploiting different bug classes whether it's on a vulnerability disclosure program, bug bounty program, or a purposely vulnerable system. You need a foundation before you can start collecting money consistently.