While he may keep a low profile, @Tolo7010 makes a big impact on the organizations he hacks.
Tolo7010 discovered hacking by accident a decade ago when he bought a “Hacker's Hideout” CD thinking it was a PC game. Just like starting a new video game, he quickly became hooked on hacking. When he first joined HackerOne in 2017, he submitted about five valid reports. Since then, he’s managed to increase that number by 54x over the last three years totaling over 270 today. In 2020, he says he has submitted more than 150 reports so far, earning him $100,000 from bounty rewards.
Prior to embarking on his bug bounty journey, Tolo worked as an app content creator for a company providing online cybersecurity training. Learn more about @tolo7010 below.
How did you discover hacking?
I started learning to hack about 10 years ago when I accidentally bought a Hacker's Hideout CD believing that it was a PC game. There was a list of articles for newbies in it, so I began my learning path and searched for more information on the Internet.
What motivates you to hack and why do you hack for good through bug bounties?
If I go straight to the point, I would say that money motivates me to hack and do bug bounties, but in order to be good at hacking, that motivation is not enough. For me, the feeling when I finally find a bug makes me want to hack again and again.
What makes a program an exciting target?
I think an exciting target is one that updates [the scope] or releases new features periodically. Bounty amount counts, too, but what am I supposed to do on a program that has only had static pages for a year without an update?
What keeps you engaged in a program and what makes you disengage?
Good programs are those that care about the researchers.
How many programs do you focus on at once? Why?
I am a pretty slow human machine so I can focus on only one program at a time. I also suck at automation, so I focus on one program for a week or two before moving to another one. I want to learn coding and automation soon because you need to learn anything you can to be a good hacker.
How do you prioritize which vulnerability types to go after based on the program?
I always focus on OWASP Top 10 bug types on every program because they are the most common bugs found world-wide. My favorite bug is Cross Site Scripting (XSS) because it is easy to find, easy to report and gets triaged.
How do you keep up to date on the latest vulnerability trends?
Follow good hackers on Twitter and read every blog post you can. The great thing about infosec is that everyone is willing to share their findings. I suggest you do so even if you are new. You can read some of my findings in my blog posts too.
What do you wish every company knew before starting a bug bounty program?
Before starting a bug bounty program, take OWASP Top 10 bug classes and know how they work. Hire some good security people to decide the severity of the reports and pay bounties according to the impact of the bugs. Be ready to handle a lot of interesting reports from the researchers that you can't see with traditional pentesting.
How do you see the bug bounty space evolving over the next 5-10 years?
Bug bounty will continue to grow and there will be a lot of new hackers. I believe some bug classes will be completely removed from bug bounty space (as they are mitigated by browsers), and new bug classes will appear as the technology evolves.
How do you see the future of collaboration on hacking platforms evolving?
I think, in the future, the bug bounty platforms (HackerOne, Bugcrowd, Intrigiti, Synack, etc) will organize a big event together. It could be a big bug bounty conference or live hacking event (like ESports) where hackers from each platform hack together as a team. I think it would be fun and exciting
Do you have a mentor or someone in the community who has inspired you?
@dawgyg and @nnwakelam have inspired me as I think they are the best hackers now. I know it will take me at least another decade or two to be like them but that's ok. Besides them, I want to thank @inhibitor181 and @jobertabma for answering my questions since I joined HackerOne.
What educational hacking resources would you recommend to others?
PentesterLab, Hacker101, Portswigger Security Academy, OWASP.org
If you had a magic wand and could change one thing on the HackerOne platform, what would it be?
Pay bounties on triage for programs
What advice would you give to the next generation of hackers?
Don't cross the line. Remember that you are the white hats.