‘Proficiency takes time’: Xel on his best Bug Bounty finds and the primacy of patience in ethical hacking

February 22, 2024

YesWeHack Bug Bounty Hunter Xel

Ethical hacking can be lucrative but there is no guarantee of income.

As such, inexperienced Bug Bounty hunters must above all practice patience and persistence if they are to reap the potentially significant rewards, according to the subject of our latest hunter Q&A.

‘Xel’ – real name Raphaël Arrouas – is well placed to judge: he’s fourth on YesWeHack’s all-time rankings at the time of writing and boasts an ‘impact score’ (average points per report) surpassed by few others.

But, reassuringly for struggling newbies, even Xel admits full-time bug hunting “was not easy” when he started four years ago.

In the second writeup in this series (other videos are published on YouTube), the ethical hacker reflects on the challenges of finding the right work-life balance as a freelance white hat, enthuses about his most impressive bug finds, and offers advice to his fellow hunters.

XEL ON GETTING STARTED IN BUG BOUNTY…

I’m a cybersecurity engineer and following my studies I worked as a penetration tester. During my time as a pentester, I [became] interested in Bug Bounty Programs and I tested myself: I tried participating in one, two, three Bug Bounty Programs.

And eventually I thought: “Wow, this is a great opportunity that I should not miss!” So I quit my job to do Bug Bounty hunting full-time.

I joined YesWeHack’s platform with a very interesting program at the time, Swiss Post. It was very interesting for me because I live in Switzerland, so I invested some time into the program, and then into the platform, and got to meet the team. So yeah, I’ve been a regular of this platform!

ON WHAT IMPRESSES HIM MOST ABOUT YESWEHACK…

It’s always hard to say, but I would say the team. Really, it’s a top-notch team!

They are very friendly and reachable people. What I like is they spend a lot of time explaining their philosophy to their customers, and so it makes the whole process very agreeable.

I like their programs a lot. I think they have expanded their customer base in every continent these last years, so I think it’s more and more interesting to hunt on YesWeHack.

ON THE CHALLENGES OF BEING A FULL-TIME BUG HUNTER…

At first, being a full-time bounty hunter was not easy because, well, I needed to get results and there are no guidelines about how to do that.

So I had to develop my strategy, I had to develop my contact with the platforms, I had to see how it would fit into my schedule, my social life, and then my family life. So it had many challenges, but I would say that these challenges are kind of the same as the ones that entrepreneurs have.

ON THE THREE WORDS THAT BEST DESCRIBE HIS TALENTS AS A HACKER…

I would say curious, persistent and focused.

ON THE MOST CRITICAL BUGS HE HAS FOUND SO FAR…

I think the most critical vulnerability I’ve ever found was an unauthenticated RCE on a firewall orchestrator. I think I would have been able to take control of maybe 50 firewalls or something – I could have caused a lot of damage!

I have [another] vulnerability I was proud of: it was an RCE in an e-banking [application]. I was kind of limited in terms of length, and I had to do a server-side template injection in less than 100 characters or something. It kind of looked like a CTF challenge to me, so I was very proud of this one!

HIS ADVICE ON HOW TO BECOME A SUCCESSFUL BUG BOUNTY HUNTER…

You need to stay creative, you need to see what exists and you need to come up with your own approach. You need to familiarise yourself with all the basic security concepts.

You need to start doing it really – to start hunting, even when you think hunting on public programs is hard and so on.

You really need to start doing it and invest some time in it – and don’t give up! After some time, you will get more and more vulnerabilities coming in and you will get better at Bug Bounty hunting.

It’s a job where you need to invest some time in it to be proficient, I would say.

Interested in emulating Xel? Register as a hunter on YesWeHack, sharpen your hacking skills on Dojo, or learn about the latest hacking tools and hacking techniques on our blog.