The Rock Bottom Theory of a Bug Bounty hunter
Greetings to all my blog readers
I hope you all are doing well and on your feet, but even if your state is on the contrary, i promise that when you are done reading this entire post, you will be re-energized and ready to conquer your fears. Now what i want you guys to do is stop imagining me as a top notch security researcher and just consider this article as a random one you are reading every now and then. I apologize in advance as this is not a post that would boost your technical knowledge because most of my posts are about different Proof of concepts of my findings, however it will give you an insight of where i was two years ago and where my hard work has brought me today. This is the story of me and how i escaped Rock Bottom, some of you may make me the laughing stalk of the community, but this is where most guys like have been and may be one of them can learn how to escape it
If you know me or have heard about me, you must know that i am a Cyber security researcher with specialization in Web application, Wireless Security and Internet of things. I have also been cordially recognized by several organizations for my work, but what most of you may not know is that i come from an academic background that is irrelevant to Cyber security and i had no knowledge of even the basics because i was an engineering student and am now an engineering graduate.
When i started bug bounty hunting i had no clue what i was doing, i was totally unaware of the Web architecture, Basics of HTML, JS etc etc. And the ones who assured to guide me had me running on a wild goose chase, so it would be safe to say that at that time, i was direction-less and knowledge-less. But i had the crave for fame which as expected was going to be the reason for my downfall. Seeing others successfully getting recognized in Hall of fames and earning big rewards was a major stimulus in my learning as it made me more focused on finding shortcuts and illusive vulnerabilities rather than focusing on the real ones.
Overtime, i devised several shortcut methods which i used to report to companies as vulnerabilities and get recognized. You can learn about them from my initial disclosures. But deep down i knew that this method was not correct and one day or another i would face the music. It was not so long when i discovered that management platform’s guidelines had changed and i became from number one to one in millions at the bottom.
That was the time, i had to face alot of criticism from almost every researcher in the community for being a spammer, i was being called stupid, knowledge less and what now and to be true it was all nothing but accurate. In my reports i was told be program owners not to waste their time and to stop reporting, many times i was told by the platform management and warned to be kicked off platform which was also true.
But it was all of this negativity about me that lead to build a decent researcher, I decided to go on a learning break and really make some changes into what i do. I knew that working hard would lead somewhere but had no idea where to start learning from like most of our newbies, so i took the noob’s approach to bounty hunting. As my recommendation to most of our guys out there, i started learning from the work of top researchers in the community, bear in mind i did not copy their work, i learned from it and tried to recreate it in my own way. Hard work does pay off. I starting getting good response, but because of my ruined reputation due to my previous stupidity, i was not taken seriously in the first place, but it required hard work and i was ready for it.
I did what i could do to make it right, i was working day in and day out doing but bearing mind not to go down to the level of trash i had come from. I was at 0 and was moving up from scratch with nothing and i could very slowly see that my hard work was making me earn my respect back.
And i was not getting this response from one but 3 different platforms as well as from independent programs like Firefox’s Bug Bounty, Magento’s Bug Bounty etc. This was actually happening, unbelievably it really was. And this was not only because i was working hard but i was lending a helping hand to those who were once at my place. And then day came when i was recognized by one of most prestigious awards a Bug hunter could acquire, which was Ranking as the third most credible bug hunter around the globe.
The news spread all around the media and i was in every online blog and paper there is as the Ethical Hacker from Pakistan who achieved the third rank in the world
So by now you must have understood that what actually is the power of persistence, I was and possibly still am a nobody but i am better and more skilled from what i was when i hit Rock bottom. I was and am still criticized, but the number of critics has drastically reduced and what is left of those who have no reason. Take it from a failure people, do not pay attention to what others say, some may mislead you, some may misuse as well.
Now to answer the question about how i started and how an you start. Below are some key points for you to start into Web application Security research and Bug bounty hunting
1. Read online blogs of researchers and their disclosures
2. Sharpen your skills on live environment and free programs first, remember it is not the money to go after
3. Online disclosure catalogs such as H1 and BugBountyPOC
4. Google your problems and instead of asking the solution, find it yourself
5. Last but not the least, Do not give up
One thing i have learned is that your past never goes away from haunting you, Checking myHackerone Signal you can easily see that it is a reminder to me of the mistakes i did, and i hope it never goes away because this is my motivation point. People out there may criticize me for my past and i am fine with what they say because i was a failure and the more i am reminded of that, the more i will work hard, eventually moving up to the top again
Last but not the least, Work to Learn, Not to earn. If you have any questions or are stuck somewhere in your journey, ping me at my Email or Facebook
Hope this motivates to go out and get your dreams, Until next time
