
Would I Even Be Here If It Wasn't for the Internet?

BSides Knoxville · 2022 · 55:12 · 1.0K views · Published 2022-05
About this talk
Ben, also known by his Twitter handle, NahamSec, has been a vibrant part of the online hacking community for many years. At Hadrian, Ben will be playing a huge part in helping to develop AI that mimics a hacker's approach to digital security. Ben has created a number of different initiatives dedicated to knowledge sharing and community building among hackers, with a specific focus on web hacking and reconnaissance. Along with a successful YouTube channel and a Twitch livestream, Ben also hosts his own conference, NahamCon. Alongside Hadrian's very own Olivier Beg, Ben helped build the Bug Bounty Forum, a Slack community which enables hackers, bug bounty programs and bug bounty platforms to collaborate with each other. Ben's content is dedicated to connecting talent and promoting education. For the past 6 years Ben has worked at HackerOne in a variety of roles, including as Head of Hacker Education. As Head of Hacker Education, Ben used his skills as a content creator to help hackers and HackerOne customers learn more about recent hacking trends and techniques.
Transcript (en)

I never asked you how to pronounce your last name, but I'm going to take a stab. Oh, let's do it. I'm going to try it, I'm going to try it live; we do this live at BSides Knoxville. Ben Sadeghipour. Oh, you got it. How are you? So, Sadeghipour, yeah, yeah, yeah. So Ben is presenting for us, and if you don't know our tradition for keynote speakers: we don't pick the keynote speakers, last year's keynote speaker picks this year's keynote speaker, so Ben will get to pick next year's keynote speaker, so I don't have to do it. Much easier that way. All the best keynote speakers know each other, this is common knowledge.

All right, so without further ado, Ben is presenting "Would I Even Be Here If It Wasn't for the Internet?"

[Music] All right, anyone hear me okay? I lost my clicker somewhere, but I'll look for it. Before I get started I wanted you to say... oh, you had it, you stole it from me. Thank you. Turn this off. All right. Before I get started I want to thank all the organizers, also Sam, who was a previous keynote speaker for BSides Knoxville last year, who got me nominated to this year's keynote. Also a big thank you to all of you guys for taking your Friday afternoon to be here and listen to me ramble about bug bounties.

Throughout the slides that I'm going to present, I want to pretty much tell a story about a ton of amazing people in the hacking community, with a specific focus on bug bounties, where most of my work has been done. I want to tell the story of things that they have accomplished, and whether any of us would have been here if it wasn't for the internet giving us internet points and money for doing what we do. Before I get started, I want to make sure that I clear up that I'm not saying bug bounties were the reason why these people were successful. They all put in a ton of effort, lots of, you know, staying up all night and getting things done in order to get here, so I want to make sure I clear that up. A lot of these people have done amazing work on their own; bug bounties were just an avenue for a lot of them, including myself, to get to where they're at today.

All right, everyone ready? All right. So a little about me: I'm Ben Sadeghipour, most people know me online as NahamSec. I currently work as VP of Research and Security for a startup called Hadrian; we work on red teaming and attack surface management. Before that I worked at a company called HackerOne, some of you may be familiar with them. I worked with bug bounties; I worked as the Head of Hacker Education, where I created content for hackers to learn how to break into bug bounties and hacking. I've also hacked into a number of companies like Apple, Airbnb, Snapchat, Red Bull, Department of Defense, but we'll talk about my story a little bit towards the end of the presentation.

[Music] All right, but before I talk about any of that stuff, I kind of want to talk about how I learned about bug bounties, before I even knew about hacking. I knew about hacking when I was a kid, but I didn't realize how big of a community was out there for hacking and bug bounties. I literally had no clue what I wanted to do in life. I went to school,

I was doing computer science at Sacramento State University. If you're familiar with this school, I'm sorry; if you're not, good for you. It's not a good school really for computer science, at least; for criminal justice, great, but don't go there for computer science. But yeah, I was, you know, walking down the halls, I didn't want to graduate really, I had no plans for the future, I didn't know what I wanted to do. What was I going to do with this shiny piece of paper that cost me, you know, eight, six, five thousand dollars a semester, where I didn't really learn anything that I was passionate about? And to be honest, formal education wasn't something that I really cared for. I didn't see the point of going in and turning in papers. There's a class that's required by Sac State, it's game intro, mobile game dev intro, whatever you want to call it, with Java, and I failed that class twice until I was able to pass it the third time, and because of that I was put on probation. So school was definitely something that I wanted to do.

What's funny is I was actually skipping class to go to the library and learn how to hack, or I was going through class opening up my laptop, acting like I'm taking notes, so I can hack more and learn for, you know, whatever I was trying to get into. And if it wasn't for YouTube I wouldn't have been able to pass a lot of my courses. Big one is Calc 1. I took Calc 1 three times; the first two times I failed because the teacher would have random quizzes, and when you're not going to class those quizzes add up. When you miss like 90% of them, that's like, you know, 20% of your grade. So I found the one teacher that was nice enough to tell us every Friday you have a quiz, so I would show up on Fridays for 15 minutes, and then two nights before I would go on YouTube and practice whatever I knew was going to be on that test. I would copy people's notes, learn them, go on YouTube and practice, do my homework, show up to class, and I finally got a B somehow, thanks to YouTube, and passed. And I did that with Calc 2 and Calc 3. It was the same teacher; we had a gentleman's agreement: I show up on Friday, I show up to your test, you leave me alone, I pass. And he agreed, he was okay with it.

Eventually I got enrolled... my school started doing this cute program called cybersecurity. They're still using BackTrack, so if you're familiar with Kali Linux, you see BackTrack; they still call it BackTrack at my school, by the way. It's really that outdated. But they were doing these once-a-month meetups where, they would call it Kryptonite, I don't know why, but they brought up people from the federal people that wanted to recruit, and somebody in that group told me, like, hey, there is something called bug bounties. Which brings me up to my trillion dollar question: I'm going to give you guys a trillion dollars from Zimbabwe if anyone knows what bug bounties are.

[Music] Yep, so I have literally a trillion dollars for you. Whenever I'm done, you want to come and grab it. It's legit, by the way, it's not a joke; it's actually worth 200 bucks, apparently. But yeah, bug bounties are pretty much where you find a vulnerability in a company like the ones that I mentioned; they have a bug bounty program, they tell you the rules, you submit to them, you get paid. Just out of curiosity, anybody here participating in bug bounty, has ever submitted anything? Okay, a few people. Any of you part of a bug bounty program, like managing it? Okay, a handful of stuff.

But yeah, so it wasn't just the YouTubers. I talked about YouTube and the reason why I graduated, but it wasn't just YouTube; I also learned about bug bounties, that there are people that are making money. And I was on my super duper senior year, it was like my second wrap around the senior year that I was doing, and I heard about bug bounties and I really wanted to get out. It was either I say screw all this money that I've spent on school, you know, it's 30, 40, 50 thousand dollars you've spent on school, and I drop out and don't get a piece of paper, or I just suck it up and go to school for another two, three semesters, really focus on learning whatever it is, C's do get degrees, get the degree, have the paper and put it on my desk, and go get a full-time job. And I did that, I went and did exactly that. I learned about bug bounties, but I realized a lot of the companies that you want to interview for, they want you to have a degree or a million years of experience out of college, so, you know, having the CS degree is what kind of helped me. But the bug bounty thing was great because they were going to pay me if I find something in my free time. I don't have a boss, I don't have to report to anybody, and I thought that was like, hey, I can do that, I can probably hack into a company or two and make some money and learn while I'm at it. It was a legit business. I saw a lot of people that were making a lot of good money. Yahoo was, this is post... I don't know if you guys are familiar with Yahoo's bug bounty program; they were giving away like 20 gift cards at some point, and then the internet like went after them, cancelled their bug bounty program, and then they started paying like a lot of money at this point. So I really entered the bug bounty phase at a very early age, as people were starting to pay more and more, and honestly it changed everything.

First of all, I'm not here to sell you on bug bounties. I'm not trying to tell you to go do bug bounty or your company should do a bug bounty, anything like that. It's just it really changed my life. It really helped me do things that I didn't think I would do. It pushed me; I wanted to get out of school, and for someone who didn't care about school, it pushed me to want to get things done and move forward with my life. And it wasn't just my life that changed; it changed a lot of people's lives. The thing with bug bounties, it's very global: anybody in the world could participate,

so it didn't only change my life, it changed a lot of people's lives, including myself and a ton of other people that I have their photos on here. This is about a hundred people that I could find on the leaderboard of HackerOne. I'm going to talk about some of these in a little bit, but a lot of people across the world: there's people from India, Pakistan, there's people in Sweden, there's people in South Africa, there's people in, you name it, any country you can think of, they're in that. I think with the stats that I got from HackerOne, it's about a hundred and eighty plus countries that people are participating in bug bounties from. The only way you can't do bug bounties is if you're in one of those popular countries where they're sanctioned by the US, so North Korea, one of the countries I'm from, Syria, and Cuba, a handful, but everybody else could participate, get paid; all you have to do is give them your tax information. And throughout the scene that I've seen people come into bug bounties, we have different paths, and I'm going to talk about that a little bit. But this is just a small percent of people that are in the bug bounty space; this is not everybody, this is not every single platform, it's just a hundred or so people that I have found that were on a leaderboard at the time of making this slide itself. And someone should mint the NFT, by the way; I think it'll be a good one.

And also the cool thing about bug bounty is nobody cares about your background. Nobody cares if you have a bachelor's degree, no one cares if you are just learning, if you don't know anything, if you know everything, nobody cares, honestly no one cares. Everyone could get involved; it's open to everybody. So let's talk about some of these stories. Before we talk about them, there's a number of profiles that I want to talk about, and each profile will tell a story about some of those people that fit that profile. It's really important to understand why people do bug bounty. It's not all about money. You know, I know that money is a big driver for a lot of stuff, especially with bug bounty; a lot of people do it because it looks like the coolest thing, that you can make money, you can make hundreds of thousands of dollars within a few hours, within a few days, or a few months. But there are different reasons also people hack with bug bounties. And again, I'm going to say this one last time, I promise I'll move on from it: it really doesn't matter what your background is. Some of the people that I'm going to talk about come from digital marketing, advertisement, web developers, people that were IT folks that were working on an IT team. So it doesn't matter what you have done. The cool thing with this is that you can learn and also earn as you go.

So let's talk about these for the next few minutes. If you guys see people that seem interesting to you, their handles are going to be the first things that come up; look them up on Twitter, a lot of them are very active. They still share some of their stories, they share some of their tricks about hacking, how they have gotten started, some really cool hacking tips and things they've gotten really good at. So the first one I want to talk about is

the full-timer. The full-timer, the main objective is obviously they want to make money. That's the person that I talked about; they want to pay for their bills. And there's cases of people that have made hundreds of thousands of dollars, and we also have people that have made millions. I think the last number I got was one of the hackers, his name is Eric, todayisnew. Dude has a scanner in VB6, and he has made three million dollars with this thing that he has written, from technology from 20 years ago. He's very open about it, he says it himself, like, it's really old code that I've built, it's the only language that I'm good at, but it's made him three million dollars on HackerOne alone. I think they just announced his three million dollar celebration thing.

One of the first ones is dawgyg. He's one of my favorite people that I've talked to. He's based out of the US; on Twitter if you type in dawgyg he should come up, but he should be the only one with that name. He was actually a black hat; he went to prison and served a 13-year term for hacking multiple governments and companies in the 90s and early 2000s. One of them was Yahoo, and he's also made a million dollars from hacking Yahoo illegally. Now, prior to that, he was a chef. He had to go do something outside of computers because he was banned from using computers. And HackerOne has this program called HackerOne Elite where they pick five hackers every year; I think he was in the fourth year of the HackerOne Elite, where he was given this poster that just says you've been a big part of the community, whether it's being a part of the community, your contribution, your critical vulnerabilities, or you were consistent in what you were doing. Like I said, he was a black hat; he started hacking Yahoo legally, and when I met him and we talked a little bit, it's like, you know, the funny thing is I went to prison for the company that's paying my bills now. If 13 years ago bug bounty was a thing, I think I wouldn't go to prison, I wouldn't have to, you know, serve this long sentence, because I was just dumb and I was a young kid, I wanted to hack. So it's very cool that he's, you know, turned his life around, and now he's an offensive security engineer at a company called Briggs. And to show some of his stats, on the right you can see Verizon Media has changed name like a million times in the past three years: there used to be Yahoo, that turned to Oath, and then they became Verizon Media, and now they're called Yahoo again. But he was the number one hacker on their program, and these are all the private, sorry, public programs that you can see on his profile. So there's private ones that I can't show, but the public programs that he's hacked on, the US Department of Defense is a big one. He also went to prison, and a part of his sentence was hacking the Department of Defense, and now he's one of the top-ranking hackers on the Department of Defense, both on HackerOne and Synack, where they do most of their engagements.

The next one is mayonaise. I call it

"my own eyes"; it's based on a song, a really old song, I don't know if you know that song; he said that's where he got his name from. He comes from IT and data science, no security background at all; he just knows how to handle data, and if you know about today's age, everything we do is data, everyone's data is online. And he used to build CRMs, you know, to make money for college and pay for it, and then once he was looking for new business ideas, he discovered bug bounties. He's like, oh, I can find data, I just have to find these paths and look for these different routes, and they would spread out information. I know how to do that, I've built stuff on top of these APIs, I've got to look for them and manipulate them to make money. Within two years he made a million dollars on HackerOne, and you can see within those two years he was number two on the Yahoo program. He's hacked PayPal, Department of Defense, Shopify, and right now I think he's retired somewhere on the East Coast hanging out. And keep in mind, when I say Yahoo, the Yahoo program has been around for eight years, so for someone to come in in 2019... actually more than eight years now, 12 years, almost 10, 11 years almost, and for someone to come in at 2019 and become the second place hacker after eight years of the program being around, it says a lot that, you know, if you put in the time, you put in the effort, you can also make it happen. And making a million in two years, it's incredible.

Sam, also known as zlz, he's very into hacking crypto wallets right now, but before that... I met him when he was 16, I want to say 16, 15, 16. He was a freelance developer, is what he called himself at 16, and he used to play video games, and he didn't know it was called hacking, but he found ways of kicking people out of the game, trolling people's accounts, and then he realized, oh, that is called hacking, I can hack games and make money from it. He became a triage analyst at HackerOne for a few years; I think he was still in school when they employed him. He had companies like Apple, Tesla; he actually got a really cool bug from Tesla, I think 15,000, because he bought a Tesla and he put a payload there while he bought it and it fired, and they paid him 15,000, and it was all over the news. He just started Palisade, it's his own consultancy; he just started that last year, a year and a half after we sat down. I'm not a part of Palisade, but a lot of us that were a part of this research for Apple, they all made it into a consultancy firm now, and they're doing pen tests for a lot of companies. So you may have seen some of these headlines; I think in 2020, October, November of 2020, when a group of us hacked Apple and we found like 50, 60 bugs on Apple's program. That number's a little bit outdated; it was close to 500,000 that was made between six of us. So it goes to show again, he was still young, he's still young, I think he's barely 21 or 22 now. At 19 and making

a big chunk of that, it's a lot of money. And he just dropped out of college; he was like, nope, I'm not going to make the same mistake as you, I'm going to go work full time and make money, and it worked for him.

There's also the academic type. Like, you know, not me, I don't consider myself one of those, I made that very clear, but there are people that are doing this just to get better; their objective is to learn. They're either in school or they want to get certifications, OSCP or OSWE, you know, PenTest+, whatever you want to get; they also use bug bounties to do that. So they're still, again, unsure what they want to do, they're very interested in cybersecurity, and if you think about it, if you are, I don't know, 18, 19, in college, not a lot of responsibilities, you have a lot of free time, you play a lot of video games more than likely; replace video games with bug bounties, and if you make a thousand dollars a month, two thousand dollars a month, which is very easily doable with bug bounty, that's a lot of money in college. You no longer have to survive on like ramen and, you know, frozen food; you can literally pay for everything you want. And I know a lot of kids have done that, and to be honest, a lot of these folks end up graduating from whatever the goal was. You know, they get their certification, they do it for one, two, three, four years, whatever it is, they learn, they become really good at hacking, and what we call it is graduating from doing bug bounties, and they go get their first job at a company, they become a consultant, or they start their own companies like Sam was doing, or a few others I'm going to talk about.

So, Jack Cable, anyone familiar with who Jack is? So he also was very young when I heard about him; he was, I want to say, 16 when the Department of Defense launched their Hack the Air Force program, and he was I think the number one, number two hacker on that program. And later on he got a job through the Department of Defense; he worked for one of the defense digital services, he worked for them, and then later on, just a couple of years ago, he was helping with the election security stuff. And his background was nothing with security really; he just did development and knew how to code at a young age. He was a self-taught engineer, and then he heard about bug bounties at 15, 16, and he wanted to learn how to hack, hacked the Air Force, scored his job. I don't even think he touches bug bounties anymore, and because of all the work he has done, he also was accepted to Stanford, so he went to Stanford. I think he's already graduated at this point, but yeah, you know, he's a prime example of someone who came from really no security background. Again, I understand he's younger, 16, 15, you have more time, but he put in the time and effort, and while he was going to school he learned and learned and learned, and he ended up being one of the advisors on all the election stuff that was happening in DC.

He is another young hacker, I'm not sure how old he is, I've met him a few times, it's hard to tell, but he seems very

young. His background is a little bit different: he was doing a lot of CTFs, he was playing CTFs to learn. A lot of teachers, like we do here, downstairs I think Secure Code Warrior is doing one; every conference you go to, they do a CTF, and it's a really good place to get exposed to what you like to do in cybersecurity, especially the bigger ones when they have web, they have crypto, they have mobile; you get to play them and see, okay, maybe I like web over mobile, maybe I like mobile or something else. He did this exact same thing, and he became really, really good at playing CTFs. He heard about bug bounties through a CTF that HackerOne hosted, and he actually won that CTF, and they flew him out to one of the events. I'll talk about those events a little bit, but he said... I reached out to him because I was familiar with the story, and I asked him, like, hey, what's the story behind you and bug bounties? Like, he always talked about how much it's helped him. So he told me he didn't really rely on bug bounties to get a job or to, like, use it for his resume, but it helped him understand all these technical things that they ask you during interviews better, because he was actually on the offensive side now. He was finding these vulnerabilities, and when he was doing these interviews he was able to answer those questions better, because he had a dev background already; he knew how to write secure code as much as he could, but he didn't know how to explain what an XSS was, what a SQL injection was. So he's finding them, learning them, and then now he's going to interview for different jobs, and he's actually a security engineer for GitLab, the last time I spoke to him.

There's also what I want to call the careerist. This objective is fully, and I've seen so many of these people that come through the bug bounty scene or even the pen testing scene, is that they just want to get a job doing something technical with pen testing, with offensive security. They just want to learn, they want to see where they fit in. So again, the main objective is to score a job. They have all the necessary experience, they've read all these books, they've done all these different challenges, they've done CTFs, and they want to get past HR. Maybe they don't have enough experience, and I personally could talk about this, and I will a little bit: I got past HR because of my background experience. So you may know how to use these tools, but you have nothing to showcase for it. It's great that you know how to use Burp Suite, but can you show that you can find things with it? So we want to talk about this a little bit more. I posted this tweet and I asked for two things: one was, is anybody doing full-time bug bounty hunting, which we already talked about a little bit, that was the first profile that we talked about; and the second one is, has anyone gotten a job by doing this and putting the bug bounty experience on their resume? So Jack Cable... not Jack Cable, sorry, Jack, I don't know his last name, "finite" he goes by. He found a really cool stored XSS on Facebook, and he reported it, the write-up; the

write-up was amazing, and three months later he was hired by Facebook. He worked for them for four years and then he moved on to another consultancy, a big consultancy place, to work for. But he purely got that job because he hacked on the Facebook bug bounty program, and that last report that he sent them really got him a job; it got him in front of the people that mattered and had the hiring power to get him on the team. Next one is shubs. We will talk about him a little bit more in a little bit, but he got his first job, I want to say Bishop Fox, by putting some of his bug bounty stuff on his resume, and he used some of that money to travel the world. Albarton, he was a student in, I want to say, Australia, Sydney. He got his first gig; even though he was a student at the time, he scored a job, becoming an apprentice on a student visa in Australia somewhere, and he was able to help his family. Tom, he's a great developer; some of his tools that he's put out for offensive security are great. He also has gotten three jobs in the past like seven years; he's gone from company to company because he made so many great tools for hackers, and also his experience with bug bounties as well. Random Robbie, if you're a developer you've probably seen him in your S3 buckets at some point; he like wrote to every S3 bucket at some point in his life, everyone that was vulnerable, and because of that he landed another job, and I think he's also at Bishop Fox as well.

This is a cool one. This is not the person that got the job, but one of their number one hackers, their number one hacker on their program, they reached out to him for an interview, they hired him, and he was hired at Mail.ru because he was just killing it on their bug bounty program, and he probably knew more about their platform than the engineers knew because of how much he stared at it. So another example of people that have scored a job by just doing bug bounties. Then Alyssa also did Hack the Pentagon a lot; she currently also was a defensive security engineer, same thing. If I just wanted to, you know, put some of these up, there's a bunch of them: Vimeo, number one hacker on their program, still is, but is now hired by them; Douglas, same thing, ranked hacker in their program, now he works for them; been healed, same thing, he's gotten CVEs from bug bounties that put him on his resume. You guys get the point, I don't need more screenshots, but yeah, there's a lot of people that have done this. It just shows that you can leverage your experience if you find a few vulnerabilities. Who wouldn't want to say, hey, I've hacked the Department of Defense, you know, I've gone and shelled the Department of Defense, put it on your resume? I think a lot of engineers or a lot of hiring people will see that as a good experience versus having actual work experience that you haven't gotten in the past four or five years.

Some of the favorite stories that I have, it's the same thing, some of the bug bounty hunters: this handsome guy, his name is Peter Yaworski. He came into, he's also HackerOne Elite, he came into an event, so HackerOne

hosted those events every year or every few months, at least we used to, they used to, I'm no longer there, but they used to host an event every few months in a random city. It would fly everybody out to that city; they've done stuff in Argentina, Singapore, some stuff in Canada, all across the US, and then they fly everybody and put them in a hotel, show them the city, and then they put them up in the competition, and they're doing one next week. And they pay up to, I think, the most they paid in three nights was the Las Vegas DEF CON event that they did, I want to say 2.8 million dollars in a weekend was paid out to about 80 hackers. He came out to one of them, his first time, at h1-415, which is in San Francisco, and he met the Shopify team there. He hacked on Shopify, he met the Shopify team there, he had his first quote-unquote screening at the event, and then a few months later he was hired by them. He just left Shopify not too long ago, and now he's working at Stripe, and he is currently ranked number three hacker on the Airbnb program. You can see he has hacked on a bunch of other ones: PayPal, HackerOne itself, Vimeo, GitHub, Twitter, and Shopify, and Starbucks. And he's also my favorite Canadian hacker; he's a very nice guy, and I will talk about him a little bit more because there's another story I want to talk about that will come up in a bit.

Next one is Joel, aka teknogeek. He's a very good mobile hacker, also HackerOne Elite. He has had companies like Shopify, Vimeo, PayPal, GitHub, Dropbox, you name it, he's hacked into it, mostly from mobile. He also got his job because he came to h1-702, which is the Vegas edition of HackerOne's event, and during h1-702 he hacked on Uber, found a crazy mobile bug, and within the next few months was also hired at Uber. And now the cool thing is we found Joel while we hosted a CTF, and he was working at some random company doing mobile pen tests, very junior kid, no experience really. He won our CTF, he was our first person to solve it, it was a mobile CTF, came to the event, met them, and now he left Uber to work for Tinder. And he also openly has talked about this: he dropped out of school, he was going to school in New York, and he was just like, too expensive, I'm already making money, I have a job offer, I have a full-time job offer that I can take, I don't want to go to school, and he made a decision to drop out and not continue his school.

The next profile, this is my favorite one, is the moonlighter. The objective is that they want to learn and they want to earn. They already have a full-time job, they don't need to have another job, but they just do it for fun; they love hacking, they like the community, they have a lot of free time maybe, and they want to do something with that free time, or they just purely want to make extra cash, double their salary, and I know a lot of guys have done that. I have one example of this, Ziot. He used to be a red teamer; he just left his current gig to do something

completely different. But he came in as a QA analyst. He heard about bug bounties and, throughout the QA thing that he was doing at work, he would do bug bounties at night. And before he left he was the managing person in charge of the red team for a big gaming company that's been all over the news with California recently. So he was managing an entire team for a while, and he went up just because he was doing a lot of bug bounty stuff. He was learning how to automate things, how to do attack surface management stuff, how to, you know, do hacking to companies and leverage that to go up the ranks as well.

He's also won the Uber badge for DEF CON twice in a row, he's done it back to back, which if you're familiar with it, it's incredibly hard to get that. And also he loves creating puzzles, he's big on solving puzzles. He's solved one of the biggest content creators', mainstream content creators that most people know, he did a puzzle a couple years ago and hackers hacked his puzzle. He was maybe involved in some way, I'm not sure, but from what I know he's done a lot of puzzles, and some really big ones with Bitcoin, and you know, there's a lot of money involved, and he's been the first to always

get involved. This is actually a photo of him from an event that HackerOne hosted in, I want to say, New York with the Department of Defense. That's one of the staff, he was one of the highest-ranking people, who was in charge of the DoD security program, shaking his hand saying thank you for one of the craziest bugs I've ever seen. He had access to some really, really crazy internal stuff that belonged to the Department of Defense, and they were even shocked, they were like, this should have never happened, and he was the person that found it. And honestly he's one of the best connections I've made. Not only have we become really good friends, but we've

learned together, we have done a lot of crazy stuff together, and he's a prime example of someone who has done it all. He wanted to go up the ranks at work, he did it through bug bounties. He wanted to get better at his job, he did it with bug bounties. And he wanted to make money, and I think he was matching his salary by moonlighting for HackerOne and Bugcrowd and making some money. Well, it hasn't just stopped at hacking. I talked about a lot of hacking stuff, a lot of it is with hacking, but there's also content creators who have come out of this entire bug bounty scene. You may

have seen this guy on YouTube a lot. His name is STÖK. I wish I could do the intro, it goes, hi my name is STÖK, and he does this, you know, the peace sign thing in his videos. He came into another event, he socially engineered his way into an event, and then later on he became a part-time bug bounty hunter. He also won one of the events at some point in New York, I want to say. He used to create a lot of content with bug bounties, now he works at a company called Truesec, he makes a lot of cyber security content, like red teaming, for them, but a lot

of his exposure came from his bug bounty stuff. He was putting out videos of how I made fifteen thousand dollars in one day doing bug bounties, it was just one single bug that he had found, and now he's got a lot of sponsorship opportunities from other companies like Hack The Box, TryHackMe, you name it, he works with them and makes content for them. And he's also used those bugs he has found to present at a number of different conferences. Next one is Katie, InsiderPhD. She does a lot of API hacking stuff. She also was a mentee at an event that I eventually hosted, where they bring out people that you

know are very new to the scene, they put them with a top hacker in the scene, they learn everything from them. She came to a lot of the live hacking events but then ended up going down the path of making YouTube videos, and now she talks at a lot of different conferences. She was hired by Bugcrowd, and she just left the company not too long ago. Bugcrowd is also one of those bug bounty platforms. So it just shows: went to an event, learned some hacking, made some videos, put herself out there, and within a year or two she was hired. She's very big in school, I think she has her

PhD in computer science or something similar, and now she's left and she's doing work on her own, and I think she's teaching now at a university out in the UK. The last one is Farah. I'm not sure if you may have seen her on Instagram a lot. She's a content creator out of India. She started making content back in 2020, she started helping people on her Instagram, she talks about different resources on how you can get into cyber security, hacking, tech, all that good stuff, and she talks at conferences. The story I want to talk about with hers is, again, the content creating thing. She was learning how to do single sign-on hacking, for example. She

wanted to learn how to do that, she would learn it, she'd make a video on it, present it and put it on YouTube, and she has done that with a handful of them. And then not too long ago Bugcrowd also hired her and she's now a manager for a triage team in her region, within a couple of years. So another story to tell about people who are creating content. I don't think she does bug bounties or actively hacks on anything, but just because she wanted to learn, she put her journey on YouTube for bug bounty hunters like herself, and she scored her job because she was so good at explaining things and communicating them to a non-technical

audience. But it's not just YouTube content. The people that are writing books, I know Joe's here and Cory's here, they're doing books, not really super related to bug bounties. But you guys remember this guy, Peter? So originally, before he started doing bug bounties full-time or part-time, whatever we want to call it, he put a book together, an e-book. All he was doing was looking at HackerOne's Hacktivity. So HackerOne has a page called hackerone.com/hacktivity, where every researcher or company can mutually agree whether or not they want to publish a bug that has been found. So he was looking at every single one of them and he was compiling them in a book, and

he was explaining how these bugs were found, what was the reason why this bug worked, how did it work, what was the impact, and he put it into an e-book like this, and people were buying them for 10 or 20 dollars. And then a few years later he was a published author for the book Real-World Bug Hunting: A Field Guide to Web Hacking, purely from bug bounties. I think the book still uses some of those reports, from what I remember. But just to show, before he was a bug bounty hunter, before he was hired by Shopify, he was doing this book part-time, and it gave him a lot of opportunities because he

was putting something really cool together, and then later on it became this book. Vickie Li is another author, I'm not sure if you guys are familiar with her. Her book is very good, I would really recommend it, especially if you're new to bug bounties, it's a great book to read, both of those together. But she was also the same kind of concept. She was working as an AppSec engineer, she's a great blogger, if you go to her blog, it's vickieli.medium.com, the way she explains technical things, it's incredible. I wish I could communicate the way she does in technical terms. But she started making security content on her site, she has some YouTube videos,

and then later on she also came out with this book, which covers a lot of vulnerabilities that are very common in bug bounties, and also, you know, she's a published author with something related to bug bounties itself. There are also courses and trainings, there's a ton of them. This guy was a very smart hacker who did a lot of cool stuff with his content. His name is zseano, he's a hacker based out of the UK. He was the top hacker on Bugcrowd for a while, until he got banned unfortunately. He was very well known for hacking Amazon and TripAdvisor, and he also makes content on YouTube, you can look him up at zseano.

He sat down one year and he wrote his entire methodology in the form of a book, and he thought he could sell an e-book online on the internet without it getting leaked. Unfortunately, being on the internet, everything gets leaked, including his book. But then he pivoted. He created this thing called bugbountyhunter.com, where he's created a fake infrastructure and he personally asks you to find vulnerabilities, just like a bug bounty program. You write a report to him, in some cases he pays you for those reports. That fake vulnerability is not a real company, but he pays you for it, and he tells you what to do to get your reports to be better. And he has, I want to say, he

has created bug bounty hunters, a dozen of them at least that I know of, because he has spent this time to do it with them. It's a one-time fee to get on his website, but it just goes to show, a hacker who has hacked, you know, Verizon Media, some gambling sites, Hyatt, Zendesk, Dropbox, PayPal, put it on a website, he's just full-time doing this and investing his money in trading cryptocurrencies right now and making more money. Just goes to show, he's taken that knowledge, put it on a website, created a resource for people, and he's paying people to learn, and also they're taking that knowledge, taking it somewhere else and making money from it.

There's also Udemy courses, there's hundreds of thousands of them. People have made tons of courses on bug bounties or web hacking, it's a big part of it. But again, there's another entire avenue of making money with this: there's startups that have been created by bug bounty hunters, either by them or for bug bounty hunters. A great example is this guy that I talked about, Shubs, Shubham Shah. He is the founder of a company called Assetnote, and I'll talk about it a little bit. He's also another HackerOne elite. And I don't know how this guy's brain works, he knows how to rip an application or infrastructure in a heartbeat, and he has made tons of money

from it, I think he's close to a million, if he hasn't passed a million dollars. He was doing it as a moonlighter at first, before he founded his company, he was doing it part-time. He was working full-time and at night he wanted to get better, he had the time, and he was making a ton of money, especially on United Airlines. They were giving out miles, and I want to say he had maybe 10 million miles at some point, to the point that he was saying, I don't know what to do with these, like there's only so many people that can fly first class that I can use all these miles on. And I

think he still has a ton of them and he still hacks them. But going back to his company, he founded this company called Assetnote. The entire team is a bunch of bug bounty hunters. They have no VC funding backing them at all, everything has been done by him and his team, I think, from what I understand. And they pretty much have put their brains together, especially Shubs's brain, into a methodology of how they find these different assets and how they automate to make money, or actually find vulnerabilities for their customers. And then on the side they use the same technology to scan other bug bounty programs that are not their customers, in hopes of them becoming a customer, also making

more money from it. So he was one of the first to, you know, take his knowledge and take the money he has made and put it into a company, investing in himself, and hopefully they'll make something beautiful out of it. Geekboy, he's another hacker out of India. He was an ex-HackerOne triage member, he was also a HackerOne elite. He has had companies like Yelp, Udemy, Rockstar Games, AT&T, a bunch of other ones. But he just left HackerOne one day, like, nope, I'm done, I want to start my own company. Not only do I want to do it for the enterprise side, but I also want to

do it for the community. So a lot of the tools that you may be familiar with, by a show of hands, anyone know the tool Nuclei? Okay, so Nuclei is one of the tools that a lot of the offensive security people use that fingerprints every single asset that you scan. So you find an asset, it tells you, this is what it runs. They wrote that, they open sourced it, the entire community contributed to it. There are other tools like httpx, subfinder, naabu, dnsx, a ton of other things, and everything again is on GitHub. If you go to github.com/projectdiscovery, I think is their handle, everything is there, you can use them. They also created this platform,

projectdiscovery.io. I haven't seen it myself, it's a demo right now, it's been in a demo for three years. But every day they release target listings for bug bounty hunters. So for example, Yahoo and Google have a bug bounty program, every single asset owned by Yahoo is indexed on Chaos for free to download, and if you have access or an API key they give you more information. And I think they're hoping to go the enterprise route to get customers to onboard and sign their data. But wait, there's more. We're almost done, I promise. I talked a lot about, you know, content creators, I talked about BugBountyHunter, I talked about Assetnote, every different avenue that people

have made money. But I don't want to leave it there, like, this, you know, glorified thing, like, look, everyone's making money doing business and doing these things. People have done other cool things. I just wanted to ask, like, hey, did you do anything more meaningful than investing in yourself? People starting a charity, getting married, paying for their wedding. You know, I talked about dawgyg, he did the same thing, he turned his life around. Sean was able to travel a lot, he calls himself, hey, what is it, a nomad. He's seen like almost every country that's out there in the world, he's hiked somewhere weird, like he's done it all.

He's bought a house. big cork has bought a car, saw a regular trade of donations, bought his uranium 23.8, he's bought his house, he's bought his parents a car. And just recently he said he was investing in a business, and that business has actually come up and it's running for his parents as well. Bought their parents' house, saving for college, bought a lot of pizza, and just name it. But this is one of my favorite stories, because these two brothers, they came out of India and one of them was in school, one of them was in IT, and they both helped their parents retire. And not only retire

their parents. So one of them, I don't remember their names, I haven't seen them in years, but the younger one goes to college and they both find out what bug bounties are. He drops out of college to do bug bounties full-time, and then they're supporting their family and each other, and then the brother quits his job and joins them, and they full-time do bug bounties out of India, and they entirely just gradually retired their parents and brought them home. And anything that they could have done probably in the next 10, 15 years, they would be able to do it in a few years by just doing bug bounties. And my favorite one is, I actually

hosted a conference very focused on bug bounties and we ended up raising 52,000 and donated every single dollar of it to the Leukemia & Lymphoma Society. And I want to say a large majority of the donations, at least half of them, came directly from the bug bounty hunters I mentioned in the story, and the other half was from corporate sponsorships and people that had a bug bounty program, and it all went to a good cause of the good research. All right, now let's bring it full circle. I think I have like five more minutes to finish this, I'm going to go through this very quickly so there's time for a Q&A. I talked about a lot

of people, I didn't talk about myself, I want to keep that for the ending to kind of show you why I told you all this stuff that I did. So would you like to hear my story? Yeah, okay, cool, because I was going to say too bad if you said no. All right, so I'm not sure if I mentioned, I go by NahamSec online. I didn't know what I wanted to do. I'm also HackerOne elite, I've had all these different companies, talked about it a little bit. I barely knew anything about the web in college. I've done hacking but it was like copy-pasting payloads, didn't know what it did really, I just knew XSS

existed. I spent a lot of my time in college in digital marketing, advertisement. And I've gone through every profile that I've mentioned, from the moonlighter to the careerist to the person that wants to learn, the learner, I've done all of them, and I've created some business because of bug bounties. If it wasn't for that I wouldn't have been able to. So I originally got my first real engineering job at Hulu because I found a vulnerability in one of their assets, submitted it to them, a year later exactly I interviewed for a position, and I worked for them for nine months, helped them build a bug bounty program. And then I wasn't a big fan of Hacker

One. I criticized the crap out of the company on Twitter for a while, and then they killed me with kindness, brought me over to their office, and I ended up being an intern there. I worked on the triage team, I moved up to customer success, you name it, and towards the end I ended up working as the Head of Hacker Education for them, and now I'm the VP of a brand new startup. But I realized that I really enjoyed hacking, but I want to have an impact on people's lives, I want to do more than that, I wanted to be able to share my story with other people. I started creating content, so I have a

YouTube channel and Twitch. I pretty much let people look over my shoulder so they can learn how to hack, and I know a handful of people that have reached out to me, like, hey, I watched your streams for a couple of months, I got my first pen testing job. I have a guy out of, I want to say, New York, he was a cook for a fast food chain. Every Sunday he would watch my streams as he's working, and then within six months he messaged me saying he got his first pen test gig, that went from 12 an hour to 45 an hour, he was working hourly. And then he

also messaged me not too long ago, he said, I just got my full-time job and I'm making the most amount of money I've ever made in my life, because I watched people do things and I put in the time and effort to get out of what I was doing already. But that wasn't enough for me, I wanted to do more. I wanted to get into public speaking, so I started going to conferences. I've talked at a handful of BSides conferences, AppSec, ShellCon. I've had the pleasure to work with DEF CON, I help with organizing Red Team Village and AppSec Village now. So I wanted to really get out there and do more.

When conferences were shut down during the pandemic, I was really bummed that I couldn't go to any conferences. I try to go to every conference I can, I would pretty much say never say no to a conference unless I really can't go to it. So I started two conferences: VirSecCon, which we did in 2020, unfortunately for COVID, it was literally when the entire world got shut down and there was nothing happening that weekend, VirSecCon was planned for that weekend and everybody came and watched it, which helped out. And I also created NahamCon, which actually turned three this year, I just did our last edition last month, and

we had 9,000 people playing our CTF across 3,000 teams, and companies were, you know, helping us put it together, and some other people that I showed, for example Shubs, zlz, they were also speakers at the conference. What I'm trying to get to is that everything that I've mentioned in the past couple of minutes that I've done was purely because people on the internet were brave enough to trust other people on the internet to find bugs in their assets and in their products, and pay them. So all of this said, if you want to get into bug bounties, it's not too late. It doesn't have to be bug bounties alone, it could be anything you want to do, it

could be anything with hacking. Again, the good thing with the hacking community is that you could do anything you want, you could be anywhere you want in your life, it doesn't matter, you can get started today. Some of the people that I've shown were in their 30s, 40s, I know people in their 50s that are still getting started, so it's never too late to get started with this, whether you want to get into red teaming, you want to get your first certificate, whether it's bug bounties, hacking, whatever that is. So, quick bug bounty resources. I showed these three books, the two are the same. I would definitely recommend getting the

last two for bug bounty specifically, they cover a lot of stuff that you need to know. I know there's two other people that I have from the same publishers that have books downstairs, also highly recommend them, they touch on things that you can use for bug bounty hunting as well, but those two were the ones that really stood out to me and I can actually talk about them. There are three different websites you can go to. The first one is called Hacker101, it's a platform owned by HackerOne. They have a CTF, you go do the CTF on their platform, if you solve enough CTF levels they give you an invite to a private program where

you can make money and you can start building your resume with them and get invited to more programs. Web Security Academy by PortSwigger, incredible, I highly recommend it. It teaches you how to use Burp Suite and also teaches you a lot of good stuff for hacking. And then hackerone.com/hacktivity, you can see other people's research that has been publicly disclosed on HackerOne. BugBountyHunter, that I talked about. PentesterLab is a great resource, I think it's about 14 a month. If you want to have a structured course, try Udemy. I don't recommend it, even though I have a course myself, I still don't recommend that you do. Stick

to one of the other platforms like TryHackMe, Hack The Box, PentesterLab and BugBountyHunter. And the reason why I don't recommend Udemy is you learn things in theory. If you need that, great, go sign up for a Udemy course, but the hands-on things are what teach you the most, especially with TryHackMe. They have rooms and they have paths that you can learn to build up your skill sets. So if you know nothing about cyber security, they have a prerequisite class that you can take, and then it tells you, now that you have done this, go through the basics of networking, basics of hacking web apps, and you can just keep going down those

rooms. Twitter is a great resource, I dropped a lot of names on there. Honestly, if you're shy, you don't want to tweet, go on Twitter and follow a lot of people. Jason Haddix is a good example, he does threads every day about how to do X, Y and Z, it's a new one every day. YouTube, there is no shortage of content creators nowadays, you can get a ton of different people creating content to learn from. And then go on GitHub, GitHub has a lot of GitHub pages that have a lot of resources in them. And last but not least, if you did enjoy the stories that I told you, every Sunday,

I mentioned I do a stream. I bring out some of these top hackers or people that have done something in the community that have a story they want to tell. I interview them every Sunday on Twitch, and you can come hear more about them and learn hands-on from them. And I think that's all I have, thank you for listening.

Yeah, absolutely, I would love to. Anybody who has any questions, I will run the mic to you. Ah, I see one.

Hi, that was really interesting. My question is, do you think bounties are going up or are they going down? Because it seems like as more people get plugged into this it'll be a race to the bottom, so maybe there won't be these career paths because bounties will just be lower. On the other hand, as more companies start programs, then they have to attract hackers, so they have to, like, pay commensurate bounties. So which way do you think it's going?

From what I have seen, it's going up more. Just like you mentioned, just like there's more hackers coming up, there are more companies being open to doing bug bounties. Apple would never pay for a web

app vulnerability, they just started doing that a few years ago. I think it's going up. As much as there's more hackers coming, there's also more programs being launched, and I've seen the bounty amounts go higher and higher and higher and higher. I know they're getting harder and harder to find, but also the money you're getting, the average money you're getting paid, is becoming higher and higher from some of these companies. I think Verizon Media went from like an average of 10k for a critical, right now they pay 20, 25,000, so that average has gone higher and higher as, you know, more companies come through. Anyone else? Yeah.

So for a beginner, do you think it's better to do CTFs, or start to try to find bugs in programs, or just do a mix of both?

A mix of both, I would say. Definitely try, you know, PentesterLab, Hack The Box. Unfortunately they're not free, they cost a little bit of money, but it's not as expensive as OSCP, you're paying 20 bucks a month, and depending on how much time you spend you can learn a lot. And I would honestly say go hack on vulnerability disclosure programs. Those are companies that don't pay, they just accept your vulnerabilities. A lot of these top hackers aren't going to waste their time on those, and I mean waste

because they want to make money. But I personally, that's what I started with as well. I went on these, you know, DoD has a program that's free, GM, IBM, they all have programs that you can go hack on and learn. I would say focus on those until you have a methodology of how you look for bugs, and then you can go to a bug bounty, because this way you can get experience on how do I look for XSS, what is recon, what is this. A lot of the top hackers aren't going to spend time on these free programs because they're not going to make money from it, so it's a really, really good place to go. Do these CTFs,

learn specific things, and take that knowledge and hack on these programs like DoD and find bugs on them.

Does it seem like more companies are starting to offer bug bounty programs? Is there some type of data that they're seeing, that companies that offer bug bounties are having less malicious attacks versus companies that don't offer it?

I don't think there's ever going to be a company seeing less malicious attacks, but the question is, like, no one's going to stop hacking your company, you know, black hats are always going to go after your products, why not let people do it legally and then they can help you prevent it. I can't say bug bounty has prevented it in any way, but there have been times I've seen vulnerabilities come out that could have caused a lot of issues

for a particular company that would have probably not been found through a regular pen test, and these companies are doing multi-million dollar pen tests also. Nothing against pentesters, I'm just saying, like, with people that are working as freelancers, they're not getting paid by the hour, they have to get their return for their time, so they go for the maximum impact versus looking for, you know, OWASP Top 10, that sort of stuff. If you're a pen tester, please don't come after me, they're both great things to do, it's just different.

Hi, I was just curious how often is it that you have to haggle over the severity when you do find a bug

in order to get a bounty that you know you deserve?

For me personally, my experience is not a lot. It's happened a few times, it depends on the company first, and also as a hacker I get way excited, like, this has got to be a critical, the moment I find it, then the more and more they explain it, it makes sense. There's been times when I've offered, like, hey, can we go on a phone call where I can explain to you why I think it's a critical versus a, you know, a high. But also we have CVSS, I know it's not the best tool to use out there, but we've seen this as, you can calculate and say why it's a

critical, and I would break down why I think, you know, the confidentiality, integrity are high because of these reasons. So I really try in my reports, if I know a company has never worked with me in the past or I feel like I'm not going to get paid, I will try and break down why I think it's, you know, more impact than they can tell. But also sometimes these companies don't know their own products, you know, the engineer just started last month, they have no idea what this asset does, so explaining those things has helped. But it still happens, you just have to be able to be given the benefit of the doubt,

going with good intent, and usually, I want to say 9 out of 10 times, it's worked for me.

All right, another hand for Ben, that's our keynote. [Applause]