Vulnerabilities Hacker Conversations: Youssef Sammouda, Bug Bounty Hunter
The Making of a Bug Bounty Hunter
Youssef Sammouda, a Tunisian security researcher, has made a name for himself in the bug bounty community by focusing on vulnerability assessments and hacking competitions for some of the largest companies in the world, including Meta and Google, while also working as a security consultant for start-ups. His journey into the world of bug bounty hunting began at a young age, as he started programming when he was just twelve years old. However, at that time, there were limited opportunities for legal hacking, and bug bounty programs had not yet formalized the legality of ethical hacking.
Legal pressures and challenges still exist for researchers in this field, as demonstrated by a recent incident where a journalist discovered social security numbers embedded in plain text on a Missouri state website. Rather than being rewarded for responsibly disclosing this issue, the journalist faced potential criminal charges for hacking. These legal threats can have a chilling effect on researchers, causing them to seek alternative avenues for honing their skills.
Sammouda turned to Capture the Flag (CTF) competitions to further his knowledge in web and mobile application security and avoid legal issues associated with bug bounties. Over time, he gained the expertise necessary to choose between freelance work and joining a company as an application security engineer. It was during this period that bug bounty programs emerged, offering researchers like Sammouda the opportunity to earn a living while continuously learning and working with various companies.
The Personality of a Researcher
Curiosity is a key characteristic of successful researchers like Sammouda. It is their curiosity that fuels their drive to challenge themselves and the programmers who develop code. Contrary to the stereotype of a solitary hacker in a dark room, Sammouda emphasized that researchers do not necessarily choose to work alone but often do so due to the nature of their work. This isolation is a result of the work chosen, not a requirement for success as a researcher.
Sammouda also questioned the importance of a formal education in cybersecurity research, as he dropped out of university and self-taught himself through reading, forums, and analyzing published proof of concept exploits. While a formal education can provide valuable knowledge and skills, Sammouda’s success demonstrates that a passion for learning, practical experience, and staying up-to-date with industry developments can be just as valuable.
Approach and Earnings
Sammouda’s success as a bug bounty hunter stems from his meticulous preparation and planning. He treats bounty hunting with the discipline of working for a company, investing time in understanding program policies and estimating potential earnings. He emphasizes that the quantity and quality of bugs found in a year determine the income earned. By constantly staying informed and learning from previous experiences, he has become confident in his ability to find bugs efficiently.
In terms of earnings, Sammouda has made around $400,000 per year from bug bounties with Meta and Google, and closer to $900,000 in the last twelve months. Over his career, he has discovered approximately 140 bugs, with the majority found in Facebook and the remaining in Google and other prominent companies. His success can be attributed to his thorough preparation, extensive knowledge in security, and dedication to continuously learning.
The Temptation of the Dark Side
While some researchers may be tempted to sell discovered vulnerabilities to criminals on the dark web, Sammouda strongly believes that there is no longer a need to resort to illegal activities to make money. With bug bounty hunting and similar programs, researchers can earn significant revenues legally. Sammouda maintains a strong ethical code and feels obligated to protect users with his skillsets. The lure of the dark side, as he puts it, doesn’t make sense when legitimate opportunities to make millions exist.
Regarding the impact of geopolitics on the distinction between black hat and white hat hackers, Sammouda believes that bug bounty hunting can be done from anywhere in the world. He resides in Tunisia and has never felt that location has hindered his ability to participate in bug bounty programs. The rewards are reasonable, and payments can be made in cryptocurrency, making bug bounties accessible worldwide. While some researchers may choose to work for their government in certain areas, the choice to do the right thing always exists.
Ignoring Bounty Schemes and Responsible Disclosure
Being ignored by bounty programs is occasionally considered a reason for selling vulnerabilities on the dark web. However, Sammouda has never experienced this situation himself. Companies with bug bounty programs are generally responsive to critical bugs. In the rare instance where a company refuses to fix a bug, Sammouda advocates for responsible disclosure and contacting third-party companies or developers directly to push for resolution. Full disclosure, while a last resort for some researchers, is not preferred by Sammouda.
Advice for Aspiring Bug Bounty Hunters
For those aspiring to become successful bug bounty hunters like Sammouda, he suggests starting by learning programming, as cybersecurity research requires the ability to understand how programs work. Familiarity with programming languages specific to the area of interest, such as web or mobile applications, is crucial. Sammouda recommends playing Capture the Flag (CTF) competitions for at least three years, consistently practicing and gaining experience before embarking on bug bounty hunting.
Staying informed through news, security research, and whitepapers is also essential. However, Sammouda believes that inherent curiosity is the driving force behind successful bug bounty hunters. It is this curiosity that leads to continuous learning and a natural progression in the field. Additionally, he emphasizes that bug bounty hunting can be a part-time endeavor rather than a full-time job, offering flexibility and the opportunity to earn a significant income.
Conclusion
Youssef Sammouda’s journey as a bug bounty hunter exemplifies the evolving landscape of cybersecurity research and the potential for individuals to earn a living while contributing to online safety. His success is a result of meticulous preparation, continuous learning, a strong ethical code, and a deep-seated curiosity. Sammouda’s story also highlights the challenges and legal concerns researchers may face and the importance of responsible disclosure and communication with companies to ensure vulnerabilities are addressed. As the bug bounty industry continues to grow, aspiring researchers can learn from Sammouda’s advice and experiences to pursue a rewarding career in this field.
<< photo by cottonbro studio >>
The image is for illustrative purposes only and does not depict the actual situation.
You might want to read !
- Ransomware Wreaks Havoc in Industrial Sectors: Report Reveals Alarming Rise in Attacks
- Tempur Sealy Cyberattack: A Wake-Up Call for Corporate Security
- Exploring the Importance of Data Security Posture Management (DSPM)
- SpyNote Android Trojan Campaign: European Bank Customers Face Targeted Attacks
- Space Pirates: Unmasking a Cyber Campaign Across Russia and Serbia
- Potential Chinese Malware Threatens US Systems: Delicate Countdown to Disaster
- China’s Volt Typhoon APT: Unearthing Deeper Threats to US Critical Infrastructure
- Election Security: Progress and Challenges Ahead for 2024
- CISO Conversations: Insights and Expertise from Field CISOs at VMware Carbon Black and NetSPI
