From hobbyist to professional, Eduardo is passionate about hacking the world. Hailing from Chile, Eduardo joined HackerOne as @debsec in 2019 and has proven his expertise by diving deep into one program at a time. He is known for his professionalism and talent in both bug bounty and pentest programs and has found 90 vulnerabilities on HackerOne alone. When he’s not spending his time hacking away, you can find him picking up a guitar and practicing with his rock band. Read on to learn more about Eduardo’s secrets to program selection and the best way to choose your scope.
How did you come up with your HackerOne username?
I have been a Debian GNU/Linux user since 2000, with some contributions and participation in debian-security. With little imagination, I created my @debsec alias.
How did you discover hacking?
When I learned about hacking, it was something very different from what it is today. It was more focused on infrastructure. I did my engineering thesis in 2006 on security, talking about standards and scripts abusing public SNMP communities. Can you imagine having hacktivity in those times?
What motivates you to hack and why do you hack for good through bug bounties?
This is a lifestyle. When you find a fault, you generate adrenaline. Adrenaline is a vice, hacking is a vice, and now can we make a living from this? It’s great!
As a hacker in Latin America, what are the benefits of hacking through bug bounties?
High income. With dedication, you can obtain rewards that could only be obtained by being a CEO or entrepreneur.
What do you enjoy doing when you aren’t hacking?
I have a rock band in which I am a bass player. We are creating an album with strong influences from Primus, Mr. Bungle, among others. Also, I like life outdoors, traveling, and recently I discovered the adventure of traveling in a motorhome.
What makes a program an exciting target?
Wide scope, a good bounty table, clarity of its policy, and good team collaboration.
What keeps you engaged in a program?
The technology used, the response times, and the low possibility of duplicates.
What makes you lose interest in a program?
Programs with ambiguous policies, duplicate old reports, and slow response times.
Do you recommend hacking on multiple programs or focusing only on one and why?
There is a saying that I really like, “olives are eaten one at a time.” Clearly it will depend on your position on the programs. Personally, I prefer to know a scope in order to exploit the greatest number of high or critical findings. I am not looking for low hanging fruit.
What are the top three websites, blog posts, accounts, articles, or other resources you follow to learn new vulnerability trends?
What do you recommend new companies starting a bug bounty program should do?
To trust the bug hunters. Time is valuable for everyone, so define fair and clear policies without ambiguity.
How do you see the bug bounty space evolving over the next 5 years?
Undoubtedly the use of bug bounty platforms will become a staple over time; I would not be surprised if it appeared in a CIS control or security framework as a recommendation or obligation.
How important do you think collaboration is in bug bounties and what do you recommend hackers and platforms do about this?
It is a rising trend. The synergy generated is a low + low = critical reality. Hopefully more programs will allow collaboration in their programs.
Do you have a mentor or someone in the community who has inspired you? Don’t be shy, give a shout out!
Without a doubt, an inspiration is my great friend @_csal, who is a great security researcher, and worldwide hacker @fransrosen.
What educational hacking resources would you recommend to others?
- Hacker101 CTF
- Web Security Academy (PortSwigger)
- Web Hacking 101
- Hacktivity on HackerOne
What advice would you give to the next generation of hackers?
Study, practice, keep studying and practicing, then repeat it again.