From full stack developer to full-time bug bounty hunter, Leandro — or @none_of_the_above — from Buenos Aires, Argentina has had an extensive technical career that has set him on a rapid rise on HackerOne. He joined in June 2018 and, after just three months, he found a phenomenal vulnerability in one of the main programs. Since then, he has submitted 272 vulnerabilities, completed 12 pentests, and sits on the HackerOne Hacker Advisory Board to help provide feedback and insights to the company. Read on to hear about his tips to succeed in both pentesting and bug bounties.
How did you come up with your HackerOne username?
I was invited to a Live Hacking Event and I just wanted something that looked cool on the leaderboard.
How did you discover hacking?
In my teens, fueled by my curiosity about hacking online games like MU Online, I joined some hacking-related IRC channels and forums. I met a lot of wonderful people online willing to share their knowledge. I continued with that “underground” profile through my teens, but as I grew up and responsibilities increased, the interest faded, and later on I became a web developer.
A few years later, a guy I knew who was working for a local cybersecurity company suggested that I send my resume to the company, which I did, and I started working as a Penetration Tester shortly after.
What motivates you to hack and why do you hack for good through bug bounties?
I’ve found that I’m super motivated when hacking becomes a challenge to find new or convoluted attack chains, things that take me a lot of time and effort to find. If I only find common issues like XSS or CSRF I quickly lose interest.
Regarding bug bounty in particular, hacking in BB programs is a nice way to complement my research, as I can test my tools and techniques against real-world targets and kill bugs in the process.
As a hacker in Latin America, what are the benefits of hacking through bug bounties?
If you get a job in infosec in Latin America, chances are you will end up doing boring stuff for a bank or a telecommunications company. There aren’t many companies focused on offensive security here, and most of them require a few years of experience even for entry-level jobs.
Bug bounty platforms have almost no entry barriers so they are a great way for hackers to build a professional career and hack interesting targets, wherever you are located.
What do you enjoy doing when you aren’t hacking?
Spending time with my family and friends. I like to take long breaks to visit family abroad.
What makes a program an exciting target?
When they go the extra mile to provide hackers with documentation, test accounts, and a communication channel with the dev team. I don’t enjoy black box testing much, so the more info I get from the program the more likely I’m going to hack on it.
What keeps you engaged in a program?
It’s usually when I find hidden gems that no one else has looked into. I can spend months in a program until I wipe all the bugs from that section of the scope. That way I can avoid duplicates, which for me are the main source of frustration when doing bug bounty.
What makes you lose interest in a program?
Recently I stopped hacking in a program because they started taking too long to pay and the communication got really bad. I value my time, and I expect programs to do the same. Luckily for hackers, h1 measures response metrics so hackers can avoid those programs.
Do you recommend hacking on multiple programs or focusing only on one and why?
It really depends on your skillset. Some people are really good with automation, and the broader the scope, the better. I’m good with manual assessment and I like to get lost in technical docs looking for stuff that looks off and focus on that. I need to go deep on a single feature to find high severity bugs and avoid duplicates.
Do you focus on only one vulnerability attack scenario or do you focus on multiple types of vulnerabilities when you hack on an asset?
I’m a little ashamed to admit it, but I’m a really disorganized person. If I start looking for a bug class and I see a feature that catches my attention, I get distracted and lose focus. I need to focus on one type of vulnerability at a time, and if I find something else while doing so I just write it down for later.
What are the top three websites, blog posts, accounts, articles, or other resources you follow to learn new vulnerability trends?
I visit Twitter every day to keep track of new research and techniques. I would recommend following these great researchers:
Nicolas Grégoire – @agarri_fr
James Kettle – @albinowax
Gareth Heyes – @garethheyes
What do you recommend new companies starting a bug bounty program should do?
I always recommend that companies run a penetration test first if they haven’t done so. This will help wipe most of the existing bugs from their codebase before running a bug bounty program. They should also have a mature process defined for internal triage and remediation.
How do you see the bug bounty space evolving over the next 5 years?
Bug bounty definitely won’t replace other types of assessments like penetration tests, but I’m pretty confident every large company will be running bug bounty programs by the end of this decade.
How important do you think collaboration is in bug bounties and what do you recommend hackers and platforms do about this?
Collaboration is key. My best findings have been, by far, the ones in which I got to collaborate with friends. Platforms should encourage this, either by implementing ways to invite whole teams to private bug bounty programs, or by allowing hackers to specify if they are open for collaboration.
Do you have a mentor or someone in the community, globally and locally, who has inspired you? Don’t be shy, give a shout out!
I want to give a shout out to Martin Gallo (@MartinGalloAr). He’s the guy I mentioned earlier who helped me get my first job in infosec. He’s a wonderful person, always eager to share his knowledge, and the first person I go to when I need advice.
What educational hacking resources would you recommend to others?
Books are undervalued in the bug bounty community. I always recommend going for the basics, “classic” books that will help you understand more advanced resources. Some examples are “The Tangled Web” by @icamtuf and “The Art of Software Security Assessment”.
If you had a magic wand and could change one thing on the HackerOne platform, what would it be?
I would add a messaging system to communicate with the program’s TPM and the customer.
What advice would you give to the next generation of hackers?
Currently, there is a growing demand for specialized professionals, so my advice for newcomers is to take advantage of the huge amount of resources that are available online and follow niche fields such as binary exploitation or cryptography.