From Mumbai, India, @geekboy shares his story on how he became an ethical hacker, security analyst, and now co-founder of ProjectDiscovery – an open-source software company simplifying security operations for hackers and developers. Geekboy started his hacking journey in a small internet cafe; not to hack, but to game. A friend who frequented the cafe then exposed Geekboy to ethical hacking and the world of bug bounties. Since he didn’t come from a developer background, Geekboy leaned on the hacker community to learn more about hacking and, with his first bounty of $150, he purchased a hacker conference ticket to get even more exposure and grow his network. It’s been over 5 years since that first conference, and now Geekboy is well-known in the community, ranked 7th in the all-time HackerOne leaderboard with over 900 vulnerabilities found. Read more about his specific hacking tips and techniques in the interview below.
How did you come up with your HackerOne username?
I signed up with my first name as my HackerOne username at the start, and later, when I realized the need for privacy, I came up with “geekboy.” I like it, but nothing special or any reasoning behind it.
How did you discover hacking?
MAC spoofing. Back in the day when I got access to a desktop and internet connection, I learned that I could use other user’s internet connection by spoofing MAC addresses of other local users in our LAN.
What motivates you to hack and why do you hack for good through bug bounties?
I hack because I want to practice my skills and knowledge. If you don’t practice, you will forget about your learnings at some point. I hack because I want to live my independent life with all those bounties 🙂
What makes a program an exciting target?
Quick triage/bounty metrics and broader scope are parameters that make a target exciting for me, but it’s not common.
What keeps you engaged in a program and what makes you disengage?
I prefer to stick and engage with a program where the team is actively communicating about the process regardless of the result and being transparent with hackers.
How many programs do you focus on at once? Why?
A few of them at a time. I prefer to hack on selected programs for the longer term and, once completed, I move to other programs for the simple reason that the more you know about a target, the better you know where to look and hack once you spend adequate time on it.
How do you prioritize which vulnerability types to go after based on the program?
This depends on the program’s selection. If the program has a broader scope, I will start with recon and exploring assets with known vulnerabilities. I usually spend more time around API calls for specific applications looking for permission-related issues.
How do you keep up to date on the latest vulnerability trends?
Twitter and Github because the platforms are very useful. I use them as my primary resource to keep myself updated with the latest trends/exploits/vulnerabilities.
What do you wish every company knew before starting a bug bounty program?
- Set up a team to triage/fix the security issues on time.
- To run a successful bug bounty program, it’s essential to hear and build good relationships with hackers hacking on the programs.
- A data breach is not mandatory before starting a bug bounty program; be proactive.
How do you see the bug bounty space evolving over the next 5-10 years?
I see bug bounty getting more common in practice and moving in a direction where running a bug bounty program is standard for any company.
How do you see the future of collaboration on hacking platforms evolving?
I can say that collaboration in hacking is evolving in general. As far as the platform is concerned, there is room for more controls and features to enable collaboration and make it easier for hackers to adopt it.
What advice would you give to the next generation of hackers?
Spend your time wisely, learn specifics (one thing at a time), and don’t get distracted by others’ success/failures. Respect others and engage with the community.
What do you enjoy doing when you aren’t hacking?
Playing Chess, Counterstrike, outdoor sports, and roaming around the city with my friends. Apart from bug bounty that I’m NOT doing actively in recent times, I’m spending most of my time developing open source projects at https://github.com/projectdiscovery, which helps bug bounty hunters, security engineers, and the infosec community in general ease the security process pipeline.