Niv is an OSCP Certified, Penetration Tester, family man, and avid bug hunter in his spare time. He’s been hunting on the Bugcrowd platform for the past 5 years, hunting on NGPT, Classic Pen Test, VDP, and Bug Bounty programs. He has recently published Bug Hunting Stories: Schneider Electric & the Andover Continuum Web.Client on CyberArk in which he details how he discovered three unknown vulnerabilities in the web.Client used to remote access into the Andover Continuum system. (We highly suggest reading his write-up on the disclosure!)
Based in Israel, Niv began his cybersecurity career as a consulting Penetration Tester in 2014, gaining experience with the various security methods employed by different industry sectors. In 2016, Niv became OSCP certified, joined the “Try Harder” club, and began hunting for vulnerabilities with Bugcrowd, motivated by the challenge, curiosity, and his experience as a penetration tester. Since 2019, Niv has been working as a Penetration Testing Engineer with CyberArk after determining it was time for him to take on a new challenge. He strives to find traditional and creative ways to break CyberArk products’ security and suggest robust solutions to fixing it.
How did you get into Cybersecurity and Bug Bounty?
Ever since I can remember, I’ve loved computers. Around the age of 13 years old, I became interested in the cybersecurity field. In the beginning, I experienced difficulties while trying to learn about web applications and their related vulnerabilities as I didn’t have any prior knowledge of web development, nor programming skills.
To practice and get some hands-on experience in the field, I registered to enigmagroup.org, which provides its members with legal and safe security resources where they can develop their pen-testing skills on various challenges provided. The website included many challenges that divided into various categories – basics, reconnaissance, spoofing, JavaScript, XSS, SQL injections, CSRF, Cracking, and much more exciting stuff. Without noticing, I fell in love with this field, and since then, I always knew that this is what I wanted to do in my life.
After serving in the IDF [Israel Defense Forces] for 3 years, I started to focus on my dream – working as a penetration tester.
How has Bug Bounty impacted your life?
Bug bounties have made a significant impact on me. It’s an additional source of income, and the best way to learn and be up-to-date with current technologies.
Why do you hunt with Bugcrowd?
After a few years on the Bugcrowd platform, I can say with complete confidence that the Bugcrowd platform is #1 because of the great team behind the scene. The Bugcrowd team is regularly trying to sharpen the platform by developing new features for the researchers and program owners. Moreover, they always listen to us, the researchers, to make Bugcrowd much better.
Do you have any favorite tools or resources?
In my opinion, the best resource to learn is the awesome researcher’ community. There are many blog posts and disclosed submissions that sometimes gives you an insight into other researchers’ mindsets.
My favorite tool is, of course, Burp Suite.
Do you follow any tips or tricks when hunting?
No matter which web application you are testing, you should always try to understand how a regular user works with the application, what interesting features the application offers, and of course, always read the documentation.
Do you have any advice for new hackers or people transitioning into bug bounty?
First of all, don’t use automated scanners; it’s generally not allowed and make a lot of “noise” for other researchers. Moreover, don’t spend your valuable time searching for obvious vulnerabilities. They’ll probably be marked as duplicates. Try to find unique vulnerabilities that involve out-of-the-box thinking.
How much time do you spend hunting bugs?
I don’t know how to estimate how much time I’ve spent on bug hunting. When hunting, my focus is to find interesting vulnerabilities, no matter how much time I need to invest in it. Usually, I hunt for vulnerabilities in the evenings on weekdays, and on the weekends, I can find myself awake till the next morning. (don’t try this at home )
When you aren’t hunting, what do you do for hobbies/fun?
As a parent of a 1-year-old daughter, there is no such thing as “free time.” When I have some spare time, I mostly binge TV shows – Some of the TV series I liked to watch are Breaking Bad, Bron/Broen, The Wire, Homeland. Besides, I like to hang out with my family and friends.
Follow Niv on twitter @restr1ct3d to keep up with his bug hunting stories!
Stay tuned for more Researcher Spotlights coming soon. Want to join Niv and be part of the Crowd? Join our Discord and sign up for a Researcher Account!
