Maxim is an Offensive Security Certified Professional (OSCP), a Bugcrowd Triager by day and an excitable and innovative Hacker (@m-qt) by night. What’s the difference, you may ask? Well… mostly log-in credentials.
At just 21 years old, Maxim joined the Bugcrowd team in March of 2019 as an Application Security Engineer. Since then, he’s provided immense value to hundreds of customers and researchers alike, while working to make the internet a safer place!
In his free time, Max is working towards earning his Offensive Security Web Expert (OSWE) certification alongside his contributions as a moderator of a penetration testing lab called Wizard-Labs.
Max has partnered with Bugcrowd to launch an exclusive Capture the Flag challenge to celebrate the announcement of our next LevelUp Conference! If you’re interested in taking the challenge, click here!
How did you get into Cybersecurity? How long have you been hunting?
Computers have always been a passion of mine. My first job was working the IT help desk at a company of around 150 employees. As good luck would have it, they had recently overhauled their IT team, meaning that the only people on my team were two superiors and myself. One of my superiors was a wealth of knowledge and I was very blessed to have the opportunity to work with him. He guided me and I was exposed to a great number of various technologies at that job.
What brought you to Bugcrowd?
After leaving the help desk job, I wanted to take some time to relax and brush up on some skills, so I found bug bounties to be the perfect opportunity to do so. After spending time learning various web concepts, such as browser security & application misconfigurations, I started hunting from time to time.
When it came time for me to find a job, I saw that Bugcrowd had an opening available and felt it would be the perfect opportunity to build an even stronger foundation for my security knowledge.
What’s your favorite program to Triage on? Why?
It’s hard to have a favorite, but I’ve really enjoyed triaging on the Dell program. Dell Technologies has a wide-open scope, so you will see a lot of interesting stuff, and the Program Owners are very responsive and on top of things. They receive very interesting bugs, anything ranging from Open Redirects to Remote Code Execution via Deserialization.
I also enjoy working on one of our private hardware programs. I’ve gotten to see some very low-level bugs and esoteric bugs that you would’ve never imagined possible!
Do you have any favorite tools or resources to learn? Why?
I love playing CTFs to brush up on my skills. A lot of CTFs are built with heavy inspiration from real-life scenarios. Some CTFs are more like “puzzles” than others, and sometimes you have to use a very obscure payload due to certain quirks in the way the application is built. They are still great practice, as they build perseverance. They teach you how to do 99 things the wrong way, so you can do 1 thing the right way.
Do you have any simple tips that you use when you are hunting?
I look at hunting as a way to garner experience and knowledge. I don’t tend to measure my success by the number of bugs I’ve found or how much money I’ve made, but rather by what I’ve learned. There are times when you will go for a long dry streak not finding anything, or it seems like every single one of your bugs is a dupe. However, don’t forget that a lot of websites are built very similarly in the way technologies are used, coding habits, etc.
By spending the time doing Recon, you will come across rabbit holes. The next time you experience something similar, you will know how it works and whether or not it would be a good vector to explore!
When you aren’t hunting bugs, what do you do for hobbies/fun?
One of my hobbies is building vulnerable boxes for people to then test their skills by trying to hack into them. I like to build many varieties of boxes with cool attack vectors I’ve seen in the bug bounty world and blend them with concepts from network pentesting. Overall, the general theme is realism. Apart from computers, I’m an avid fan of MotoGP and F1 racing.
Do you have any advice for new hackers or people transitioning into bug bounty?
If you’ve never worked a job in IT, I would strongly recommend doing so. In order to break into something, you need to understand how it works. If you try to skip building the foundation, you’ll find yourself running in circles and being frustrated. While some IT positions are not the most glamorous, you will find that even the most minuscule details you learn will go far and may potentially help you score a bounty in the future.