With the recent launch of the Bugcrowd Ambassador program, we will be sharing stories from our global hacker community. This week we’re putting the spotlight on Arne Swinnen, a Bugcrowd Ambassador in Belgium.
Feel free to follow Arne on Twitter @arneswinnen
When Arne was around 12-years-old he became interested in computers and video games. He would constantly try to figure out ways to beat a game, leading him to automate elements that would help beat the computer opponent.
Early in Arne’s career he held an internship on Verizon’s pentesting team, which turned into a full-time role. Outside of work, Arne would read Reddit to find the latest tools and resources for pentesting, which is where he discovered bug bounties. His interest was piqued! In fact, in 2015, Arne took a week-long vacation just to hack on Instagram. He was hooked – the flexibility and freedom of bug bounties were a perfect fit.
A year later, Arne connected with Bugcrowd at Bsides SF and began to seriously consider taking his hunting full time. Come 2017, it’s now a full-blown career.
Learn more about Arne’s story in the full Q&A below.
How did you get into Cybersecurity?
- I studied Computer Science at my university KU Leuven, which had a specialization “Secure Software” at that time. To promote this specialization, they had a very welcoming Capture the Flag (CTF) team, which allowed students to easily get in touch with security. This is how security drew my attention. I graduated and worked for four years as a security consultant thereafter, mainly conducting penetration tests for clients in the financial and governmental sectors in Belgium and abroad. I got started with bug bounties in 2015, after reading yet another write-up of the Facebook bug bounty program on reddit.com/r/netsec. At first I only knew about Facebook’s program and had a good look at Instagram, which also allowed public disclosure of discovered issues on my personal blog as a nice perk (shameless plug: https://www.arneswinnen.net). Not much later I discovered all the various platforms that exist in the bug bounty ecosystem and made the transition from employee to full-time bug hunter.
How do you manage your personal life, work, and bug bounties?
- I’ve been doing bug bounties full-time for 2.5 years now, with a bit of freelance consulting on the side. The main merit of full-time bug hunting is the flexibility to work whenever you want, wherever you want. The main disadvantage is that your income is not stable, and waiting a long time on bounties can be stressful at times. I would strongly advise everyone considering hunting full-time to first build a decent financial buffer to get through the first months, which is how I re-invested my first bug bounty money from Facebook as well. After that, it has been super fun, challenging and rewarding at times for me personally.
What are a few of your favorite hacking/security tools? Why should others use those?
- My very first purchases with bounty money were a new laptop and an accompanying Burp Suite Pro license. I cannot stress enough how awesome Burp and their development team over at Portswigger are. I often find myself using a well-hidden Burp feature, an existing Burp plugin from the BApp store, or occasionally a self-written one to automate certain tasks which would otherwise take a multitude of time and be less intuitive. Apart from this I also use the typical recon tools such as Amass, Subfinder, Aquatone and the like.
What is a quick hacking tip or technique that you recommend?
- I absolutely love the Burp Collaborator Client, which allows you to generate a subdomain to catch and visualize any incoming DNS/HTTP(S)/SMTP requests immediately. It has helped me in so many blind injection cases, ranging from RCE, XXE, SSRF, and more. Apart from that, good old SQLmap is still an awesome tool which remains remarkably up to date and effective against blind SQL injection vulnerabilities. Finally, there are more and more ways to escalate SSRF vulnerabilities via cloud environment APIs such as AWS and Google’s metadata endpoints (see Jason Haddix’s list at https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b), the internal Kubernetes API (see CVE-2018-1002105), etc. I often use this to significantly increase the impact of an SSRF vulnerability.
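The answer above describes how an SSRF bug becomes high-impact once the vulnerable server can reach a cloud metadata endpoint. As an added, defender-side example (not Arne’s code and not part of the original post), the following outbound-URL guard shows what a server-side fetch feature can check before following a user-supplied URL. The function name `check_outbound_url`, the `FAKE_DNS` table and the hostnames in it are constructed for illustration; the blocked ranges are the standard loopback, private and link-local ranges, and 169.254.169.254 is the link-local address that the AWS and Google metadata services listen on (`metadata.google.internal` resolves to it on Google Cloud).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS table standing in for real resolution, so the example runs offline.
# "evil-rebind.test" models a public-looking name that resolves to an internal address.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],
    "evil-rebind.test": ["10.0.0.5"],
}

# Address ranges a server-side fetcher should never be allowed to reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",   # link-local, which includes the 169.254.169.254 metadata endpoint
    "0.0.0.0/8", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Names that are worth rejecting before any DNS lookup happens.
BLOCKED_HOSTNAMES = {"metadata.google.internal", "localhost"}


def _is_blocked_ip(ip):
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 literals such as ::ffff:169.254.169.254
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def fake_resolver(host):
    """Offline stand-in for DNS; raises like socket.getaddrinfo on unknown names."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed: no such host {host}")
    return list(FAKE_DNS[host])


def system_resolver(host):
    """Real resolution via the system resolver (not used by the offline demo)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url, resolver=system_resolver):
    """Return (allowed, reason, resolved_ips) for a user-supplied URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    host = host.lower().rstrip(".")
    if host in BLOCKED_HOSTNAMES:
        return False, "blocked hostname", []
    try:
        ipaddress.ip_address(host)   # host is already an IP literal
        ips = [host]
    except ValueError:
        try:
            ips = resolver(host)
        except OSError:
            return False, "resolution failed", []
    if not ips:
        return False, "no addresses", []
    # Every address the name resolves to must be acceptable, not just the first.
    for ip in ips:
        if _is_blocked_ip(ip):
            return False, f"resolves to blocked address {ip}", ips
    return True, "ok", ips


if __name__ == "__main__":
    for u in ("http://example.com/", "http://169.254.169.254/",
              "http://metadata.google.internal/", "http://evil-rebind.test/",
              "http://[::ffff:169.254.169.254]/", "file:///etc/passwd"):
        print(u, "->", check_outbound_url(u, fake_resolver))
```

Two caveats that the check alone does not cover: the fetcher must connect to the address it validated rather than resolving the name a second time (otherwise a short-TTL rebinding answer defeats the check), and it must re-run the check on every HTTP redirect, since a redirect to the metadata address is the common way around a one-time validation.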
What advice would you give to someone who is starting out as a beginner in bug bounties?
- I would highly recommend reading both The Web Application Hacker’s Handbook and Web Hacking 101. I still consider the former the WebAppSec bible. The latter is a compiled list of recent publicly disclosed bugs from which I personally learned a lot, beautifully curated by the famous Peter Yaworski himself.
How have bug bounties impacted your life?
- I’ve been able to manage my own work-life balance freely for the past 2.5 years since I became a full-time hunter. This has proven invaluable to me, certainly since I became a father.
What do you like to do in your free time, when you’re not doing bug bounties or working?
- I have a one-year-old son who certainly knows how to keep me busy when I’m not bug bounty hunting. Besides that, I enjoy watching the occasional soccer game and spending quality time with family & friends.
Thank you so much to Arne for his time and for his great contributions to the bug bounty community!
Interested in becoming an ambassador? Apply to become a Bugcrowd Ambassador today! If you have any questions, please send a Twitter direct message to @ChloeMessdaghi.