Our success relies on the efforts of our expert ninja bughunters, and we like to profile them in order to get some tips, tricks and cool stories.
Today’s profile is on Manish Bhattacharya.
Check out his Bugcrowd profile here: https://bugcrowd.com/introvertmac
How did you get into bug hunting?
I was interested in hacking before I had a computer, back in high school. Then I got admission to my degree in computer science engineering and somehow bought a laptop.
They used to teach languages like C and C++, but I was more interested in web applications.
One day I was in the college library reading an article in some computer magazine which had a heading like “Rankmyhack.com Ranks Hackers on the Basis of Their Hacking.” I visited the site and saw that an Indian was at the top, Vaibhav Khatke, with his Facebook ID listed. I sent him a friend request. His profile was full of security stuff and I met my lost love! Now he is a software engineer. So that’s how I got into this stuff.
Truly speaking, bug hunting for me is a part-time job, not a hobby. I can make money in my free time (if I get lucky). I earn in dollars and spend in rupees, which gives me almost a 60 times profit. So I consider this my part-time job.
How long have you been hunting bugs?
I actually don’t remember, but my first Hall of Fame came from Microsoft in December 2012 for an XSS. After that I used to do hunting in my summer holidays. I was not a regular. But now that the Bugcrowd list has come along, it is quite handy, and I search for bugs on my weekends.
Technically I have been active in this field for a year, with some breaks in between. Now I am listed in more than fifteen halls of fame.
What’s the most memorable bug you’ve discovered?
Memorable!? I’ll go with Facebook – I had reported two clickjacking issues and was not sure whether they would pay for them or not. I thought $500 each max, but they gave me $5000 for them.
What do you like about bug bounties?
Bug bounties have changed my life. I got into engineering with an educational loan and was always tense about that. But now the amount I earned in the last 10 days is 3 times my father’s annual salary. I just can’t explain in words what these bounties mean to me.
And it is the same for my friend Arul Kumar, who got $14000 from Facebook… In Asian countries these amounts are life changing.
There are many bounties out there. If there was one thing you could suggest to improve the way bug bounties are run, what would it be?
The only thing I hate is that big companies like Yahoo are still not interested in bounties; bug hunters find and report very dangerous flaws, and what they get in return is a t-shirt 🙁
It must be disappointing, though it seems that Yahoo has just now made changes to their process. We’ll see how that changes things.
What is your methodology?
Most of the time I use OWASP black box testing, but if there is a bounty I use my own methodology. After all, a complex logical bug can make you rich.
Thank you Manish Bhattacharya for being interviewed for the blog! 😀