As a third-year university student, Nguyen Tuan Anh, aka anhnt1337, began his career path with an internship. After graduating from university, he worked as an Application Security Engineer, then found his roots as a Senior Application Security Engineer at Viettel Cyber Security (Viettel Group) for 6 years. Currently, anhnt1337 does Red Team work both internally and externally for customers including governments, banks, and big enterprises. “I play bug bounty in my free time and this job had already changed my life.” Keep reading to learn all about the ongoing learner and hunter, anhnt1337.
What and/or who first sparked your interest in hacking?
“I learned about hacking when I was in high school. I wondered what hacking is. Then I spent more time learning about hacking. 10 years ago, as far as I know, was also the time when the Bugcrowd platform was born. I accumulate experience and knowledge every day and create for myself excitement, passion, curiosity, and conquering difficult hacking targets.”
How long have you been hunting?
“I’ve been into hacking for about 8 years, however, I started bug bounty hunting in the last year of 2019 in earnest when I graduated college. I have more time to study and learn. Although I knew and created an account on the bug bounty platform, I didn’t join and hunt before that. I wish I started bug bounty hunting sooner. When I was a student, I hacked really because of passion and to learn and practice skills.”
It’s never too late. Way to go for it! 😈
How did you get into the Cybersecurity space?
“My road to cybersecurity started with CTF competitions when I was a student. I participate and form a team to participate in CTF online and inter-university competitions for information security training every year. I learn from the experience of the brothers who went before me. Then I entered the internship at my company now and started the training process, diving into the job of Cybersecurity.”
Taking on new challenges is how we grow. Don’t let the fear of the unknown stop you from trying.
How have bug bounties impacted your life? Any favorite purchases? Paying off bills? Or, saving for the future?
“Truly bug bounty changed my life. Being persistent, and participating in bug bounty platforms and programs has given me a significant source of income to help support my family. I was able to pay off my parents’ debt, buy a house, buy a car for my family, and have investments and savings. The most special thing that bug bounty gives me is really quality community relationships. I got to know many famous hackers, bug bounty hunters in the world and many top hackers on the platforms. I became more known in the community and built my name. Collaborating on bug bounty is really cool and brings great value to us. I learned how other hackers hunt, know each person’s special skills and share about their food.”
This is amazing. Hard work always pays off. And, to see you continuously give to those around you is an inspiration.
Are you a part-time or full-time hacker? How much time do you spend hacking each week?
“Currently, I am earning bug bounty part time. My main job is still Red Team for my company. But with this job, I have more time and access to many technologies, commercial products, and techniques that bypass WAF. It helps me to recognize the technologies and products that companies and organizations often use in the world. When playing bug bounty I focus on recon and fuzzing the target’s assets.”
What has been your biggest challenge while hacking? How did you overcome it?
“For me, the hardest thing about bug bounty hunting is staying focused and persistent in not giving up on the target you choose. There are thousands of programs from companies and organizations across bug bounty platforms. And choosing a good program to focus on hunting is important. Participating in the hunt for too many programs will lead to distraction and not going deep into the infrastructure and learning the functionality of the applications of those programs. I have encountered this situation and hit a dead end when not getting good results. Choosing a target to hack is already hard, and to keep hacking on that target is even harder. Because there are not always security vulnerabilities in sight. It needs perseverance, and always keeping an eye on your target for any changes. Unless you can do automation and continuous monitoring.
“When I am stuck with these difficulties, I look to friends and colleagues to share and receive advice. Sometimes I take a break to regain my energy. Therefore, keeping positive energy is also very important to have a high concentration, and a comfortable mind when hunting. Sometimes it’s a bit of luck.”
We’re sending positive vibes to you and every hacker reading this. You got this! 💯
Any favorite tools or resources?
“I use Burp Suite as my main tool for pentest. Don’t rely too much on automated scanning tools, they can be useful on a case-by-case basis, but most will yield false positives and duplicates. Or for targets with strong WAF, using automatic scanning tools will get you blocked. I focus mainly on recon and manual testing. In addition, updating information about new vulnerabilities such as 1day, 0day is also very useful. If those vulnerabilities affect large numbers and are critical, I try to do research to reproduce these vulnerabilities as quickly as possible and do mass scans on the targets I have. Updating news, blogs from other researchers also gives you a lot of new knowledge. I highly recommend following these people on Twitter: @samwcyo, @Rhynorater, @Jhaddix, @fransrosen, @albinowax, @steventseeley, @rootxharsh, @infosec_au, @GodfatherOrwa, @NahamSec, who have contributed and shared a lot of technical exploit knowledge and bug bounty hunting methods.”
Do you have any advice for new hackers or people transitioning into bug bounty?
“3 years ago I was also a newbie to bug bounty. I started researching unique vulnerabilities that are not published on the internet, playing VDP bots to earn first points. From there you may receive invitations to some private programs. Focus on high-level and critical vulnerabilities, not on low-hanging fruit stuff. Because if you do things that many other people can do, like scan existing nuclei, you will have a very high duplicate rate or low impact vulnerabilities. Choose for yourself the best programs that respond quickly, pay quickly, and are fair to researchers. It is important that you keep your passion, keep actively hunting bug bounty, and try to interact with people in the bug bounty community more, create a good network and collaborate together. Always read the rules when hunting on the programs and keep the ethics of a professional hacker. What makes the difference between hackers comes from their hacking mindset. Everyone has a different mindset. You need to train a mindset about hacking, and think outside the box when hunting.”
That’s some excellent advice right there. 👆
What’s an important lesson that you wish you learned early on in your hacking career?
“Learn to automate, monitor the assets of your goals, and program your own tools. I have seen many successful people with automation who are top hackers on bug bounty platforms with auto subdomain takeover techniques, monitoring and very fast warning when a misconfig vulnerability appears over time or there are new domains created and changed. I think the inevitable trend of bug bounty is to automate things easily and quickly at scale. If you do this well you will have a passive source of money without much effort from bug bounty.”
How do you avoid burnout? How do you take care of yourself and your mental health?
“I and other hackers experienced this burnout when for a while there was no new report on the platform. That really stresses me out playing bug bounty. I consider myself a person who doesn’t take good care of myself when my lifestyle is not in moderation, I often have to stay up at night due to the difference in time zones. I often joke with my friends in the bug bounty community that when I wake up you go to sleep and when I go to sleep you wake up. Because most of the new private program invitations on Bugcrowd usually open between 18-19h UTC which corresponds to 1-2am in my time zone. There are nights when I sit up waiting for the program to open and hunt but it does not bring good results. At that time I really wanted to close the computer and go to sleep. Or there was a good program I had to stay up until morning trying to find the most bugs. Because with bug bounty you have to be the fastest or really good to compete with other hackers. Now I don’t stay up as much at night as I did when I first started playing and have a good source of bug bounty income, maintain a steady state so I don’t have a lot of burnout. I strongly advise bug bounty players to take care of their health. Health is the most important thing. If you suffer from burnout try to find something to entertain yourself, stop hunting and take a break like watching movies, traveling, jogging, or talking with friends.”
We agree. Take care of your health and your health will take care of you.
Where do you see your journey going from here? What are some goals you have for this year?
“Bug bounty is really a long and wonderful journey for me. I’ve had 3 years of ups and downs with bug bounty. Especially this year is a memorable and successful year for me. I got Live Hacking event invites from 2 big bug bounty platforms. There is a regret that I cannot attend these events in person to meet and interact with international friends and hack with them. I also gained more popularity and found myself great collaborators, and quality bug bounty programs from big companies that I was very excited to hunt. For me those are the goals I achieved with this year’s bug bounty. I was able to buy a house early and a car early with my bug bounty earnings, helping my family, my friends something I didn’t think I could do so soon when I first started playing bug bounty.”
Why do you hunt with Bugcrowd?
“Bugcrowd is my favorite platform and I spend most of my time hunting on corporate programs. I like the triage team with people who really leave an impression and respect like Tal, Timmy, Codingo and Vortex. I like the responsiveness, fast support for critical P1 vulnerabilities and quick interaction of the platform with customers, respect, fairness between the platform for professional hackers. In addition, I also spend time on some of my favorite programs on other platforms for large-scale searchable vulnerabilities with more scope of targets like other hackers to help maximize the income from bug bounty.”
Go Triage team! 🔥
What does your life look like outside of hacking?
“I don’t have many friends outside, most of them are colleagues in the cybersecurity industry. I just got married a few weeks ago and it’s a new life for me. I need to spend more time with my family. Sometimes I play games, watch movies and travel for more life experiences.”
Who is your hero?
“There are so many good people in the cybersecurity industry that I really admire their talent like my colleagues. But for me, the person who gives me the motivation to try to do a good job is my mother. My mother is a real hero in my eyes. My mother worked hard to raise me and send me to school like any other child. When I have difficulties, I often confide in my mother to explain and listen to her advice. She teaches me to do the right thing. My mother is my spiritual support. I want to say that I love my mother very much.”
Shoutout to your mother. 🧡
Feeling inspired? Us, too! Thanks, anhnt1337, for sharing everything about your journey from being on Red Team and hacking with Bugcrowd to your life outside of work! Keep up the good work out there.