
Researcher Spotlight: Hx01

Earning $100k in a year can be a life-changing experience for anyone. We know that an accomplishment of that level takes hard work, dedication, and ambition. Last year, Hx01 challenged himself to earn $100k in just one year on the Bugcrowd platform. Fast forward to July 2020 and BOOM! Challenge complete! We’re so proud of him! 

Most recently, he created a BurpSuite plugin that parses the Content-Transfer-Encoding of messages received through Burp Collaborator's SMTP interactions, for those who use Collaborator SMTP when conducting tests. You can check it out on his GitHub account here!

We sat down with Hx01 to talk about his bug bounty journey, his tips for staying motivated, and his next Bugcrowd milestone. Check it out below!

How did you get into Cybersecurity? How long have you been hunting?

As a kid, I was always into computers. Back when I was 12, I learned phishing on the internet & I set up a fake Facebook login page and forced my brother to enter his credentials. This was my first exposure to hacking. 

Fast forward to 2016. I read Orange Tsai’s writeup about a Remote Code Execution (RCE) vulnerability he found in Facebook & was awarded $10,000 for. This drove my interest in bug bounties. I started hunting in late 2016 & got my first bounty of $400 from an external program. I submitted my first bug (Stored XSS) on Bugcrowd in May of 2017, which was, unfortunately, a duplicate. After a streak of duplicates & N/As, I was demotivated to the point that I left bug hunting for two whole years. In July 2019, I started hunting on Bugcrowd again & received my first payout in August of 2019!

Why did you choose your Bugcrowd handle? Does it have any specific meaning?

My handle on Bugcrowd is @hx01; frankly, it doesn’t mean anything; it just popped into my mind.

Do you hunt full time? If not, why?

No, I do bug hunting part-time since I’m still in high school.

How much time do you spend hunting bugs?

It’s usually 10-15 hours a week; however, sometimes I binge on hacking if I think I’m onto something.

How do you set goals when you’re working on a program?

I either set a goal to earn over $10,000 in bounties or to score at least two P1s before moving to the next program.

What is the next challenge you’ve set for yourself?

It’s to earn over $500,000 on Bugcrowd before turning 21!

How have bug bounties impacted your life?

Bug bounties have had a tremendous impact on my life; they have helped me connect with other folks worldwide who share the same passion as mine. Moreover, they have genuinely helped me improve my hacking skills. Finally, they have given me a mission to chase in my life.

Do you have any favorite tools or resources you use? 

BurpSuite & Knockpy are the only publicly available tools I use most often. I’ve always admired albinowax’s and intidc’s research papers.

Here are some of the Youtube Channels I closely follow:

Nahamsec

StokFredrick

Hakluke 

Insiderphd

Do you have any simple tips that you use when you are hunting?

I spend the (first) whole day reading documentation & experiencing the target as an end user; this often helps in finding complex business logic vulnerabilities that other researchers usually overlook.

Do you have any advice for new hackers or people transitioning into bug bounty?

Persistence; they shouldn’t get demotivated by duplicates but consider them an indicator of success, since a duplicate is also a valid finding. If they’re encountering N/As, I’d suggest that they take a break from bug hunting and spend some time practicing vulnerability classes on hacking labs, i.e., PentesterLab.

When you aren’t hunting bugs, what do you do for hobbies/fun?

Playing games, hanging out with my friends, and watching Netflix.

Why do you hunt with Bugcrowd?

Bugcrowd has a solid triage team, and I feel that their SLA time is better than other platforms’. Moreover, their support team is accommodating! If your report is misinterpreted, the mishandling is usually resolved in ~2 days.

Follow Hx01 on Twitter @Hxzeroone to keep up with his bug hunting stories!

Stay tuned for more Researcher Spotlights. Want to join Caleb and be part of the Crowd? Join our Discord and sign up for a Researcher Account!


Breonna Burrell

Community Engagement Manager