Earning $100k in a year can be a life-changing experience for anyone. We know that an accomplishment of that level takes hard work, dedication, and ambition. Last year, Hx01 challenged himself to earn $100k in just one year on the Bugcrowd platform. Fast forward to July 2020 and BOOM! Challenge complete! We’re so proud of him!
Most recently, he created a BurpSuite plugin to parse Content-Transfer-Encoding for those who use Burp Collaborator SMTP for conducting tests. You can check it out on his GitHub account here!
We sat down with Hx01 to talk about his bug bounty journey, tips for staying motivated, and his next Bugcrowd milestone. Check it out below!
As a kid, I was always into computers. Back when I was 12, I learned phishing on the internet & I set up a fake Facebook login page and forced my brother to enter his credentials. This was my first exposure to hacking.
Fast forward to 2016. I read Orange Tsai’s writeup about a Remote Code Execution (RCE) vulnerability he found in Facebook & was awarded $10,000 for. This drove my interest in bug bounties. I started hunting in late 2016 & got my first bounty of $400 from an external program. I submitted my first bug (Stored XSS) on Bugcrowd in May of 2017, which was, unfortunately, a duplicate. After a streak of duplicates & N/As, I was demotivated to the point that I left bug hunting for two whole years. In July 2019, I started hunting on Bugcrowd again & received my first payout in August of 2019!
My handle on Bugcrowd is @hx01; frankly, it doesn’t mean anything; it just popped into my mind.
No, I do bug hunting part-time since I’m still in high school.
It’s usually 10-15 hours a week; however, sometimes I binge on hacking if I think I’m onto something.
I either set a goal to earn over $10,000 in bounties or at least score 2 P1s before moving to the next program.
It’s to earn over $500,000 on Bugcrowd before turning 21!
Bug bounties have had a tremendous impact on my life; they have helped me connect with other folks worldwide who share the same passion as mine. Moreover, they have genuinely helped me improve my hacking skills. Lastly, they have given me a mission to chase in my life.
BurpSuite & Knockpy are the only publicly available tools I use most often. I’ve always admired albinowax’s and Intidc’s research papers.
Here are some of the Youtube Channels I closely follow:
Nahamsec
StokFredrick
Hakluke
Insiderphd
I spend the whole first day reading documentation & experiencing the target as an end-user; this often helps in finding complex business logic vulnerabilities that other researchers usually overlook.
Persistence; they shouldn’t get demotivated by duplicates but should consider them an indicator of success, since a duplicate is also a valid finding. If they’re encountering N/As, I’d suggest that they take a break from bug hunting and spend some time practicing vulnerability classes on hacking labs, e.g., PentesterLab.
Playing games, hanging out with my friends, and watching Netflix.
Bugcrowd has a solid triage team, and I feel that their SLA time is better than other platforms’. Moreover, their support team is accommodating! If your report is misinterpreted, the mishandling is usually resolved in ~2 days.
Follow Hx01 on Twitter @Hxzeroone to keep up with his bug hunting stories!
Stay tuned for more Researcher Spotlights. Want to join Caleb and be part of the Crowd? Join our Discord and sign up for a Researcher Account!