This week’s Researcher Spotlight is on Mico! Mico ranks #5 on Bugcrowd’s leaderboard with over 1926 kudos points, 266 bugs found, a 91% acceptance rate and an average bug priority of 2.92. In a relatively short period of time we’ve seen Mico climb his way up the charts. Mico can be found on Bugcrowd and you can follow him on Twitter at @bugtest0101.


Take us back to your early days, what got you started with technology?

School! I know this may sound odd but it’s true. It was around 2009 when I first started using computers at school for research. It was around the same time when I first used the internet as well and fell in love with technology. By mid 2009 I bought my first laptop and started learning the basics. At first I thought I liked graphic design so I installed a copy of 3DS MAX and Photoshop, self-studied and became a 3D designer for a while.

How did you get started in security research?

The famous Sony hack back in Nov 2014 really made me curious about security. The idea of being able to impact the world at such scale using just a PC was very thrilling to me so I thought “why not?” give it a try. I did some research on how to become a security researcher and found that I need to know some programming first, so I learned HTML/CSS, JavaScript and some basic JQuery, then I bought the bible (Web Application Hacker’s Handbook) and read it front to back. This process took around 3 months. By early 2015 I felt like I was ready to test web applications, however, I had no clue about Bug Bounties and didn’t know where and how to test applications legally.

Jumping forward a bit, where do you hope to be two years from now?

At the moment I work as an IT Engineer but I really hope to slowly progress toward a Web Application Penetration Testing role.

How long have you been doing bug bounty work?

It was 01/29/2015 when I came across a blog that explained it is possible to sign up for Bug Bounty platforms like Bugcrowd and legally test applications. I was so happy to find out about Bugcrowd so I signed up immediately and reported my first bug on the same day, (It was a simple Open Redirection), however, I stopped for 9 months to attend some personal matters but became active again around October 2015.

Do you have a specific security focus or specialty that you tend to spend your time on?

I try to report whatever I find regardless of how severe it is as long as it’s within the scope of the Bounty. Stored XSS, IDOR and SQLi is what I find usually.

I download vulnerable VM’s and try to learn by PWNing them. (Fail almost all the time, so I resort to write-ups xD). I also try to look for bugs in Google at my spare time as well.


What motivates you to do what you do? What keeps you going?

What excites me is the process of learning, not the outcome. I feel participating in every Bug Bounty program teaches me a new thing and fuels my desire to keep going, plus, that moment when I get an email notification from Bugcrowd saying that your bug has been triaged feels very rewarding.

Any tips or suggestions that you would give to other bounty hunters?

Read vulnerability write-up’s from other researchers and try to learn from them. Download Vulnerable VM’s and test your skills against it. Use Google notification to get an email whenever the word “Bug Bounty” was used in a post on the web. Use twitter to connect to other researchers and follow them. It’s usually a great resource to find about vulnerabilities. Finally, share your knowledge when you come across fun bugs!

Where do you think bug bounties are going in the future?

I think that bug bounties will only get more popular. Enterprise companies will slowly learn that the only way to stay secure is to rely on the crowd power because of the diversity in skillset and mindset.