Gal Nagli has been working as an AppSec Engineer for the past two years after finishing his mandatory military service at the C4I and Cyber Defense Directorate. Researcher Nagli first began his career at a small startup named Enso Security and later moved to a large corporation, Salesforce. Apart from his full-time job, Nagli has been engaging with bug bounties and developing automation to identify AppSec-based vulnerabilities at scale.
Nowadays, Nagli has started his own Application Security B2B startup named shockwave.cloud, which is in its early stages. The company is built on the automation and methodology Nagli has been researching throughout his bug bounty journey. Keep reading to stay inspired!
What sparked your interest in hacking?
“I was always interested and curious about the Hacking world, especially with Application Security and bug bounties because it doesn’t require any prerequisites to pick up a target and to start digging in to find vulnerabilities. It feels a little like ‘Super Powers’ to find critical severity with massive business impact on major corporations.”
Hackers 🧑💻 = Superheroes of the internet 🦸
How did you get into Cybersecurity? How long have you been hunting?
“I tried to study on and off in my childhood but wasn’t consistent. Since moving to my final role in the military I started picking up things more seriously, starting with an open source course at Stanford University named CS253 – Web Security. It’s pretty technical, but I liked going over the slides and 20 hours of videos as first glimpses into Application Security. I’ve been actively hunting for ~2.5 years now.”
Improving your skills is always important if you want to become a more technical hacker. Follow in Nagli’s footsteps and start learning. 👣
How have bug bounties impacted your life?
“I didn’t expect the bug bounty side gig to explode as it did. My automation has picked up pace, especially after the Log4J vulnerability craze, which helped me score some nice bounties. Mostly now I don’t worry financially because I save all my bug bounty earnings and live off my full-time job paychecks. Also, the opportunity to travel the world and meet new friends globally is fantastic – in 2022 alone I flew to 7 different bug bounty competitions across multiple continents – Dubai, Paris, Denver, Austin, Vegas, Singapore, Barcelona.”
Benefits of hacking: fulfilling a passion, making money, securing gaps, traveling to new places, and meeting new friends! What are you waiting for?!
Are you a part-time or a full-time hacker? How much time do you spend hacking?
“I still consider myself part-time, although it’s pretty much over my head every hour of the day, checking my Slack notifications for any new vulnerabilities that my automation has picked up – it’s also a big hobby for me, so I spend quite some time every day hacking.”
The best part of hacking is when you get to consider it a hobby and a job. 😍
What has been your biggest challenge while hacking? How did you overcome it?
“After doing pretty well in a certain month or quarter and seeing the leaderboards all square up to the starting point, it can be stressful and challenging to keep the same pace and consistency of finding bugs. When you have some ‘dry’ periods it can be mentally challenging. However, it’s good to keep yourself distracted with other activities such as the gym, hanging out with friends, Fifa, Netflix, and to remember that the whole ‘Gamification’ of bug bounties is just arbitrary numbers.”
We’ll see you in a Fifa match soon, Nagli. But, better watch out! Our defense is the best. 😉
Do you have any favorite tools or resources to learn? Why?
“Twitter feed all day long. I can spend hours just scrolling down the feeds checking for new techniques and keeping up with the latest additions in the Bug Bounty space.”
There are some excellent tips on Twitter, but remember to scroll with control.
Do you have any advice for new hackers or people transitioning into bug bounty?
“Pick up practical Udemy courses from instructors who have rich experience in bug bounty, who actually find bugs, and who are doing well themselves. Focus on a small set of bugs and try to execute them across many programs. Read write-ups and document everything online by typing (without copy-pasting).”
What’s an important lesson that you wish you learned early on in your hacking career?
“Always remember to surround yourself with like-minded people who share the same values as you. If you feel some friendships start to become toxic or money-driven, it’s probably better to let them go nicely rather than clinging to them.”
Read that again ^
How do you avoid burnout? How do you take care of yourself and your mental health?
“As I said earlier, mainly distractions that don’t involve me sitting in front of my computer : )”
Where do you see your journey going from here? What are some goals you have for this next year?
“Hopefully I’d love to continue with my consistency in finding impactful bugs and helping other companies close their security gaps, whether with my latest startup product offering or just occasionally through the platforms. Also, I hope to keep the same relationships I’ve created this last year with many people across the industry, whether it’s doing collaborations together, meeting up at Live Hacking Events, or just chatting a few times a week in Slack.”
You’ve done some amazing things already and we’re excited to see where you go next! Slack is also a good place to share your milestones, connect with others, and share educational resources. 💬
Why do you hunt with Bugcrowd?
“Bugcrowd staff are very open to feedback and researcher-friendly. The standout things for me when I hunt on Bugcrowd are without a doubt the excellent formula for triaging P1 issues in a matter of minutes, 1 day maximum, and the ‘Make it right fund’, which came in clutch for me on a few occasions and is very appreciated.”
What does your life look like outside of hacking?
“I like to travel the world, I’m a big fan of Arsenal in the Premier League (going to a couple of games every year), and I enjoy hanging out with friends playing video games. Also, since March I’ve started hitting the gym 4 times a week, which has become a routine for me – good for distraction and a healthy lifestyle : )”
Who is your hero?
“I don’t know whether to call it a ‘hero’, but I really admire Justin’s (Rhynorater) consistent work in finding bugs. He is one of the smartest hackers I’ve met and collaborated with – very consistent with his Live Hacking Events performances under high pressure, mostly for the fact that his bugs vary between Web, API, Mobile, IoT, Hardware, and his openness to chatting and collaborations!”
Keep inspiring other hackers, Rhynorater! 😎 Thank you, Nagli, for sharing your bug bounty journey and tips with all of us. We look forward to watching your startup business excel and know we’ll be cheering you on every step of the way!
Want to stay caught up with all things Bugcrowd? Follow us on Twitter and Instagram and don’t forget to join us on Discord! Are you ready to join the hunt? Sign up for a researcher account today and start hacking!