Ninad is a cybersecurity enthusiast and ethical hacker based in India. He’s been participating in Bug Bounty programs since 2018, focusing on web-apps, mobile apps, APIs, source code analysis, network security vulnerability assessment, and Penetration Testing. He currently works as an Application Security Engineer at ArisGlobal and hunts part-time… for now. When he’s not hunting you can find him riding around on his Dominar400 motorcycle.
Are you looking to make bug hunting your career and don’t know what to do or where to start? If you want to be successful in this field, it’s not an easy path: you need to work at it.
Back in 2013, I was in high school and wondering if I would clear the IIT [Institute of Technology entrance exam in India]. Around this time, I started to gain an interest in hacking. It wasn’t easy to learn since I was living in a hostel. Having no access to laptops or desktop PCs, I spent many hours in internet cafes trying to learn how to hack.
I committed to start bug hunting and move into the cybersecurity domain. I started learning web development since I felt these basics were needed to be a strong hunter. I had heard about Bug Bounty but I didn’t have a single clue as to how it works. After A LOT of Googling, I learned the basics of bugs and tried to exploit them, repeating the process until I figured out how to do it. I began by working towards CEH (Certified Ethical Hacker) certification. I came across VIPs like OWASP and SANS who taught me a lot about bugs. After that, I did labs like bWAPP and WebGoat to kickstart my bounty hunting.
Finding bugs in real-world web applications is hard for a freshie, since most of the bugs I had learned about had already been reported by some elite hackers. But I didn’t give up; I realized that I wouldn’t succeed just by working hard, I needed to do smart work too. I started automating for recon steps and saw better results, quickly getting my first bounty. It was a moment I cannot begin to express, how happy I was to find a valid vulnerability after months of hard and smart work.
Bug Bounty helped me to clear a part of my education loan, get a motorcycle, and even earned me a trip to Amsterdam. After all this, my advice is that it takes time to be a successful bug hunter. But once you get into it, you will be on fire hunting bugs.
How have bug bounties impacted your life?
When I started bug bounty, my friends and I were going through a very delicate and anxious part of life where we were trying our best to secure our future. So when I started receiving the bounties for all the bugs that I hunted, it was a very motivating moment for all of us. As soon as I had enough bounties, the first thing that I bought was my dream bike. I was even able to start saving enough money to pay off my education loan.
Even working full time, bug bounty has allowed me to stay productive in my free time while adding to my knowledge. Not to mention the awesome cybersecurity community that I am a part of. It is extraordinary how everyone in the community has contributed to making this field fun for learning.
Why do you hunt with Bugcrowd?
I think that many hunters would agree that Bugcrowd is the most researcher-friendly platform. Every researcher is treated equally. Other than being a friendly platform, there is a large scope of opportunities for every security researcher out there.
Do you hunt full time?
Currently, I am not hunting full time. But it’s on my bucket list and I will soon move toward full-time hunting. Right now, I am more into freelancing projects in web app-sec, mobile app-sec and network security.
How much time do you spend hunting bugs?
On average, I can easily manage 20 hours per week for bug hunting.
Do you have any favorite tools or resources to learn?
Although you can use any tools available out there to start your hunting, I believe that creating and using your own methodology for hunting can be highly useful in the long run. However, if you ever need any help, I have made a mind map for web hacking resources and tools: https://www.mindmeister.com/1470766611/web-app-pentest
Do you have any simple tips that you use when you are hunting?
Bug Bounty is much easier and more productive if you keep yourself updated with the current security issues and try to automate as much as possible. Try to understand the workflow and logic of the application and then escalate the issue. For example, if you encounter XSS, you must escalate it to ATO (Account takeover).
Do you have any advice for new hackers or people transitioning into bug bounty?
Learn the art of searching on Google and Shodan. Have patience. Everything takes time. Focus more on understanding how the application is made, what programming languages are used, dependencies of the application, etc. Make hacking a passion and see the growth in yourself.
When you aren’t hunting bugs, what do you do for hobbies/fun?
Going on road trips, watching Netflix, and sharing knowledge by writing blogs.
Follow Ninad on Twitter @ninad_mathpati to keep up with his bug hunting journey!