Paolo Arnolfo, also known as sw33tLie, has always been fascinated by computers and software, but it wasn’t until three years ago that he discovered bug bounty platforms. This discovery changed his life, as he realized he could do what he loved full-time… hacking. It’s not often we get to combine passion and income, but Paolo made this dream a reality. Check out how below!
Tell us what you do for a living!
“I try to hack things and, when successful, I get paid for it. Sometimes that works, often it doesn’t…but, failure is part of the process, right? I also enjoy writing security-related tools, and have a few public ones on my GitHub profile.”
There’s no success without failure.
What sparked your interest in hacking?
“I have always been fascinated by computers and software in general. When I was younger I wanted to become a developer, but over time I realized I was more attracted by the security implications of writing code in certain ways. From there, hacking software made by some of the largest companies in the world felt like a great challenge, so I did just that.”
Way to step up to the challenge! 😎
How did you get into Cybersecurity? How long have you been hunting?
“I got seriously into cybersecurity when I realized bug bounty platforms were a thing, around 3 years ago: I wish I had started earlier! It felt great to figure out I could make money doing the things I loved.”
It’s never too late to start. If you’re thinking about getting into Bug Bounty, go for it!
How have bug bounties impacted your life?
“Quite frankly, bug bounties made my life a lot better on multiple levels. The most important thing is that they allowed me to get in touch and collaborate with many of the best hackers in the world. This was (and it still is!) a great opportunity to make new friends and learn new things, some of which you can’t just grasp by reading books or blog posts.”
Making us emotional over here.
Are you a part-time or full-time hacker? How much time do you spend hacking?
“I’m a full-time hacker, thus I spend most of my work time hacking. However, “hacking” doesn’t only mean directly attacking a target. It also means reading books, learning new things, writing code, and even randomly chatting with other hunters on Slack. Doing many different things helps not to get bored, and in this field, there are many options available!”
What has been your biggest challenge while hacking? How did you overcome it?
“There are many tough challenges to overcome when doing bug bounties, but one of the hardest ones for me is staying focused. That’s easy when you have a super cool bug you’re working on, but it becomes harder when it has been a while since the last time you had found something interesting. When that happens, I try to hack something else or, if needed, take a small break and come back to it later.”
See… 👀 Breaks are important. Make sure you give yourself time to rest and recharge.
Do you have any favorite tools or resources to learn? Why?
“I really like uncommon bugs. Bugs that you know the other side (triage) will enjoy reading and likely won’t be duplicates. Weird edge cases that nobody had deeply studied before. Any resource from people like James Kettle (@albinowax) or Frans Rosen is good material on that front.”
Save these #BugBountyTips. 👆📲
Do you have any advice for new hackers or people transitioning into bug bounty?
“Read a lot, be curious, and don’t forget to network with the right people! Also, when making the jump, don’t expect to make money from day one (or month one). Always have a backup plan during the transition.”
What’s an important lesson that you wish you learned early on in your hacking career?
“Quick dirty scripts can sometimes work just as well as well-written software. And often, that means saving a lot of time, which is a scarce resource. This has been difficult to accept but it’s one of these things that separates software engineering from bug bounty hunting: breaking stuff doesn’t have to be elegant!”
How do you avoid burnout? How do you take care of yourself and your mental health?
“Thankfully, I’m not one of those people that regularly suffer from burnout: in fact, I don’t think I can say I ever experienced a serious one. However, as I said before, I do lose focus and interest in hacking from time to time. I think the best way to overcome these challenges is to leverage the freedom that bug bounties give us and take breaks when needed: this is why it’s crucial to have some spare money to make that possible.”
Where do you see your journey going from here? What are some goals you have for this year?
“Finding more bugs is always the goal, but more specifically, I want to focus on my automation so that it can find unique behaviors that normal scanners miss. Time will tell if that works or not!”
Why do you hunt with Bugcrowd?
“Like most full-time hackers, I hunt on all major bug bounty platforms as a way to maximize the scope I’m legally allowed to hack. However, Bugcrowd is certainly the platform I enjoy most and where things go very smoothly most of the time. I love the crazy fast triage times for critical bugs, all the good things Bugcrowd does for researchers, and interacting with the people working there.”
We feel the same about you, sw33tLie, you’re awesome!
What does your life look like outside of hacking (family/hobbies)?
“I’m 21 and, apart from spending too many hours in front of a computer, I am not very different from my peers. In my free time, I enjoy playing the piano and hanging out with friends. Life outside hacking can often be interesting, especially when you get asked what you do for a living. Career advice: it seems there are many people out there that would love to hack somebody else’s Instagram account. Instead of the word “hacker”, use “security engineer”…it will help!”
Who is your hero? (hacking and/or life)
“Hero is a big word, but if there’s a person I truly admire in the field it has to be Guillermo Gregorio (@bsysop). I collaborate with him most of the time because it just works well for us, and trust my words, he’s crazy, in a good way. I sometimes ping him at the weirdest times, and he always replies quickly: I’m not sure if he even sleeps! bsysop always has your back. He truly is a good vibes guy and I’m sure everyone in the community agrees on this. Super recommended, but please, don’t steal my collab buddy too much! I feel I will regret these words…”
Bsysop, if you’re reading this, we also think you’re pretty cool. We love to see all of you researchers collaborating, as it will always improve your skills and possibly create long-lasting friendships.