“Always try to learn for yourself and work for the greater good”, says Dipak Das, Security Researcher at SafeHats.
An interesting tête-à-tête with Dipak explains how bug bounties can motivate a researcher to work for the greater good and gain recognition.
1. When did you first get interested in Computers and Hacking?
When I joined my engineering course, frankly speaking, I was someone who could never see any relation between theory and practice. The most important thing missing was the real-time implementation, and eventually it led to a lowering of my interest in studies. In my second semester, I was the guy with five backlogs and people commenting that “this guy will never be able to achieve anything in his life”. Times were so bad that in my next semester, due to financial conditions, I couldn’t clear my dues and was not allowed to sit for a paper. It was during this time that I came in contact with a friend on Facebook named Pranav Venkat, who actually changed my mindset and made me move towards ethical hacking. With him as my friend I started reading books, blogs and writeups on the concept of bug bounty and realised that this was the way I could complete my education. The need for money to complete my studies connected me with hacking for the good, and slowly it became my passion.
2. What was your idea of hacking when you first started it?
The term hacking used to be associated with apprehension. For me, the idea of hacking initially was all about taking over Facebook, Gmail and Twitter accounts and getting a website’s database. I used to think that hackers are people trying to create havoc in cyberspace, but as I got acquainted with the actual concepts and aspects of ethical hacking, I realized how it can change the world for both good and bad. And the choice actually depends on each individual.
3. Did you learn hacking from a mentor or are you self-taught?
The Internet has been my biggest mentor. After Pranav, my next inspiration came from one of my college seniors, Rohan Birtia. I used to be surprised seeing his determination to work for the good and gain fame and recognition through reporting security loopholes, and so I followed his path of becoming a security researcher. With the help of social media and YouTube, I started exploring the basics of hacking and learnt everything that I know today.
4. Why do bug bounties and hacking fascinate you?
For a white-hat or freelance hacker, bug bounties are the best source of challenges, as they help one upskill in addition to gaining wealth, recognition and fame. They help you hone your existing skills and use your intelligence to find vulnerabilities. You can say bug bounty is a magnet for any kind of hacker. Above all, it helps build a persona for the white-hat hacker and also builds up a community of such talented and diverse security researchers from around the world in real time.
5. Who are your inspirations?
Frans Rosen, Ron Chan and Zseano are some of my biggest influences.
6. What is your personal goal?
I was barely 17 when I started playing around with online pentest tools and stumbled across an article about the Black Hat conference. Since that day, after reading about it, I have always aimed to attend and present at the Black Hat conferences. And I hope that the dream will come true soon.
7. What’s the one bug you’re most proud of yourself for finding?
I am proud of the first bug I found — a stored XSS in Zendesk. Although it was a very simple bug, it is special to me because the issue was initially closed as “Not Acceptable”, but then I worked out a good working PoC to escalate the self-XSS to stored XSS, and this became the stepping stone for my career. It gave me the confidence and motivation to pursue a career in the cybersecurity domain.
8. What kind of security vulnerabilities do you love to hunt?
I love finding logic bugs, IDOR (Insecure Direct Object Reference) and authentication bugs.
9. What is the biggest bounty you have received?
My highest bounty amount is $1500 in a private bug-bounty program, followed by $1000 from Pebble watches.
10. What advice would you give to budding security researchers?
I believe in constant self-learning. For all the budding researchers out there I would just like to say — always try to learn by yourself and keep yourself constantly updated with all the recent attack vectors. Use social media effectively and learn by following some good bug bounty hunters on Twitter like Frans Rosen, Ron Chan and Zseano. Connecting with and reading blog posts from the various hacker communities is essential for succeeding in this role. So finally I would just say: try to learn from every hack and use your skills for the greater good.
Like Dipak, many researchers are now helping organisations around the world find vulnerabilities through bug-bounty programs so that their systems can keep functioning securely and without disruption.