Back then, I would find the loopholes on my college website or even government websites and report them. Later, I decided to take up a career in application security. It’s not a 9-5 job and I am the owner of my time. There are a lot of platforms on the Internet, such as Synack, HackerOne, Bugcrowd, Cobalt and Intigriti, that pay for ethical hacking of their clients’ systems legally, and help them secure those systems. Then, there are companies that run independent programmes - including Google, Microsoft, Apple and Facebook - and pay for any vulnerability you detect in their infrastructure. While signing up for these, you have to follow some strict rules, the first of which is that you can only disclose the details of the vulnerabilities to the client, no one else. I enjoy breaking into programmes which have a large number of assets.

It increases the possibility of finding a critical bug. First, I start the automated tools to scan all the assets, and then start looking into the results for anything interesting. I focus on finding and reporting critical or high-severity issues. The next step is to send a detailed report to the client, whose security team then fixes the vulnerability. Later, I am free to disclose the report while maintaining the anonymity of the client. Once, I was working on the system of a top European bank.

I executed code remotely on one of their assets and got access to the data of all their customers! Due to the high security impact and critical nature of the vulnerability, it was fixed by the client within minutes.

The entire process from reporting to triaging to detecting vulnerabilities and fixing them and finally getting paid takes three-four days, going up to a week depending on the client. Being a hacker, you have to be really patient and at the top of your game. It can sometimes be a period of great anxiety for both parties. At times, it starts to affect your mental health. Given the high competition in the field, burnout is also quite common among hackers these days. Sometimes, you just fail to break into systems, and that causes frustration. In such a situation, collaborating with another hacker helps. The challenges aside, there are many perks of the job as well. Live Hacking Events (LHE) are my favourite.

You get invited to hack into a client’s infrastructure and live along with hackers from across the world, which also gives an insight into their minds. And of course, you get paid for each vulnerability that you report. I have been part of four-five such events hosted by Synack in Las Vegas (2016), Mexico (2017), Bali (2018), Costa Rica (2019) and Tokyo (2020). I have also been part of a Facebook and Google combined Live Hacking Event at Facebook’s HQ in Singapore. I have sometimes returned with interesting merchandise, like a Microsoft Surface Pro 4 with my name engraved on it, an Oculus VR headset, etc.