Standoff 365 ambassadors

Q&A with the ambassador

How did you get into bug hunting?
I started working as a pentester in 2023—my first official job. About a month in, after the active projects wrapped up, someone suggested I try bug bounty. I was pretty skeptical at first. I figured if a company is big and well-known, their security must be rock solid. But I gave it a shot—and that's when it took off: a week later I found my first bug, then another a couple weeks after that, then a third, a fourth… before long I was at a hundred reports. That's how I ended up here.
What is the most memorable vulnerability you've discovered?
Not necessarily the coolest, but one of the first that comes to mind: an SSRF in a browser emulator that let me disclose employee personal data, locate a vulnerable host in the client's infrastructure, and take it over—basically a foothold for further attacks on the system.
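The class of bug in that answer, a service that fetches whatever URL a user hands it, is worth seeing in code. The block below is an added example, not the ambassador's code or any vendor's: it models a "render this URL" endpoint behind a headless browser, showing the scheme-only filter that an SSRF walks through next to a destination check that refuses loopback, link-local (cloud metadata), private and IPv4-mapped targets. Hostnames, addresses and the DNS table are constructed so it runs offline; the helper names are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example, not the ambassador's or any vendor's code. It models a
# "render this URL" endpoint (headless browser / screenshot bot): the naive
# scheme-only check beside a destination check that refuses internal targets.
# All hostnames, addresses and the DNS table below are constructed.

ALLOWED_SCHEMES = {"http", "https"}


def naive_is_safe(url: str) -> bool:
    """Scheme-only check: the kind of filter an SSRF walks straight through."""
    return urlparse(url).scheme in ALLOWED_SCHEMES


def is_public_address(addr: str) -> bool:
    """True if addr is a routable public IP (v4 or v6); internal ranges are rejected."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 must be judged as the IPv4 address it wraps.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host: str) -> list[str]:
    """Default resolver: every address the OS returns for host (needs network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def render_target_is_safe(url: str, resolver=system_resolver) -> bool:
    """Accept url only if it is http(s), carries no credentials, and every
    address its host resolves to is public. Any lookup failure is a refusal."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False                      # file://, gopher://, dict://, ...
    host = parsed.hostname
    if not host or parsed.username is not None or parsed.password is not None:
        return False                      # http://trusted@evil.example/ tricks
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal: no DNS needed
    except ValueError:
        try:
            addrs = resolver(host)
        except (socket.gaierror, OSError, ValueError):
            return False
    if not addrs:
        return False
    return all(is_public_address(a) for a in addrs)


# Constructed DNS table so the block and its checks run offline.
_DEMO_DNS = {
    "site.example": ["93.184.216.34"],
    "metadata.internal.example": ["169.254.169.254"],
    "rebind.attacker.example": ["93.184.216.34", "10.0.0.5"],
}


def demo_resolver(host: str) -> list[str]:
    """Offline stand-in for system_resolver, backed by the constructed table."""
    if host not in _DEMO_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return list(_DEMO_DNS[host])


if __name__ == "__main__":
    for url in ("https://site.example/page",
                "http://169.254.169.254/latest/meta-data/",
                "http://metadata.internal.example/",
                "http://[::ffff:127.0.0.1]:8080/admin",
                "file:///etc/passwd",
                "http://rebind.attacker.example/"):
        print(f"{url:48} naive={naive_is_safe(url)!s:5} "
              f"hardened={render_target_is_safe(url, demo_resolver)}")
```

Two caveats a practitioner would add: the check resolves the name once, but the browser resolves it again when it connects, so a rebinding DNS answer can still slip an internal address through; connect to the vetted IP (or route the browser through an egress proxy that applies the same rule) rather than trusting the name. Redirects are the other gap: every hop the browser follows has to pass the same check, not just the first URL.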
On average, how much time do you spend bug hunting each month?
These days, not that much—sometimes a couple hours a day, sometimes just a few hours a week. Early on I spent a lot more time because there were tons of knowledge gaps I needed to close.
What tools do you usually use for bug hunting?
All the classics: nmap, RustScan, dirsearch, ffuf, Nuclei, subfinder, dnsx, SQLMap, plus a bunch of scripts—and of course Burp Suite.