Hacker Q&A with Samuel Eng, Singaporean hacker with HackerOne


What age did you start hacking? Do you have a favourite type of bug or a bug that you were most proud of? 

I started learning about hacking in my university years, around the age of 23. I love server-side vulnerabilities such as Server-Side Request Forgery (SSRF), Server-Side Template Injection (SSTI) or code injection bugs.

How did you learn to hack? 

Like most hackers, I am self-taught.

How do you keep up to date on the latest hacking techniques, tools and vulnerability types?

I did take a lot of certifications, such as Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE), and I read a lot of blogs, including Chinese, South Korean and Russian security blogs (I do not want to miss any information).

Do you remember when you found your first bug? What was the type of bug? How did it feel to find it? 

My first bounty on HackerOne was from Zomato. It was a SQL injection (SQLi) in a cookie. On Saturdays, I usually spend my time doing physical activities, but on that particular day, I was sick with the flu. Since I am a person who cannot sit still, I decided to start hacking (not advisable!). I decided to try weird stuff and started fuzzing weirdly named cookies. I was shocked that it actually worked. The moral of the story is that if you never try, you will never know! You can find my first report here!

What motivates you to hack for good?

I see hacking as a form of hobby. Plus, the feeling of accomplishment when a company replies with an appreciative message for the work that we do cannot be found elsewhere.

How did your friends and family react when you first told them that you wanted to be an ethical hacker? 

Actually, all of them think it’s a cool career path. Hacking today is different from the past, when hackers were traditionally portrayed as bad guys who only sought to destroy computer systems and take down anything that stood in their way. Nowadays, ethical hacking is gaining recognition as a viable career choice that is both niche and desirable.

Are there any hackers that you look up to?

If there was one, it would be @filedescriptor because his reports always require multiple reads to fully understand the attack chain!

What advice would you give to aspiring hackers?

Have an appetite for knowledge, or be hungry for more knowledge. Whenever one stumbles across an interesting topic, it is important to also dive deep and do deep work (30 hours) to fully understand the concepts before moving on.

What programs do you like to hack on the most?  Or, what type of program scopes do you like the most?

I’m not really good at recon. That is why I prefer programs which have a lot of unique features. Of course, a bigger program scope is awesome for hackers. A bigger program scope means more attack surface and of course more bounties.

Do you expect bug bounty adoption to increase? Why or why not?

Yes. Bug bounties are getting more and more popular in the cyber security industry, and they go hand in hand with penetration testing as a form of defense in depth.

How long (on average) do you spend your time hacking a day or per week? Would you consider yourself a full time or part time hacker? If you are a full time hacker, what are some of the pros and cons of being a full-time hacker?

When I hack, I hack for about 2 hours a day after work. On weekends, I only hack when I have a challenge on HackerOne. I do have a full-time job as a security engineer.

Any thoughts on how to attract more young professionals to the cybersecurity profession? 

I think it is important to market ethical hacking not only as a job that pays well but also a hobby that can be fun and meaningful.

What are your hopes for the cybersecurity landscape in Singapore? 

I think the Singapore Government certainly keeps up to date with the industry, as shown by its embrace of bug bounties alongside the usual compliance/pentest process. I hope more young students will join our industry and show that Singaporeans can do it too!

Do you think hacker-powered security (aka bug bounty programs) is becoming a widely accepted concept in Singapore? Why or why not?

Definitely. Many companies in Singapore are actually planning on having a bug bounty program, but there are also challenges such as budget, legal issues and the fear of change.

Do you think the perception of hackers is changing? Globally? And how about in Singapore? 

There is a positive perception of what it means to be a hacker, not only in Singapore but globally as well. As mentioned before, I always receive a positive response when I inform my friends and family that I am hacking as a career. Before bug bounty platforms came about, this was likely to be frowned upon. I think HackerOne has done an amazing job in showing the world that not all hackers are bad.

What are your thoughts on Singapore’s recently announced national initiative for 2020 to build professional cybersecurity talent within Singapore – such as the SG Cyber Talent initiative and the SG Cyber Olympians programme?

Again, the Singapore government has realised that there is a shortage of skilled cyber security talent, and I think this is a great move to train young talent in a more structured approach.
