
Hey everyone, thanks a lot for having me today. This keynote is quite exciting for me; I've never given a keynote before, but I know that at BSides Ahmedabad there have been many excellent keynotes in the past, from Frans Rosén, Yen Hussein, Geekboy, and I'm excited today to join their ranks and hopefully pass on some knowledge that is quite useful to the crowd here today. So today I'm going to be talking about hacking on bug bounties for 10 years. It's been a long journey, I can't believe that it's been 10 years already, but today we're going to be going through the progression, the techniques and the learnings, and that's what the presentation is split up into, and hopefully you can take some stuff away from today.

I want to start off with a little bit about myself. I've been hacking on bug bounties for over 10 years. I'm the co-founder of Assetnote, which is the leading attack surface management platform, and I've won Most Valuable Hacker twice at HackerOne events and also won Most Valuable Hacker at Bugcrowd events as well. So I've been doing this for a long time, but I can assure you that I have very humble beginnings, and at the very beginning I was definitely not finding that many amazing things, and today I want to go into that as well.

So the first thing I want to talk about is how bug bounty has changed my life, and I think many people here will also resonate with this, because I think it has the opportunity to change anyone's life given enough dedication and time in this field. So I want to take a quick trip down memory lane to the beginning of this journey. 11 years ago, I remember dreaming that I would love to work in computer security. It never seemed like a reality; there wasn't much of an industry back then, 11 years ago, and my parents had immigrated to Australia with a lot of hardship, actually. My family is from Gujarat, I have a lot of family in Ahmedabad, I speak Gujarati, I'm from Gujarat itself. So my family had immigrated to Australia, and really there wasn't that much opportunity for me back then at all. I was working at a fast food restaurant, the equivalent of Burger King in Australia called Hungry Jack's, and I was just submitting bug bounties here and there because I had a deep passion for hacking, but I wasn't actually finding much success. I was usually told that my reports didn't actually have much of a security impact at all.

So what did my first bug bounty reports look like? Well, you can take a look at the screen: it's basically just output that I had taken from a scanner and submitted to a program. At the time, 11 years ago, 10 years ago, one of the first bug bounty programs was PayPal, and PayPal would just accept reports via email, and I would just send through these reports. I was 14 at the time, so there is still a little bit of embarrassment showing this to the crowd here today, but everyone starts somewhere, and I think it's very important to realize that and to understand that. So these reports had no security impact whatsoever, and as you can imagine, PayPal said, we're not quite interested
in these security reports, maybe try again, maybe find something with some more security impact. So in this response they basically said, look, this is interesting, but we can't really pay a bounty for this. And as time progressed, being 14, there was definitely a lot of cringe involved with this process. I started to try harder and harder to get bug bounties, even though my security reports didn't actually have much security impact at all. So you can see I've started to move into the red font and bold and all sorts of other techniques in my emails to try and get them to pay me a bounty. But ultimately my security reports didn't have that much impact. In this report I was reporting an admin panel, and it's cool that the admin panel is exposed, but it didn't necessarily have anything significant enough for them to pay a bounty. So again, there was no security impact, there was no bug bounty, and I guess I'm back at my fast food job working for $6.50 an hour. But I kept looking when I had the time, I kept looking for security vulnerabilities, kept working on this and kept being persistent in this process.

So this is the maximum cringe email that I have from 11 years ago, where inside the email itself I put in the words "very serious", bolded them, and literally made it like 40 point font. Now this is me 11 years ago really trying to get a bug bounty. I was failing consistently at getting bug bounties and I was sending in reports that were escalating in terms of the font size and the colors and things like that, but ultimately these reports did not get me the bug bounties I was looking for, and I really had to rethink what I was trying to do here, go back to the drawing board, and understand what I needed to learn to be successful in bug bounties. But yeah, this was probably my maximum cringe moment in bug bounties when I first started, and I just want to show you because everyone starts somewhere.

So yeah, I got paid for some bugs, right? I got paid for some issues that probably would never get paid out today. For example, there were some issues for SSL-related things, TLS-related things, that they paid 250 bucks for, whatever else, but that amount of money was monumental to me. Even making $250 from bug bounties was incredible, because as I mentioned earlier I was making like $6.50 an hour working at a fast food job, and even after working for eight months I had made just under $1,000, and that was hard, grueling work, I would say harder than
hacking, probably. But it wasn't until a year after that that I found my first critical vulnerability, and it was an SSRF vulnerability inside PayPal's Bill Me Later. The way that I found this was relatively simple: I was just Google dorking one day and I found this endpoint that let me pivot into the internal network of Bill Me Later. Now, just to clarify, on this slide all you're seeing is the flow of requests. There was a page on merchants.bat.com which let you access other internal sites on Bill Me Later, and it returned the full HTTP response after that request. So this was my first critical bug that I had submitted to the PayPal bug bounty, and this is something that frankly changed my life.

After submitting that first critical bug, that payout alone was enough for me to never show up at my fast food job ever again, and ever since that payout I've been heavily involved in bug bounties. It gave me the motivation to continue working on this for the last 11 years, and I needed this validation in order to really get into this field. So thanks to PayPal; at that time, that bug submission really did give me that validation. The thing that I learned from this initial endeavor into bug bounties was that persistence was key, and reporting issues consistently was also key to success in bug bounties.

So that brings me to the next thing, which is: what have I been up to for the last 10 years? This presentation is trying to recap the last 10 years, some of the things I've learned, some of the things that I've picked up. Ever since my first critical bounty, I've constantly been working on finding more critical bugs in this space, many different companies, many different industries; it's been quite exciting, and in order to do this I've had to pick up many skills along the way, from back when I was a 14-year-old to today. There are many different things that I've had to pick up in order to be successful, and this really did require the ability to plan out long-term goals with short-term execution, and I can talk a little bit more about that in a bit, and a little bit about the skills that I've had to pick up.

So the roadmap for everyone is going to be different, but for me, I spent a lot of time becoming good at engineering, reconnaissance, source code analysis and exploitation of web apps. Now, these were the things that I chose to focus on, but my advice to people is to focus on the things that you love and the things that you enjoy, because if you don't have passion for it and you don't enjoy it, then you may not have the energy and motivation to keep doing it for a long period of time. But as I said, I had to pick up these skills, and I realized, even when we built Assetnote, the company I co-founded, which is an attack surface management platform, that another thing that's very difficult is being a good engineer. I think that many hackers don't actually understand how difficult good engineering is, and shout out to all the amazing engineers out there, because it is quite a difficult thing to engineer something that's scalable, large, and works reliably. But it was important to have pragmatic visions about where I wanted to be, so I could prepare in the short term.

So this brings us to the first part of the presentation, which is the progression, and I'm just going to quickly go through some of the things that have happened in the last 10 years in my journey, and hopefully there's something that you can pick up from it that inspires you or maybe gives you an idea of what a progression might look like for yourself. So everyone starts somewhere. From 2012 to 2017, which is 5 years, as you saw earlier, my first few
bug bounty reports had very little impact and barely got paid, and I worked very hard to be accepted into the most prestigious university in Australia. My parents actually wanted me to be a pharmacist, and I told them no thank you, I want to break into computers, and that was quite interesting, because at every road of my journey I've had to battle with either my family or parents or whatever it may be, and not really battle, but more convince them that the direction that I'm taking is the right one for me. Anyway, even though I joined this university, I started working full-time in the information security industry as an intern. I was traveling 3 hours a day, every day, just to get to work, and basically working without any pay just to learn about the security industry. Ultimately, after being in the industry for a little bit of time, I decided to drop out of university. Now I'm not saying that this is the best option for everyone out there, but at the time, for me, I really found that the industry was something that excited me more, and I decided to drop out of university to pursue the industry.

After that I was working as a contractor for Atlassian, and I found a security vulnerability every day for the days I was employed, which was a personal goal that I set myself, and that was quite a successful goal that I was very happy that I achieved. I joined Ernst & Young after that, which is a Big Four consultancy, EY, and I got to learn a little bit more about corporate culture and how to navigate that sort of environment. And lastly, in 2015 I joined Bishop Fox, which is an amazing company, where I worked night shifts in Australia for a year and got to work with some amazing hackers there doing offensive security work.

But then in 2017 to 2018 I decided to go full-time on bug bounties. Now this might be something that people may consider doing here or anytime in the future; this is an interesting avenue to take. I did bug bounties full-time for a year. I literally moved halfway across the world to Kraków in Poland and did bug bounties for a year full-time. It can be stressful, but at the same time it can be quite rewarding: as long as you have a good backlog of bugs you're able to sustain your lifestyle. But as I was doing this, I had built the first few versions of Assetnote, the product that we now sell to enterprises, and I wasn't really successful at all. My parents wanted me to settle down and get a job at a big company like a Microsoft or a Google, but I used to keep telling them, no, this is going to work, this is going to work, please believe me, it's going to work out. So many people didn't really understand what I was doing when I first started building my product, but ultimately, with persistence, I found that there was success in that as well.

And from 2018 to 2023, for the last 5 years, I've been building Assetnote, and that's with my co-founder Michael Gianarakis. We launched the company, we rewrote the product, and we've had huge commercial success with it. We defined the attack surface management space, and we were one of the first in this space, pioneering the direction of the industry. So it's been quite exciting, and I guess my experience as a hacker has been quite important when it comes to running and building a company as well.

So now that I've gone through the progression, that's just a short summary of what the last 10 years have looked like for me. Now everyone's going to be different, everyone's going to have a different journey, but for me especially, I found that being a hacker, going into engineering, and going back into hacking has been quite an enlightening process, and as I mentioned earlier, learning how to be a good engineer I found to be very interesting and very humbling, coming as a hacker going into engineering. So that's my journey, and in my journey I've had to pick up a lot of things, things that I was mostly interested in, things that I was really excited about, things like source code analysis or security research or even just engineering, whatever it may be. And really the key differentiator, I think, in my journey, when assessing it, is that I was very, very passionate about everything I wanted to do. If there was something that I was excited by, I would spend weeks, months on that single area
just to become the best I could possibly be at it.

So I'm going to move on to some of the techniques. Today I want to talk about some techniques that are practical, and hopefully you can take something away from these: when you're doing some application security testing, you can look back at some of these techniques and think, hey, I saw this at this presentation, I might give it a go. So the first technique I'm going to be talking about is mainly looking at GraphQL and understanding GraphQL in a little bit more detail. When you normally look at GraphQL, most modern applications have introspection disabled. Introspection is a very useful feature of GraphQL that gives you back the schema. The schema is necessary in order for you to, well, it can be necessary for you to fully understand the attack surface of the GraphQL API. So this is an example of a GraphQL API that has disabled schema enumeration: it's just returning an error saying that introspection is disabled, you cannot get the schema. So how do we get past this? Well, there are three main ways that you can get past this. The first is looking for dev or staging subdomains, which sometimes have introspection enabled, and this has happened recently in a live hacking event that I did for Bugcrowd, where the dev subdomain had introspection enabled and you could get the entire schema, and it worked one-to-one with the production schema. The second is a tool called clairvoyancex. This is quite an amazing tool; it uses oracles to figure out whether or not there are certain queries or mutations inside the GraphQL schema. So you can just get this off GitHub and run it across any GraphQL API to see what mutations and queries exist, and then enumerate them further and find vulnerabilities in them. And the last one, which is underappreciated, is looking at the JavaScript and analyzing it to figure out what the queries and mutations are.

So I want to do a little bit of a case study with clairvoyancex. I work a lot with Frans Rosén on certain bug bounty programs, and we came across a certain program that had introspection disabled, so we used clairvoyancex to enumerate the schema. This was the command that I used here, a pretty basic command, and once we enumerated the schema we found a bunch of really weird internal GraphQL queries that were meant to be for administration purposes but somehow had been exposed inside the schema. These APIs allowed us to go from the name of a user to all of their personal information and sensitive information.

So how does clairvoyancex actually work? That's maybe a good thing to look into. Well, it basically sends a large number of guesses, and the API will respond with a large number of suggestions, if there is a suggestion. So it's just using an oracle to determine whether or not there is potentially a query or mutation in this GraphQL schema. You can see here it's sending a bunch of different English words, and in the response it's saying, we couldn't query this, did you mean this? So that's how this enumeration works. And in this example specifically, we found this query which let us search organizations based on a company name, and it would return a UUID. After doing that, we were able to combine this with another query that would return all the PII of the user. So you can see in this it's just doing the search orgs query, it's returning the UUID, and then there's a second query called search memberships which will then let you search all the memberships for a given UUID. So when you do this you can then ultimately get all of the membership data, and that includes all of the PII of the users. So at the end it looks something like this. I guess the reason I'm even highlighting
it today is because GraphQL, or APIs in general, are quite a hot topic right now, but a lot of people sometimes struggle with looking at these APIs. What I can say to you is that it's like any other API, and you just need to be able to enumerate the queries and mutations and understand how to build these in order to discover certain hidden things, or to enumerate them or test them further. And in this example we were able to go from just knowing the name of a company to searching all of the memberships and returning all the data within all these memberships. Now I will note that this example that I'm giving you is not just some small random company; this is a really, really big company, and this would have been millions, hundreds of millions of users.

At the end of the day, there are some additional GraphQL security techniques that I would recommend, which are looking into things like IDOR, SQLi, file disclosure, SSRF and RCE. These are all existing bug classes that may affect GraphQL APIs that you should also test for. And lastly, GraphQL allows batching, and I've written a blog post on this that you can follow through this bit.ly link, which lets you understand how batching works. But essentially, if there's an endpoint that lets you reset a password with a PIN, in GraphQL you can do batching via queries or via JSON, and that will let you send, let's say, 10,000 requests at once inside a single request through the batching mechanism. So that's another thing that you may want to look into, and I've written a blog post on that as well.

The second thing I want to quickly go through, and this is probably the hallmark of my success, is security research. Now a lot of people may be a bit confused by what security research actually means in this day and age, since it's such an ambiguous term, but at the end of the day, what I'm talking about is taking apart products and doing some research in order to find zero-day vulnerabilities. My opinion is that the real shadow IT is actually vendor software. On most of the attack surfaces that we analyze, most of the attack surfaces that our customers have, the thing that they really don't know about and really don't have control over is the vendor software that they deploy. And when I say vendor software, that might be any software manufacturer that provides an on-premise installation of their software, which this company then implements on their attack surface. So really, if you look at our blog posts, we've spent a lot of time finding zero-day vulnerabilities inside vendor software, and that's one of the things that we're most well known for, and honestly it's my opinion that this is the real shadow IT.

In security research, one of the hardest things is actually obtaining the software and setting up the software. Obtaining the software requires a lot of patience. I have a number of different techniques to do this: I look for it on GitHub, I look for it on Docker Hub, gists, vendor support portals, archived URLs, Fiverr, even freelancer websites, sales calls, Google dorking and many other ways. One of the tricky things with vendor software is that most companies don't want to give you the installation file without going through some sort of sales process, so you have to get kind of creative in order to find these files and in order to actually set up this software yourself, because you're going to need to do that in order to reverse engineer it and find the vulnerabilities within that software. Once you've got the software, it can be quite tricky even setting it up, and sometimes we joke that setting up the software is harder than hacking it. But yeah, I covered this more in my talk on how to do code review, which you can find at this link here.

When it comes to auditing the software in order to find these vulnerabilities, you have to spend a lot of time reverse engineering the source and finding, from sink to source or source to sink, what the vulnerabilities are. The number one thing that we do is map out the pre-authentication attack surface. I think for people interested in bug bounties, that is one of the most impactful things: to find things that are pre-authentication. But yeah, we end up auditing many different languages, protocols, systems, and as I mentioned earlier, I do have a link to some slides that I've done in the past which go over this in more detail. But essentially, the number one important thing to do when you have this software and source code is to map out all of the
different routes and understand what is pre-authentication versus post-authentication, and understand where any dangerous functionality may be living, so you can investigate further.

One of the other things that might be interesting to you from a bug bounty perspective is how you manage disclosure. This is something that we have often had to deal with during our work at Assetnote as well. If you find a zero-day vulnerability, you have to disclose it to the vendor first before you can use it on bug bounties. We do often use zero-day vulnerabilities in bug bounties, but this is only after we have established communication with the vendor and disclosed the issue to the vendor, and then we start using it within bug bounties. The typical guideline for this is what Project Zero follows, and also something that we follow as well, which is a 90-day disclosure deadline. That 90-day disclosure deadline is basically: if it doesn't get fixed within the 90 days, we will publish; if it gets fixed within whatever time period, we'll publish after the 30 days. So that's essentially the policy we follow. And once the bug has been disclosed to the vendor, it's your choice whether or not you want to wait for a patch and then report it to bug bounty programs, or report it immediately to bug bounty programs. This is something that's really your choice, as it is something that you found.

And lastly I want to talk about something that is important from an automation perspective, if any of you hackers here are trying to automate these vulnerabilities and find these vulnerabilities at scale: good research needs excellent capabilities. What I've got here is just a picture of a clownfish and an anemone, and it's about the security research team, but the capabilities built by the engineering team are really the key to this. So if you are building automation, it doesn't matter if you found the best zero-day in the whole world; in order to capitalize on it, you need to have really good capabilities in order to scale this out and be able to scan a very large number of things very efficiently and very accurately. So this is something that our research team relies on at Assetnote: we have an amazing engineering team that we spend a lot of time with in order to find these vulnerabilities at scale. So this is something that's important as well.

One of the things that many security researchers find is this graph here, where initially you start off with hope, you have no bugs, maybe a bug, the bug was a fake, and understanding the system leads to a real bug, but the bug is not even reachable in a default config. So this is something that happens all the time when you're doing security research, and you might have to spend weeks and weeks and weeks in order to find something that is exploitable in a default config or in a pre-authentication state.

I do want to drop a quick zero-day as well, which is an Office Web Apps full-read SSRF. This was reported to Microsoft, but they refused to issue a CVE, and I'm not even sure if it's patched in the latest version of Microsoft Office Web Apps Server. But essentially you can host the Python Flask script with the following, which basically is just a redirector, and you can have an HTTP request that looks something like this, which, while it's hitting an .xlsx file, is actually going to redirect to an arbitrary location. The only filtering that Microsoft was doing on this was confirming that the file ended with the extension .xlsx. So this leads to full SSRF. This is an undisclosed vulnerability, feel free to use it; I'm sure that there are many Office Web Apps servers out there that are vulnerable to this.

One of the other techniques that I quickly want to talk about today is finding viable SSRF candidates. Maybe people here have come across an SSRF vulnerability but haven't been sure how
they can exploit it or how they can prove impact. This is something that's often a tricky thing to do: often, when there's intended functionality to do some sort of link unfurling, or to preview things, or to do webhooks or whatever, you may struggle to prove that there's impact to the security teams at any company you're reporting to. So I want to recommend this tool that we created earlier this year. It's quite a basic tool, but it does the job; it's called surf. I've used it on several live hacking events and I've been pretty much shocked at how easy it is to escalate SSRF vulnerabilities through this tool. What it does is quite simple: it takes a list of assets, it sends a request to all of these assets from your internet connection, and it checks which assets are not responding in any way or form. The key here is that we're finding assets that have an external IP address that are not responding from your internet connection. We can obviously see all the internal assets as well through the DNS records, but what we're looking for is assets that have an external IP address that are not responding from your internet connection. And the reason why is that we have very complex cloud environments today. In these complex cloud environments there are all sorts of security group rules, there are all sorts of networks and firewalls that you may not know of, but in reality a lot of the SSRF filtering functionality in this day and age focuses on internal assets: it focuses on blocking internal IP ranges, it focuses on blocking internally facing assets, it's not usually focusing on the externally facing assets. So what this tool will do is return a list of assets that are external from an IP perspective but are not responding from your internet connection, and this has led to a lot of different vulnerabilities that I've found in the last few live hacking events, and led to really big payouts as well, where the security team had no idea that the SSRF let us access certain things that it shouldn't. So it doesn't have to be hard to prove impact on SSRF: you can basically use my tool, grab all the data from it, and then pipe it into your SSRF to see what comes back. So this is an example where we have the tool running on paypal-corp.com, and at the end it spits out all the IP addresses that are internal and external. You could then pipe that into Intruder, or you can pipe that into any of the other tools, to see whether or not your SSRF does lead to some level of security impact.

And yeah, here's an example. There was a target for one of the live hacking events where they had this functionality inside a knowledge base which basically scraped the websites that you had provided and returned data. With surf I found a bunch of externally facing IP addresses that weren't something that I could hit with my internet connection. I put them into this knowledge base thing, and essentially it crawled all the websites, and it led to me accessing internal tools of this organization that I really shouldn't have been able to access. So surf is something that's quite powerful when it comes to looking at externally facing assets that may be viable SSRF candidates. And yeah, segregating traffic in cloud environments is quite difficult, as any large organization will know. Cloud environments are quite tricky, and you may have different security groups and firewalls that these SSRF vulnerabilities can completely bypass.

And the last technique I want to go through today is about IIS. Now, I've talked a lot about IIS in my career; IIS is one of my favorite technologies to hack on, and the first thing I want to say is: don't skip the blue page. When you see the blue page, there's something there. Don't skip the blue page, please, there's something there. They don't just deploy IIS servers that are blank for no reason,
there's something there, you've got to find it. It can be difficult to find, I agree with you, but do not skip the blue page. That's probably one of the best pieces of advice I can give you: you've just got to keep working at it, do some more reconnaissance, and hopefully find what you need to find in that server.

So you may be asking, why should I love hacking IIS servers? Well, there are several reasons why you should love hacking IIS servers. You can get RCE quite easily through local file disclosure via ViewState. You can use local file disclosure to download all the DLL files inside the bin folder, to get all the source code. C# is a fun language to audit, it's quite easy, straightforward, it really cleanly decompiles. Shells can be dropped in various different formats: in web.config files, in XAML files, in ASP or ASPX files, many different formats. And IIS short names give you partial file names and folders. There are no other servers in this day and age that are as leaky as IIS compared to everything else; getting the partial file names and folders is quite phenomenal in my perspective. And the last thing is IIS directory-to-virtual-host routing. Now that's the one thing I'm going to cover today, because everything else in this slide has been covered in detail by other people in other conferences or in blog posts and things like that, but I believe that this last point has not been covered in detail, and I want to just go through it really quickly to kind of bring you all up to speed with something that I've been doing in the last few months when it comes to hacking IIS servers.

So what is IIS directory-to-virtual-host routing, how does it actually work? Well, it's quite simple: you have different virtual directories, different directories that are routed to different internal hosts. So you can see in this diagram here you have a directory called sso, or en-us, or admin, and they're all routed to different internal servers. Really, the number one fundamental flaw with this is due to directory traversal. What can happen is you can have something like /sso/..%2f and go to a specific endpoint that leaks all the credentials, for example. Now this is something that happened to me for a really large aviation company, and it led to many critical findings, where I was pivoting into a specific internal server and going back a directory and then accessing things that I shouldn't have been.

So what's actually happening behind the scenes? Well, behind the scenes, what's actually happening is, when you go to /sso, it's going to 10.1.1.1, and then it's going to the directory sso on 10.1.1.1. When you go to /sso/..%2ftools/monitor/config/settings, what's happening is it's going to 10.1.1.1 and it's traversing back one directory and then accessing things that you probably shouldn't be able to access. So this is a technique that I think isn't really spoken about much. Again, it's a secondary context technique, which is something that Sam Curry is quite famous for working on, but this is something that I've found on many servers that is quite interesting, and sometimes hard to enumerate from an external perspective, but once you find it, it can be quite impactful.

Now, with all the tech stuff aside, and I hope that some of it was valuable to you, I know that I've just run through it, I want to quickly go through some of the learnings that I've had in the last 10 years and wrap all of this up in a minute or two. The first thing is: be careful with who you collaborate with. I think this is very sound advice to give to people that are starting off in this industry. I wish everyone would treat you equally, but not everyone does, and I've written about this in the past: sometimes, even showing someone a vulnerability or technique, they'll assume that they have ownership over it, they can use it themselves, or whatever it may be. So you have to be quite careful about who you share stuff with; you have to build a group of trusted friends and networks that you can trust and you can work with. So when collaborating with others, also be upfront with what your terms are and what your conditions are, if you want an equal payout or if you want more, whatever it may be. Before you even share any information you should be quite upfront with what you want from this. In my opinion, equal splits are the best way to do bug bounties; I tend not to do any bug bounties that aren't equal splits. With respect to everyone's
times and time and effort and the next advice I have is build real relationships I think that one of the things I've learned in the last 10 years is you're you're only as powerful as your network and relationships and these relationships are they go much Beyond just the bug Bounty aspect they are people that today I'm you know happy to call some of my best friends in this industry um the people that I collaborate with are also people that I have deep connections with Beyond just the bug Bounty space we take care of each other we talk to each other we always look out for each other so that's something that's quite important one of the other things that I
think is quite important is hack because you love it not because of any other reason you know ground your roots and your passion it's what's going to keep you going at the end of the day um if you follow your curiosity and you enjoy your time hacking you will naturally be led to amazing places and in the community and in bug bounties if the reason um your hacking is due to your passion um you won't experience much burnout to be completely honest uh you might have some down periods you might have some time that you won't be able to work on things but at the end of the day you'll get back up and you'll
keep working on what you love and that's my opinion especially on this in this field if you love what you're doing you're going to enjoy it a lot more and you're going to be able to last a lot longer so hack because you love it and um you know sometimes it's not always a profitable Venture sometimes security research is not just about making money it's about the Curiosity and what you're interested in so surround yourself with people that love hacking as well next one is pick your Niche so one of the things that you can be quite powerful at in this space is there's so much space for us there's so many niches for us if you find something that's very
specific that you're very good at you have a likelihood of doing so much better than other people um so you know there are many opportunities uh and becoming very good at something is quite amazing as you've seen in the last you know few years the web 3 space has been really taking off and there are many people in the web 3 space that have amazing talent there but similarly in application security there's all sorts of different areas that you can become very talented in whether that's going to be web application security internal testing or you know apis or source code review or whatever it may be if you find something that you really enjoy if you
pick that Niche and you study it and you become really good at it then you have a great chance at you know competing in this bug Bounty world and yeah uh I know this is kind of cliche but follow your heart don't let any anyone stop you I mean in the last 10 years I think a constant theme in my career has been people telling me that I should be doing something or I shouldn't be doing something but every time that this has happened I've just kind of decided to follow what I thought my best opportunities were or what I really wanted to do and if someone says to you I don't think that idea is great but you
think it's great then I think you should still go ahead and try it as much as you can it's not really their fault I think everyone you don't need to convince everyone um as long as you yourself think it's the right thing to do I think you should do it and yeah at the end of the day do what you want to do it's you know better than doing nothing and everyone's journey is different I'm not saying that you know what I've experienced in the last 10 years will be the same for you but it's certainly something that I wanted to share in this keynote with you guys as well and lastly uh probably the most
important thing uh is to take care of your mental health uh bug bounties are brutal you're going to have many days where you spend days weeks where you make nothing at all and at the end of the day it needs you need to be kind to yourself and you need to take care of your mental health you should get a good sleep uh work with your work on your mental health constantly and introspect and solve problems your skills will be Amplified if your mental health is in a good state so that's that's the last tip that I have for you and I guess in this last 10 years uh the one thing that I just kind of reflect through is all of
the highlights that I've had these last 10 years uh we founded asset node in 2018 uh which is the initial team that we had in a apartment in Brisbane with the United miles that I made I traveled the world went to Taiwan went to Tokyo and in 20 well in uh 2019 we found an RC in zoom in a Singapore live hacking event with the team at asset node and uh in 2021 we uh presented on Kite Runner which is an API security scanning solution anyways that's all for today thank you all for having me for the keynote I hope this was informative and uh adds a bit of value are there any questions
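An added example, not part of the talk, that models the IIS directory-to-virtual-host routing flaw described earlier: a front end that prefix-matches the still-encoded request path forwards `/sso/..%2ftools/monitor/config/settings` to the host behind `/sso`, and that host decodes and normalises the path to `/tools/monitor/config/settings`, outside the virtual directory. The route table, the hosts 10.1.1.2 and 10.1.1.3, the `route_*` and `traversal_probes` helpers and the decode-then-normalise backend behaviour are all constructed for illustration (the talk only names the directories sso, en-us and admin and the host 10.1.1.1); a hardened router that routes on the canonical path is shown beside the vulnerable one.

```python
# Added example (not from the talk): toy model of a front end that routes virtual
# directories to internal hosts, the secondary-context traversal through it, and
# a hardened variant. Hosts, route table and target path are constructed.
import posixpath
from urllib.parse import unquote

# Virtual directory prefix -> internal host (constructed to mirror the slide).
ROUTES = {
    "/sso": "10.1.1.1",
    "/en-us": "10.1.1.2",
    "/admin": "10.1.1.3",
}


def match_prefix(path):
    """Return (prefix, host) for the virtual directory covering `path`, or None."""
    for prefix, host in ROUTES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return prefix, host
    return None


def backend_resolve(raw_path):
    """What the internal host sees (assumed behaviour): it percent-decodes the path
    and collapses dot segments, so '/sso/..%2ftools/x' becomes '/tools/x'."""
    return posixpath.normpath(unquote(raw_path))


def route_vulnerable(raw_path):
    """Front end that prefix-matches the raw, still-encoded path (the flaw).
    Returns (host, backend_path), or (None, None) when nothing matches."""
    hit = match_prefix(raw_path)
    if hit is None:
        return None, None
    _, host = hit
    return host, backend_resolve(raw_path)


def route_hardened(raw_path):
    """Front end that decodes and normalises first and routes on the canonical
    path, so the directory it matches is the directory the backend resolves."""
    resolved = backend_resolve(raw_path)
    hit = match_prefix(resolved)
    if hit is None:
        return None, None
    _, host = hit
    return host, resolved


def escapes_virtual_directory(raw_path):
    """True when the vulnerable front end forwards a request to a backend path
    outside the virtual directory it matched: the traversal the talk describes."""
    hit = match_prefix(raw_path)
    if hit is None:
        return False
    prefix, _ = hit
    resolved = backend_resolve(raw_path)
    return not (resolved == prefix or resolved.startswith(prefix + "/"))


def traversal_probes(target):
    """One '..%2f' probe per known virtual directory for a backend path you want
    to reach outside it, e.g. the talk's /tools/monitor/config/settings."""
    target = target.lstrip("/")
    return [f"{prefix}/..%2f{target}" for prefix in ROUTES]


if __name__ == "__main__":
    for probe in traversal_probes("/tools/monitor/config/settings"):
        print(probe)
        print("  vulnerable ->", route_vulnerable(probe),
              "escapes:", escapes_virtual_directory(probe))
        print("  hardened   ->", route_hardened(probe))
```

When probing a real target, compare the response for `/sso/..%2f<path>` against `/<path>` requested directly on the external host: a page that exists only through the prefixed form is being served by the internal host behind that virtual directory, which is the signal that the router and the backend disagree about which directory the request belongs to.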