
SecurityTrails Blog · Apr 06 · by Sara Jelen

Mentoring the Upcoming Generation of Bug Bounty Hunters with Hakluke


We are in a time where global economies are screeching to a halt while cybercrime is not resting. With cybercrime predicted to inflict damages totaling $6 trillion in 2021, its rise has outraced traditional security teams and methodologies, making it harder to detect, mitigate, and resolve an escalating number of threats.

A new generation of hackers is blooming to rival the rising cybercrime forces. Once thought of as an unconventional, even underground, hobby, ethical hacking and bug bounty hunting has since become a popular movement. Bug bounty hunters and hackers are not just helping organizations face unknown challenges in the current threat landscape and making the internet safer for everyone. Now they have the opportunity to make a sustainable living out of it.

Providing resources, mentorship, and support is crucial to gaining trust and building relationships with the next generation of security researchers, bug bounty hunters, and professionals. Who better to fill that role than experienced, creative, and even entertaining role models?

Luke Stephens, better known as Hakluke, is the Manager of Training and Quality Assurance at Bugcrowd. But he started on the other side, as a hunter. Luke is well known and loved in the infosec community he has been a part of for years. Ethical hackers are a curious bunch, and Luke has been curating and creating content to feed that curiosity with educational cybersecurity and self-development blog posts, talks, videos, podcasts, and hacking tools. Whether on Twitter, TikTok, his blog, or his YouTube channel, encouraging and directing new generations of hackers is at the forefront of Luke’s positive online presence.

As part of the Bug Bounty Hunting Month, Luke released haktrails, a Golang client for querying SecurityTrails API data, making it easier to access information directly from the CLI. We were excited to (virtually) sit down with Luke in the tropical oasis of Sunshine Coast, where he recently moved, and find out about his story, how he got into cybersecurity (hint: Matrix was the culprit), the importance of fostering keen minds in the industry, the right hacker mindset, interesting tidbits from his work with Bugcrowd, and much more.


SecurityTrails: You help many bug bounty hunters and aspiring ones with your content and selflessly shared tips, tricks and just about anything on how to succeed. But what did your start in bug bounty hunting look like? What sparked your interest enough to start?

Luke Stephens: I think landing in bug bounties was the result of natural tendencies and personality traits, combined with a few formative events in my life. To give a brief history, I was born with a natural obsession with knowing how things worked under the hood. I gravitated towards computers at a young age, and my interest in hacking was piqued at 8 when I saw The Matrix at a friend’s birthday party. At that time, there were basically no resources to learn hacking, at least that I could find.

At some point, when I was probably about 12, I managed to convince my parents to buy me a book called Hacking Exposed, which detailed some hacking fundamentals. Despite having very little knowledge, I somehow found my way into some computer systems that I shouldn’t have. I made my first responsible disclosure to my school’s IT staff. As I approached the end of my schooling, I started up a couple of small online businesses for content creation and web development. My clients were mostly my friends or acquaintances, but it gave me an entrepreneurial spirit. I landed a job straight out of school doing high-level tech support, installations, and code customizations with a company that developed webmail products. I learned a lot about PHP, Linux, and systems administration.


After two years working on a computer science degree, I dropped out and started working as a full-time web developer for a few different businesses, but my interest in hacking never subsided. I completed my OSCP and eventually landed a job at a pentesting firm. I did pentesting for a couple of years while also getting involved in the infosec community and heard about bug bounties during this time. It was an exciting prospect to work after hours and earn some extra cash for hacking. I started spending a lot of time doing bug bounties and realized I got a lot more enjoyment doing this than pentesting.

I now work for Bugcrowd as an actual employee, and I also do some hunting on the side when I feel like it!

ST: How did starting your career off in pentesting and then transitioning to bug bounty hunting go? Do you think it would’ve been easier if it was the other way around?

Luke: Coming from pentesting, I was used to easily finding bugs as the targets are often fresh. Moving to bug bounty targets was more challenging and required me to alter my whole methodology. As a pentester, you are paid for your time, while as a bug bounty hunter, you are paid for impact. This difference is more than surface level - it changes the whole game. To find bugs, I needed to alter my hacking style significantly.

Even so, I don’t think it would have been easier the other way around because pentesting gave me confidence in my abilities and a solid foundation of hacking knowledge.


ST: How does your pentesting methodology differ from your bug bounty hunting one?

Luke: As a pentester, my goal is to follow a methodology to provide coverage and assurance. As a bug bounty hunter, my goal is creativity. I am always trying to discover unique methods and edge cases to exploit and uncover things that others have not.

ST: You create educational, insightful, and impactful content on many different channels for bug bounty hunters, but what type of content had the biggest impact on sharpening your bug hunting skills?

Luke: I consume a lot of content, but I try to curate what I ingest heavily. I’m a huge fan of content that provides either actionable value or mental models. Mental models are important because they provide a framework for building new ideas from, while actionable value is also important because it is practical advice that can instantly improve me.

Below are some of my favorite content sources:

Newsletters

  • Daniel Miessler’s Unsupervised Learning newsletter
  • Securibee’s Hive Five newsletter

Training platforms

  • Pentesterlab
  • Portswigger Web Security Academy
  • Hackthebox

Blogs

  • Portswigger
  • Orange Tsai
  • Assetnote
  • Sam Curry

YouTube Channels

  • STOK’s YouTube videos
  • Ippsec’s YouTube videos
  • Codingo’s YouTube videos
  • LiveOverflow’s YouTube videos
  • Nahamsec’s Recon Sundays

ST: You have a pretty exciting job going through bug bounty submissions at Bugcrowd! What are some of the most jaw-dropping bugs you validated?

Luke: I can’t delve into specifics, but the most interesting bugs are always the ones that affect widely used technologies. For example, when James Kettle dropped his research on cache poisoning. With the advent of internet-connected IoT devices, such as industrial devices, cameras, fridges, cars, or security systems, we will occasionally see jaw-dropping bugs just because the impact of exploiting them would be catastrophic in a very real, physical sense.


ST: What are some of the bugs and hacking techniques you’ve seen a lot of submissions for lately, and what bugs do you predict we will be seeing more of in 2021?

Luke: Like all other years, I expect the security research community to drop some amazing research and novel attacks, though I couldn’t tell you what they will be! Mostly, I think it will be more of the same. The most common bugs are consistently sensitive data exposure, XSS, DNS misconfigurations, IDOR, and authentication bypasses.

With more people working from home due to COVID-19, cyber adversaries now have a significantly larger attack surface. Suddenly, a kid’s PlayStation is on the same network as a corporate laptop. Companies were forced into rushed solutions, such as video conferencing, VPNs, and chat applications, to enable their staff to work from home. For the most part, when solutions are rushed, security is not a priority.

ST: What are some must-have tools in your bug bounty hunting toolkit?

  • Burp Suite
  • Ffuf
  • Nmap
  • All the Project Discovery tools
  • All of Tomnomnom’s tools
  • SQLMap
  • Linux text manipulation utilities (sed, awk, grep)
  • GNU parallel / interlace
  • Notion / Obsidian
  • Vim

ST: We hear a lot about technical skills and requirements for those wanting to enter bug bounty hunting, but what kind of mindset is needed to take the plunge and start hunting?

Luke: When you first start, it’s easy to feel discouraged. The ultimate mindset for starting bug bounties is:

  • A “just do it” attitude. I see too many people making lists, planning, asking others what they should learn, but never actually executing it. The most important thing is starting.
  • Inquisitive, a desire to know how things work under the hood.
  • Creativity to stand out from the crowd.
  • Persistence. Albert Einstein once said, “It’s not that I’m so smart, it’s just that I stay with problems longer.” This definitely applies to bug bounties. It’s more advantageous to be persistent than a genius.

ST: If you could give only one piece of advice for being successful in bug bounty hunting, what would it be?

Luke: Learn everything, don’t assume anything, be persistent.


ST: There are a lot of opinions about infosec content making its way to TikTok, or any “modern” platform for that matter. You have a TikTok channel and your stance that it’s not about the platform but about content reaching those that it should is admirable. Why do you think the infosec community dismisses this? Shouldn’t educational content be on platforms whose users are young people looking to get into the industry? And this goes deeper than just TikTok. How can an industry with innovation and change at its core so often be dismissive over it?

Luke: Fostering young, keen minds is perhaps the most important thing that we can do as established hackers today. It will keep the future of cyber security out of jail and ensure we put the brightest minds to positive use in our industry. How are we supposed to do this if we are not even communicating on the same mediums?


It’s important to remember older people tend to be more risk averse. Because of this, older people are naturally slower to adopt new things, including social media platforms. If TikTok follows the same path as every other social platform, it will be a very different place in 2-3 years. There are plenty of TikTok creators in every niche imaginable switching to educational content, and cybersecurity is no exception. There are almost twice as many monthly active users on TikTok as there are on Twitter, and TikTok users’ age demographics are nearly identical to bug bounty hunters. To me, it seems like a great place to pique the interest of future hackers and guide them down the right path!

ST: When you combine imposter syndrome with frequent and severe burnout, infosec can be a mentally overwhelming career path. We work hard — we’re researchers, hackers, and hunters, but we are also ourselves beyond our work. How do you focus on self-growth outside of work?

Luke: The biggest enemy of my mental health is my obsession (borderline addiction) with computers and hacking. I’m far from perfect, and it’s something I struggle with from time to time. Thankfully I have a wife and daughter who keep me in check.

I feel my best when I balance out my hacking with nature, good food, exercise, and sleep. I’ve just moved to the Sunshine Coast, a beautiful corner of the world with a lot of natural beauty so I’m spending a lot of time at the beach. That definitely helps!

As I get older, I curate my life a lot more. I say no to more things and spend time doing things that I’m legitimately excited about.

ST: How do you remain focused on your work, especially bug bounty hunting, while also keeping your private life balanced? What advice would you give to someone that is thinking of giving up — how to find that light at the end of the tunnel and keep going?

Luke: Currently, I have a full-time job outside of my hunting efforts so there is very little pressure on me to find anything. I am careful to rely on bug bounty hunting as my primary source of income only if I am sure I can earn as much as needed to be financially comfortable. It helps take the stress out of it and ensures I will continue to enjoy it.

Quite frankly, if I felt like giving up bug bounties, I would, at least until I felt recharged. The trick is to not allow yourself to get to that point in the first place. This requires careful lifestyle design.


ST: Bug bounty hunting is a competition, but the community is supportive, helpful, and empathetic to each other. Where do you think this comes from, and was it always this welcoming?

Luke: I think there are a number of reasons for the strong sense of community in this industry. Hacking was born from a small niche of passionate, like-minded people who would meet to share ideas and achievements. Many of the ideas discussed back then are now deep within the fabric of our society. Computers, phones, and the internet, to name a few!

Many things have changed, but hacking still attracts passionate, like-minded people. I can’t speak for everyone, but when I was younger, I often felt my views on the world aligned more closely with other hackers online than my real-life social circle. When many people feel this way, it forms a breeding ground for a thriving online community.

The hacker community encourages growth, education, information sharing, critical thinking, and innovation, all of which are critical to our society as we move forward.

ST: Let’s say you’re daydreaming about catching a bug and winning the bounty. What would be the bug and how would you go about finding it?

Luke: If I daydream about bug bounties, it’s not about one bug in particular. It would be about the long game - making great, consistent money doing what I love without risking jail time. But if I had to choose one bug in particular, it would have to be a full non-interactive auth bypass in a huge bounty program with a 6-figure payout.

ST: All of this talk about bug bounty hunting, but what would you do if you didn’t work in infosec/bug bounty hunting?

Luke: That’s tough to say, I enjoy a lot of things. I’d probably spend a lot of time coding, following other entrepreneurial pursuits, creating music, laying on the beach, and bushwalking.


Final words

We hope you’ve enjoyed learning more about Luke’s background and his vision for fostering young minds and bringing new talent to the industry, and that you picked up some good bug bounty hunting tips from one of the best.

While we’re almost at the end of the Bug Bounty Hunting Month, we’re not slowing down! Expect more interviews with your favorite hunters, technical how-to’s and social media giveaways. And don’t forget to take the opportunity to grab your Bug Bounty Hunter’s Toolkit now!

SARA JELEN

Sara believes the human element is often at the core of all cybersecurity issues. It’s this perspective that brings a refreshing voice to the SecurityTrails team. Her ability to bridge cognitive/social motivators and how they impact the cybersecurity industry is always enlightening.