Technology Hacker Conversations: Youssef Sammouda, Bug Bounty Hunter

[vtqhtr413]

Content source

https://www.securityweek.com/hacker-conversations-youssef-sammouda-bug-bounty-hunter/

Youssef Sammouda is a Tunisian security researcher who focuses on bug bounty programs. He describes himself as, “Vulnerability researcher with an attraction to web applications and the security vulnerabilities that affect them.” He achieved first place in Facebook’s whitehat program in 2021, 2020 and 2019. SecurityWeek talked to Sammouda about using cybersecurity research and bug bounties as a way of life and source of income.

The making of a bug bounty hunter​

“For the last five years,” he said (that is, starting in his mid-to-late teens), “I have focused on performing vulnerability assessments on some of the world’s biggest companies, mainly Meta and Google, and entering hacking competitions. I also currently work as a security consultant to start-up companies.”
This journey started early in his life. He began programming when he was twelve years old – but with no employment available for someone not yet in his teens, “I followed a path of general hacking and penetration testing. It wasn’t easy to do this legally. There wasn’t the same attitude toward whitehat research as there is today.” And there were no bug bounty programs to formalize the legality.

Legal pressures are something all researchers must consider. While most accept that conditions have improved, problems still exist today. As an example, in October 2021, a journalist with the Post-Dispatch discovered that teachers’ social security numbers were embedded in plain text in the html source code of a Missouri state website. The journalist took the responsible route. He verified that a few of the numbers he found were genuine SSNs, and then alerted the state authorities. But rather than a reward, as would happen in a bug bounty program, the state governor ordered an investigation by state troopers with a view to considering criminal charges (for hacking) against the journalist.

 

[vtqhtr413]

The nature of bug bounty programs is changing, and their ‘auntie’ is worried

Katie Moussouris talks with the Click Here podcast team about China's vulnerability disclosure rules, how an EU proposal has similar aspects, and why she believes these kinds of regulations will only make the internet less safe for everyone.

therecord.media

Katie Moussouris is the founder and CEO of Luta Security, a cybersecurity company specializing in vulnerability management. But she may be most famous for her work helping major corporations and government entities, including Microsoft and the Pentagon, to build bug bounty programs. The idea was simple: white hat hackers find vulnerabilities, they report them to companies, and those companies pay them — and, importantly, quietly patch the software.

The end goal, in all cases, is to fix the bug before anyone can exploit it. So in 2021, when China announced new regulations requiring private companies to report vulnerabilities to the government before they were patched, Moussouris was concerned. While many government officials and security researchers sounded the alarm over China weaponizing zero-days — as the Atlantic Council looked into for a September 2023 report — Moussouris worried about the precedent.

"The biggest problem with this provision is if other countries start imposing the same requirements on security research," she told the Record at the time.

And her concerns have come to fruition: