- Aug 17, 2017
Youssef Sammouda is a Tunisian security researcher who focuses on bug bounty programs. He describes himself as, “Vulnerability researcher with an attraction to web applications and the security vulnerabilities that affect them.” He achieved first place in Facebook’s whitehat program in 2021, 2020 and 2019. SecurityWeek talked to Sammouda about using cybersecurity research and bug bounties as a way of life and source of income.
The making of a bug bounty hunter
“For the last five years,” he said (that is, starting in his mid-to-late teens), “I have focused on performing vulnerability assessments on some of the world’s biggest companies, mainly Meta and Google, and entering hacking competitions. I also currently work as a security consultant to start-up companies.”
This journey started early in his life. He began programming when he was twelve years old – but with no employment available for someone not yet in his teens, “I followed a path of general hacking and penetration testing. It wasn’t easy to do this legally. There wasn’t the same attitude toward whitehat research as there is today.” And there were no bug bounty programs to formalize the legality.
Legal pressures are something all researchers must consider. While most accept that conditions have improved, problems still exist today. As an example, in October 2021, a journalist with the Post-Dispatch discovered that teachers’ social security numbers were embedded in plain text in the html source code of a Missouri state website. The journalist took the responsible route. He verified that a few of the numbers he found were genuine SSNs, and then alerted the state authorities. But rather than a reward, as would happen in a bug bounty program, the state governor ordered an investigation by state troopers with a view to considering criminal charges (for hacking) against the journalist.