Youssef Sammouda is a Tunisian security researcher who focuses on bug bounty programs. He describes himself as a “Vulnerability researcher with an attraction to web applications and the security vulnerabilities that affect them.” He achieved first place in Facebook’s whitehat program in 2021, 2020 and 2019.
SecurityWeek talked to Sammouda about using cybersecurity research and bug bounties as a way of life and source of income.
“For the last five years,” he said (that is, starting in his mid-to-late teens), “I have focused on performing vulnerability assessments on some of the world’s biggest companies, mainly Meta and Google, and entering hacking competitions. I also currently work as a security consultant to start-up companies.”
This journey started early in his life. He began programming when he was twelve years old – but with no employment available for someone not yet in his teens, “I followed a path of general hacking and penetration testing. It wasn’t easy to do this legally. There wasn’t the same attitude toward whitehat research as there is today.” And there were no bug bounty programs to formalize the legality.
Legal pressures are something all researchers must consider. While most accept that conditions have improved, problems still exist today. As an example, in October 2021, a journalist with the Post-Dispatch discovered that teachers’ social security numbers were embedded in plain text in the HTML source code of a Missouri state website. The journalist took the responsible route. He verified that a few of the numbers he found were genuine SSNs, and then alerted the state authorities.
But rather than a reward, as would happen in a bug bounty program, the state governor ordered an investigation by state troopers with a view to considering criminal charges (for hacking) against the journalist. In the end, no charges were raised because no hacking occurred. A key element for hacking is the avoidance or bypassing of authentication processes – but there were no authentication processes: the data was plainly visible within the HTML that could be viewed by anyone with a browser.
But the threat of legal action hung over the journalist for several months – and such threats can have a chilling effect on researchers.
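The Missouri incident above is a class of defect a publisher can test for before a page ships: sensitive values that travel in the served source whether or not the browser renders them. The following is an added example, not code from the article or from anyone it describes, of a pre-publication check that scans HTML source for SSN-shaped values in text nodes, comments and attribute values (so hidden form fields count) and discards patterns the SSA never issues. The sample page and every number in it are constructed.

```python
import re
from html.parser import HTMLParser

# Hyphenated or plain nine-digit groups that are not part of a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")

# Constructed sample page: one SSN in visible text, one in a hidden input,
# one in an HTML comment, and two look-alikes that the SSA never issues.
SAMPLE_HTML = """<html><body>
<h1>Staff directory (constructed sample)</h1>
<p>Jane Doe, employee id 4471, SSN 123-45-6789</p>
<input type="hidden" name="ssn" value="345678901">
<!-- legacy export: 234-56-7890 -->
<p>Ticket 000-12-3456 and order 987-00-1234 are not SSNs</p>
</body></html>"""


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never assigns: area 000, 666 or 900-999,
    group 00, serial 0000. Everything else is treated as a possible SSN."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


class SourceScanner(HTMLParser):
    """Collect every string that ships in the page source: text nodes,
    comments and attribute values. Rendering is irrelevant; if it is in the
    source, anyone with a browser can read it."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (location, matched_text, hyphenated)

    def _scan(self, location: str, text: str) -> None:
        for m in SSN_RE.finditer(text):
            if is_plausible_ssn(*m.groups()):
                self.findings.append((location, m.group(0), "-" in m.group(0)))

    def handle_data(self, data):
        self._scan("text", data)

    def handle_comment(self, data):
        self._scan("comment", data)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value:
                self._scan(f"attr {tag}[{name}]", value)


def find_ssn_exposures(html: str):
    """Return every plausible SSN found anywhere in the HTML source, with
    where it was found and whether it was hyphenated (higher confidence)."""
    parser = SourceScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for location, value, hyphenated in find_ssn_exposures(SAMPLE_HTML):
        kind = "hyphenated" if hyphenated else "plain digits"
        print(f"{location}: {value} ({kind})")
```

The check runs on the raw source rather than the rendered page, which is the whole point: hidden inputs and comments never appear on screen but are delivered to every visitor. Plain nine-digit matches are reported with lower confidence because other identifiers share that shape, so a pipeline would typically block on hyphenated hits and queue the plain ones for review.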
To avoid any legal issues, Sammouda switched to Capture the Flag (CTF) competitions to hone his skills, and gained knowledge in web and mobile application security. As the years passed, he reached the point where he could choose between working freelance or joining a company as an application security engineer. During this same period, bug bounty programs emerged as a potential source of income for a researcher.
“The desire to work for myself was stronger than the desire to work for a company,” he told SecurityWeek. “I felt that if I went to work for a company like Facebook, I would be tied to their infrastructure and be constrained by their approaches. I didn’t want that. I wanted something where I could always be learning something new with new technologies. As a researcher, I am effectively working for and with every company rather than just one.”
And thus, an independent bug bounty hunter was born.
The key to being a researcher, as we have discovered with other security researchers, is a deeply rooted curiosity. “It’s about curiosity, and a need to challenge both yourself and the programmers who developed the code,” he explained. Earning bounties comes second to the curiosity: bounty hunting is merely a method of earning a living while satisfying curiosity.
We have also learned from other researchers that the image of a solitary hacker in front of a computer in a darkened room gives the wrong impression.
“The ability to spend long periods on your own to do the research is not a pre-requisite, but the work forces you to spend many hours at your computer, much of it solitary. Working alone is a result of choosing this work – you don’t choose the work because you want to be alone.” Working alone is often – not always, nor with all researchers – a side-effect of being a researcher, not a requirement to be a researcher.
Worthy of note, however, is that Sammouda does not consider a formal education to be important. He went to university, but dropped out – and considers that everything he has learned has been self-taught through reading, forums, practice and mentally analyzing published proof of concept exploits.
Sammouda is a successful bounty hunter. “With Meta and Google, I make around $400,000 per year,” he told SecurityWeek. In the last twelve months, it was closer to $900,000. Overall, he has found about 140 bugs so far – around 120 in Facebook and the remaining 20 in Google and a few other big-name companies. So, how does he do this?
It’s largely about preparation and planning. The planning shows in a professional approach to his work. “How much money you make will depend on the quantity and quality of the bugs you find in any year. But you can find in the program policy page how much is paid for a certain bug; and you can plan your year with an estimated value of how much you’ll make during the year.” In effect, he plans his cash flow around the expected bounty income.
The preparation comes from the years he spent learning his trade since he began programming at twelve years old and taking part in Capture the Flag competitions. Now he is confident he will find a bug whenever he starts looking.
“Although many people want to start on a bug bounty program, they don’t have the skillsets to do it the right way to efficiently find the bugs. Before I started bug bounty hunting, I already had a very good background in security. That helped me start to make money right from the beginning. But the problem for many newcomers today is they’re not willing to spend enough time learning before they start hunting.”
He treats it with the discipline of working for a company without actually working for a company. It’s a bit like hanging wallpaper – the real trick is in preparing the wall before you start hanging the paper.
Get it right, and the bounty hunter earns both money and satisfaction. “Many of the bugs I found in Facebook were critical. I like all of them, but I mainly focus on bugs that would allow me to take over a Facebook account; for example, take over an Instagram account. By takeover, I mean gain access to someone’s account or get someone to visit a malicious website and get control of the account – so I like what I’ve done in finding these bugs. Two years ago, I focused on finding logic bugs in Facebook. I also found – and got $81,000 for it – a bug that allowed me to gain access to the entire Facebook infrastructure.”
Most researchers are at least aware of the potential to sell discovered vulnerabilities to criminals on the dark web. Sammouda has a strong ethical code and has never been personally tempted. “In the past, hackers had to be black hats because this was the only way to make money from their skills,” he explained. “But nowadays I don’t think it is necessary. With things like bug bounty hunting and similar programs, you can make millions legally – so it doesn’t make sense to be a black hat.”
Apart from logic, this is down to his personal moral code. “For me,” he continued, “apart from the bounties, I feel I need to protect the users. With my skillsets I feel obliged to help protect the online users.”
There have been some suggestions that geopolitics can play a part in the difference between being a black hat and a white hat; that is, in some geographical locations it may be more difficult to make an honest profit from research. “I live in Tunisia,” he responded, “and I’ve never felt it is impossible to do bug bounties from anywhere in the world. Firstly, it’s online work; secondly, the rewards are reasonable, and you can get paid in cryptocurrency. So, you can do bug bounties from anywhere in the world. It’s true that some researchers may prefer to work for their government in some areas, but there is always the choice to do the right thing.”
Being ignored by bounty schemes is sometimes raised as a potential reason for selling a vulnerability on the dark web. Sammouda doesn’t accept this. “To be honest, that has never happened to me. Companies that have a bug bounty program don’t ignore critical bugs.”
But what if…? “Following that hypothesis, I would use responsible disclosure.” Even if responsible disclosure has no effect, he wouldn’t switch to full disclosure – and in fact there have been examples. “I’ve had this experience,” he said. “One company didn’t want to fix the bugs; so, I had to contact a third-party company that worked with this company and say that if you don’t make them fix this bug it will affect you too. Eventually, the company was contacted by the third-party, and they fixed it. In another example, I had to contact the developers of an application directly because the company didn’t want to fix the bug.”
So, how do you become a successful bounty hunter like Youssef Sammouda? “First learn programming,” he says, “because cybersecurity research is about finding and understanding how a program works. If you’re not a programmer, you can’t even see the problem.”
If you’re interested in web application security, you should learn the languages used. “The same logic applies for mobile, and other areas. From then on, you should spend a lot of time doing the research part. This can initially be done by playing Capture the Flag (CTF). You should do CTF for at least three years, playing two or three times every week. This will give you the experience to start your own hunting. And, of course, you must continually read the news, and new security research and whitepapers. But if you have the basic inherent curiosity, this will all come naturally.”
The real incentive for wannabe bounty hunters? It’s not even a full-time job. “It’s part time,” said the man earning $400,000 per year. “I’m not a full-time bounty hunter.”