“Keeping yourself motivated” as a Bug Bounty hunter is paramount given the feast-and-famine nature of vulnerability discovery, says Italian hacker leorac.
In the interview below, Leorac – or Leo – also discusses his favoured type of vulnerability, tips for beginner bug hunters, and the changes he’s observed in software development over the past two decades and their implications for hacking.
As he also explains in the video, Leo is a part-time hunter since he also works as a software engineer, and is married with two children.
The footage below was filmed in September 2024 at the RomHack cybersecurity conference in Rome, where Leo took part in Italy’s first-ever live bug bounty event, with targets provided by Ferrero.
Leorac on becoming a hacker…
I started hacking in 2021. I wanted to be a penetration tester. And I started to do CTFs, and then I discovered the Bug Bounty world. I tried myself and I was very lucky, because I found some bugs pretty soon, so I got motivated. And I have been hacking ever since.
On the most challenging aspect of bug-hunting…
The most challenging part, I think, is the psychological one, because Bug Bounty is not only technical.
It’s important also to keep yourself very motivated, and Bug Bounty is a rollercoaster of emotions. Sometimes you find some bugs, some critical bugs – and you see yourself at the top of the mountain, like the best hacker in the world. And next time you can’t find anything for weeks, for months – and you think that you’re just done.
You have to be intentional in keeping yourself motivated and to stay healthy, and maybe take some pauses – and start all over again.
On the three words that best describe him as a hacker…
I guess ‘consistent’, because from when I started, I always went through all the process and I never stopped. The second one, I guess, is ‘creative’, and that’s the counterpart of technical – because I’m not so technical. I prefer to see myself as a creative, finding creative ways to hack on the applications. And the third one is ‘passionate’, because Bug Bounty is a part-time job. But for me, it’s my very passion and what I’m very passionate about.
On his most critical bug finds so far…
I guess that my most critical or biggest-impact bugs are all broken authorisation bugs, because it’s what I keep testing. Through that testing I was able, most of the time, to get to privilege escalation, to do stuff with low-privilege users that was meant to be done by an admin. And this leads to account takeover or, with an IDOR, information disclosure. So my main bugs are mostly just like that.
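As an added illustration of the two bug classes Leo names above (this is example code written for this page, not code from the interview, from leorac or from any program he tested), here is an object lookup with a missing ownership check (an IDOR) and an admin-only role change exposed to any logged-in user (privilege escalation), each beside its hardened form, plus a small authorisation-matrix check that a development team can run as a regression test. All users, invoices, function names and ids are constructed for the example.

```python
"""Broken object-level and function-level authorisation, vulnerable vs. fixed,
with a matrix check a defender can keep in CI. All data below is constructed."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


class Forbidden(Exception):
    """Caller is authenticated but not allowed to act on this object."""


class NotFound(Exception):
    """No object with that id."""


# Constructed sample state: two ordinary users, one admin, two invoices.
USERS = {1: User(1, "user"), 2: User(2, "user"), 3: User(3, "admin")}
INVOICES = {
    101: {"owner_id": 1, "amount": 42.0},
    102: {"owner_id": 2, "amount": 99.0},
}


def get_invoice_vulnerable(caller: User, invoice_id: int) -> dict:
    """IDOR: the handler trusts that authentication happened upstream but never
    asks whether *this* caller may read *this* invoice (BUG, kept on purpose)."""
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def get_invoice_fixed(caller: User, invoice_id: int) -> dict:
    """Object-level check: only the owner or an admin gets the record back."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    if caller.role != "admin" and invoice["owner_id"] != caller.id:
        raise Forbidden(f"user {caller.id} may not read invoice {invoice_id}")
    return invoice


def set_role_vulnerable(caller: User, target_id: int, new_role: str) -> User:
    """Privilege escalation: an admin-only operation with no role check (BUG,
    kept on purpose). Returns the record that would be persisted."""
    if target_id not in USERS:
        raise NotFound(target_id)
    return User(target_id, new_role)


def set_role_fixed(caller: User, target_id: int, new_role: str) -> User:
    """Function-level check: the role change is refused unless the caller is
    already an admin. Returns the record that would be persisted."""
    if caller.role != "admin":
        raise Forbidden(f"user {caller.id} may not change roles")
    if target_id not in USERS:
        raise NotFound(target_id)
    return User(target_id, new_role)


def denied(fn: Callable, *args) -> bool:
    """True if the handler refuses the call with Forbidden, else False."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


def audit_object_access(handler: Callable[[User, int], dict],
                        users: dict, invoices: dict) -> list:
    """Regression check: call `handler` as every user against every invoice and
    return the (user_id, invoice_id) pairs where a caller who is neither the
    owner nor an admin still got data back. An empty list means the handler
    enforces ownership for the whole matrix."""
    violations = []
    for user in users.values():
        for inv_id, inv in invoices.items():
            allowed = user.role == "admin" or inv["owner_id"] == user.id
            if not denied(handler, user, inv_id) and not allowed:
                violations.append((user.id, inv_id))
    return violations


if __name__ == "__main__":
    print("vulnerable lookup leaks:", audit_object_access(get_invoice_vulnerable, USERS, INVOICES))
    print("fixed lookup leaks:     ", audit_object_access(get_invoice_fixed, USERS, INVOICES))
    print("user 1 promoting itself, fixed handler denied:", denied(set_role_fixed, USERS[1], 1, "admin"))
```

The matrix check is the part worth keeping: run it over every handler that takes an object id, with a fixture of users and objects that spans each role, and it fails the build as soon as someone adds an endpoint that forgets the ownership check. Whether a refused lookup returns 403 or a uniform 404 (so that ids cannot be confirmed to exist) is a separate design choice that the check does not depend on.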
On the evolution of software development and hacking techniques…
I guess that the main evolution is about technology. So some years ago, old websites for example were in PHP, and now you see that not so much anymore. Before there were no frameworks, and now everything is based on frameworks. As I said before, I’m 40 years old so I’ve seen a lot in 20 years. And right now, of course you can’t hack as if it were five years ago or 10 years ago. You have to focus on different classes of vulnerabilities. So I guess you have to follow the technology – and then understand what this technology is, where this technology is more prone to be vulnerable.
On his top tips for new hackers…
My main tip is: just start. Because I see so many people in the loop of trying to study, to understand – because they are scared to start, they are scared of the challenge. But there are a lot of public programs, a lot of platforms, so just start.
And on the technical side, something that helped me a lot was the PortSwigger Academy. So all the time I suggest that. If you’re able to go through the PortSwigger Academy, then you are just fine to start doing Bug Bounty.
Interested in emulating leorac? Learn more about hunting through YesWeHack, sharpen your hacking skills on Dojo, or learn about the latest hacking tools and techniques on our blog.