‘You have to be curious to do this job’: SpawnZii on balancing Bug Bounty with pentesting

May 22, 2026


Full-time hunters may have more time to chase low-hanging fruit, but part-time hunter SpawnZii has still carved out a place among YesWeHack’s most successful researchers.

SpawnZii – aka Romain Brun – sits 50th on our all-time leaderboard at the time of writing.

In this interview, conducted during YesWeHack’s live hacking event at leHACK 2025 in Paris, SpawnZii reflects on balancing bug hunting with his day job as a pentester. He also looks back on how he got into hacking, explains how his target-selection methodology has evolved, and shares practical advice for aspiring hunters.

SpawnZii on how he became a hacker…

When I was little, I started tinkering with computers to try to jailbreak my PS3. And actually, while looking for tutorials, I noticed that you could hack computers and that you could even make a career out of it. So I jumped into it.

I discovered Bug Bounty when I started engineering school through my mentor, who was already doing a bit of Bug Bounty. He’s called Worty, for those who might know him!

So we started doing Bug Bounty – don't tell anyone, but during class time! – and then there was an event organised between my school and BZHunt. YesWeHack was sponsoring this event. I’ve never stopped hunting since.

On the biggest challenge as a Bug Bounty hunter…

For me, it's a question of time. It takes a lot of time, especially when you have a job on the side.

Sometimes you receive invitations and the programs have just opened. All the full-time hunters will be able to find the easiest bugs. And behind them, there’s us. We have a little less time to look for valid bugs. For me, that’s the most challenging part.

On the three words that best describe his hacker mindset…

Curious, passionate and persistent.

Curious, because I think you have to be curious to do this job or look for bugs in everyday life. And passionate, because I think you have to be passionate to do this job.

Otherwise, in the long run, it can become a bit repetitive. And then with the competition and the time it takes, it can be a bit demotivating.

And persistent, because sometimes after a long series of duplicates, it can be a little demotivating to start looking for bugs again, so you have to stay focused.

On how he chooses Bug Bounty targets…

That changed over time. At first, I hunted a lot on all the invitations I had. I looked for bugs here and there.

But today I’m a little more disciplined. I stick to the same program a lot and hunt continuously on it, and I’ve developed a few tools for automation and monitoring.

On his favourite hacking tools…

Well, I mainly use Firefox, Chrome and Burp Suite. I think that’s pretty much all any bug hunter working on the web needs. But in terms of automation, I’ve developed my own platforms and tools.

On his most critical bug so far…

So I have a nice little bug that I found in November last year.

I used my father’s account, which had a pro account on a certain platform. Thanks to this account, I managed to gain further access to an administrator account.

It allowed me to discover a vulnerability that enabled me to recover anyone’s account without any interaction from the targeted user. And that earned me a nice bounty.

On his top tip for aspiring hunters…

I think that to get started with Bug Bounty hunting, you need to have a few tools and some basic web knowledge. I would recommend doing the YesWeHack Dojo challenges and the PortSwigger Burp Suite labs, which are also very useful and will give you a good foundation to start with.

And then try to start looking for bugs in a program. I know it’s a little difficult at first. You might think you need private invitations to find bugs. That’s not necessarily true, although it can help, but tackling a public program is also a good idea to start with.

Interested in emulating SpawnZii? Register as a hunter on YesWeHack, sharpen your hacking skills on Dojo, or learn about the latest hacking tools and hacking techniques on our blog.