The axiom that ‘patience is a virtue’ is surely never truer than when applied to the world of Bug Bounty.
Echoing many of his peers, Argentinian hacker g4mb4 cited this attribute among his three most important traits when it comes to hacking in this interview with YesWeHack.
G4mb4 – aka Damian Gambacorta – also recounted the impact of the vulnerability he is most proud of so far, considered whether being a developer made it easier to build a successful career in Bug Bounty, and detailed his methodology for choosing targets.
This conversation was filmed at Ekoparty, in the hunter’s hometown of Buenos Aires in November 2024, during a live hacking event where g4mb4 finished second on the final leaderboard.
The former developer has since started a company – OliveX – that leverages the expertise he has accrued in Bug Bounty, which he also combines with an additional senior cybersecurity role.
G4mb4 on becoming a hacker…
I started as a software developer like 15 years ago, and at some point, I decided that security was something that I needed to be more focused on.
During the pandemic, I started a course to learn about how to hack and do it in an ethical way.
And I started checking Bug Bounty and realised that it's something I really liked to do.
I migrated from development to Bug Bounty, which I’m currently focusing on right now.
On choosing his hunting targets…
I always say that I like to hack companies that I probably wouldn’t be part of, because the interviewing process would be complex.
So I really like to hack big companies that have a wide scope, that pay good, reasonable bounties and – most importantly – that treat us nicely and as part of their company. Not like a competition, because for us it’s a job also, and it’s something that we really care about.
On the three words that best describe him as a hacker…
I call it PPC – that is: persistence, patience and curiosity. That means I’m very curious about hacking techniques, tools and platforms. And I also have a lot of patience to spend long hours hacking through the night.
On the bug he is most proud of discovering so far…
Well, I found an IDOR. I focus mostly on IDORs, and the IDOR I found, I was able to get all the tickets from a big company.
And after getting all the tickets from that company, I was able to access reservations, cancel them and do more stuff with them.
That was pretty impactful because it was affecting a $1 billion company that was really big.
On what he likes most about YesWeHack…
I really like the way that the programs are organised on the platform, and how easy it is to report on YesWeHack.
I found it really easy to create the report, to focus on the flaw, and also the relation with the triagers was really helpful to commit, to solve the tickets faster.
On whether being a former developer typically makes you a better hacker…
I would say that it's the opposite: I had a background as a developer, then I started doing Bug Bounty, and once I had a lot of knowledge from Bug Bounty I started improving my coding techniques and being more professional in that.
I started applying for cybersecurity jobs, and now I’m a security architect due to the fact that I started doing Bug Bounty in my free time.
On his top tip for new hackers…
I would say that the tip I can recommend for new hackers is spending some time reading, learning about the vulnerabilities, how they can be exploited.
And with that in mind, start taking some time reviewing the programs, learning how the scope is, and start hacking. I think that you just need to start hacking!
Interested in emulating g4mb4? Register as a hunter on YesWeHack, sharpen your hacking skills on Dojo, or learn about the latest hacking tools and hacking techniques on our blog.