When rabhi’s reign as king of YesWeHack’s leaderboard began, TikTok had just risen to prominence, GPT-1 was fresh out of the lab, and Log4j was still just a trusty Java logging tool.
That was 2019. Rabhi has topped every annual leaderboard since, with second place often trailing by huge margins. True to form, he also tops the overall 2025 rankings so far (although Xel recently broke rabhi’s run of quarterly victories, unbroken since 2019 Q1, and drak3hft7 is on course to do the same in Q3).
So what are the secrets of rabhi’s remarkable success? How does he produce high-quality bugs so prolifically – and over such a long period of time?
Who better to tell us than the man himself? Rabhi kindly answered our questions for a Q&A we first published in the YesWeHack Bug Bounty Report 2025. You can now read this exchange below too.
How did you become a hacker?
Rabhi: My involvement in hacking came from curiosity and a desire to experiment. I was fascinated by the idea of understanding systems and finding ways around them. My earliest success – reporting vulnerabilities to the Zataz.com platform – reinforced my desire to specialise in hacking.
When I started out in Bug Bounty, I reported vulnerabilities to companies like Yahoo and PayPal, and got a few fun rewards like Lumia phones. Over time, I developed a taste for more competitive programs, such as Google’s, where making the top 10 was a defining experience.
The first time I discovered a flaw in Google’s program I spent a sleepless night wondering whether it would be accepted or not. That experience – a mixture of excitement and uncertainty – remains engraved in my memory as a key stage in my progress.
What are the secrets of your success in terms of technical skills?
Rabhi: If there was one secret, it would be methodology. More than a set of skills, it's this ability to structure and perfect your research that will take you far.
Reconnaissance is the foundation of any successful test. Gather as much information as possible about your targets before you start testing. Because vulnerabilities and techniques are constantly evolving, you should also follow the latest trends and learn the most up-to-date workaround methods.
Specialise in a specific area too, such as web, mobile or reverse engineering. Even within a single category of vulnerabilities, there is always something new to learn and master.
Finally, I recommend differentiating your approach. For example, on a search page, most bug hunters reflexively test the search field directly, because it's the most visible and intuitive element.
But I prefer to explore less obvious parameters, such as elements hidden in JavaScript. This ‘off the beaten track’ curiosity often leads to the discovery of unique flaws.
What about the value of mindset and soft skills?
Rabhi: Soft skills are often underestimated, but they are essential in Bug Bounty. For example, you should trust your intuition and never give up. I've sometimes found vulnerabilities after days, even weeks, of painstaking research.
And be disciplined. I devote at least two hours a day to Bug Bounty. This keeps me efficient and responsive, particularly when invitations are extended to new programs.
You should also respect the trust that companies place in researchers. The way you write reports and interact with program managers can make all the difference. Good communication can strengthen your relationships and increase your opportunities.
Finally, maintain a healthy work-life balance. Bug bounty can be demanding, but it's important to know when to take a break to stay motivated.
Any advice for hunters who are just starting out?
Rabhi: The road to bug-hunting success may seem daunting, but with enough time and effort anyone can reach this destination.
I recommend honing your technical skills on specialist training platforms such as TryHackMe, RootMe or HackTheBox. Also take part regularly in Capture-the-Flag (CTF) competitions, attend cybersecurity conferences to broaden your knowledge, and experiment with different approaches.
Finally, be patient and don't get discouraged: results don't come immediately. Duplications or low scores are initially part of the process. Set yourself realistic goals and take things one step at a time.
And remember: every discovery, however small, is a victory that brings you closer to your goals.
Anything else to add?
Rabhi: What sets YesWeHack apart for me is the community spirit and the quality of the programs on offer. It’s a real source of inspiration. The team does a remarkable job of supporting researchers and improving programs.
For me, Bug Bounty isn't just a job: it's an intellectual and human adventure as much as a technical one.
So, to all those who are hesitating to take the plunge: dare to do it. It will be a long journey, but the rewards – in terms of learning, community and recognition – are well worth it.
Interested in emulating rabhi? Register as a hunter on YesWeHack, sharpen your hacking skills on Dojo, or learn about the latest hacking tools and hacking techniques on our blog.