AMA with @jhaddix

Thank you for doing this interview! Can you please introduce yourself?

My name is Jason Haddix, I am from Southern California and I have been hacking for 10 years.

Ten years ago the internet was a very different place. I took a college course on “Ethical Hacking & Network Defense” and liked the topic but thought many of the attacks seemed unsophisticated or outdated. I took my interest online to some of the shadier IRC and underground forums. While working a nightshift job (IT helpdesk), I taught myself network and web application hacking. The network stuff was tried and true but the web stuff, SQL injection, command injection, and XSS were all relatively new. I learned from reading and following everything/everyone I could. Back then SANS was one of the best certs for the ethical side of the scene so I paid my own way to get my GSEC, GPEN, and GWAPT certifications. I found a bunch of web related vulns at my employer and helped dev understand their impact. Shortly after I got my 1st job at a small consultancy. I worked with a stellar team there, and learned a ton. I helped define their web testing processes and expand their vuln assessment into actual pentesting. After a while there I needed to move on, and I took a Blackhat training with @danielmiessler. We teamed up on the CTF, got 2nd place, and I joined his team at HP/Fortify shortly after. I led the pentesting efforts there with another stellar team, and worked my way up the corporate ladder to become Director of Pentesting there. I started being a bughunter in parallel on private programs and then as part of Bugcrowd. I became obsessed and battled @bitquark for the top slot on the leaderboard for 6 months, eventually in 2015 I got the top spot. I left HP Fortify soon after to join the Bugcrowd team leading their triage and validation teams, as Director of Technical Operations. I have since “graduated” to Head of Trust and Security.

Q: What platforms or popular (public) programs have you hacked on?

Yahoo, Google, some game companies, and a billion Bugcrowd programs. Some private disclosures before Bug Bounty was really a thing too.

Q: How do you manage your personal life, work, and bug bounties? Do you do bug bounties as a job or a hobby?

Full disclosure, I work for Bugcrowd now, but when I wasn’t I would work my 9-5 as the leader of a pentest team, then come home and replace my gaming time with bug bounties (about 4 hours a night). Minus family dinner, family chill time, and tucking the kids in. In the pentest profession you can never really gauge how good you are at your job, so I wanted to see if I could get to the number one spot on the Bugcrowd leaderboard. I achieved that personal goal in 2014 and 2015. I remain in the top 50 today. It’s not really about the money for me, so I’d say hobby, but I did pay for my wedding with my bounty money so it was a nice bonus.

Q: How much time do you spend on Hunting for Bugs? On average, how many bugs do you think you report per month?

When I was hunting actively it was about 20 hours a week, averaging 2-3 bugs a day, varying in criticality. Coming from pentest I submit everything, regardless of how small. It’s just how I test.

Q: How long did it take you until you found your first significant/high impact/payout vulnerability?

On private programs it usually takes me 1-2 days to know the app well enough to find something high priority (unless something falls in my lap). Most of my submissions are medium level criticality.

Q: Of all the bugs you’ve found, what was your favorite/most interesting?

There’s been a few. Bypassing a WAF by forging headers was a fun one. Literally all the other hunters were being blacklisted because of too many requests. I found that the WAF plugin accepted a custom header to whitelist a client so I started testing and adding that header to all my requests, in which I told the WAF I was itself (127.0.0.1). I literally had the bounty all to myself for 50% of the duration.

WordPress’s public/charity mobile bounty sponsored by Bugcrowd was fun too. I found several 0-days in that app (you can actually Google the results of the bounty).

At a Bug Bash once I managed to find some leftover source fragments, that had credentials for an employee of a target. I tried these credentials and they logged me into some super scary backends I had identified via discovery.

I’ve had a ton of private program and pentest bugs I’ve found that are interesting but can’t really talk about =(

Q: When and how did you have your breakthrough? When did you realize hacking and bug bounties was something you wanted to dedicate your time to? Please share your insights and the problems you faced to become established Bug bounty hacker?

I knew from the 1st bounty I participated in it was something I was going to do long term. Some of the newer hunters don’t remember a time where this kind of hacking could get you arrested. I do. So the opportunity to use my skills and get paid for it (in my free time) was just too good to miss out on. The 1st hurdle for bug hunters is always getting enough submissions in to get into the tier of hunters that gets invited to private programs. It was the same with me. Just don’t give up!

Q: What do you do to keep up with all the new trends?

Mostly twitter. It’s so funny but that’s where our industry is, like it or not.

Q: Do you collaborate with other hackers? Can you name a few?

I’ve teamed up with @shpendk, @FatihEgbatan, and @ITSecurityguard at random points. I’d love to work with more hunters though, I find it exhilarating.

Technical Questions

Q: How do you approach a target? What is your routine like? What is your recon process like? What kind of information do you seek in your information gathering process? And how does this information help you?

Alright… here we go!

For wide scope programs I have a script that does what I call “Phase 1”:

Subdomain discovery via scraping: enumall.py & sublist3r

  • https://github.com/jhaddix/domain
  • https://github.com/aboul3la/Sublist3r

Subdomain discovery via brute force: same as above but with custom list:

  • https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/sortedknockdnsreconfiercerecon-ng.txt

Results get fed into:

Nmap & Eyewitness:

  • (something like) nmap -T5 -Pn -n -p- -sV -sC --script=http-title -oA {outfilename} {targets}
  • Or Masscan with the nmap top 1000 ports
  • https://github.com/ChrisTruncer/EyeWitness

Around this point I do some manual discovery:

  • ASN’s: http://bgp.he.net/
  • Expand netblocks of the domains found above
  • Virtual host checking
  • Certificate Checking (even privates) to find other sites with that naming structure
  • Trademark or privacy policy google dorking

Results then get fed into Gobuster or filebuster w/custom lists:

  • https://github.com/OJ/gobuster
  • https://github.com/henshin/filebuster
  • https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web_Content/raft-large-files-lowercase.txt
  • https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web_Content/Top1000-RobotsDisallowed.txt
  • https://github.com/danielmiessler/RobotsDisallowed

I now have a lot of scope to work with. Eyewitness will give me screenshots which I parse through for interesting targets 1st. I then begin to connect with a browser to opportune looking sites, look for exploits associated to old versions, and begin web hacking with Burp.
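Added example, not the author’s own Phase 1 script: Python for the two glue steps the workflow above implies, merging scraped and brute-forced subdomain output into one in-scope target list, then pulling open web ports with their product/version and http-title results out of nmap’s XML output (the .xml that -oA writes) so the most interesting hosts can be screenshotted and brute-forced first. Both sample inputs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample lines in the shape enumall.py / Sublist3r and a brute-force run print (assumption)
SCRAPED = """www.example.com
Dev.Example.com
www.example.com.
mail.example.com
api.example.org
"""
BRUTED = """dev.example.com
vpn.example.com
vpn.example.com
"""
# Constructed fragment in the shape of nmap -oX output with http-title results (assumption)
NMAP_XML = """<nmaprun>
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="dev.example.com" type="user"/></hostnames><ports>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Apache Tomcat" version="7.0.52"/>
<script id="http-title" output="Apache Tomcat/7.0.52"/></port></ports></host>
<host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
<hostnames><hostname name="vpn.example.com" type="user"/></hostnames><ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
<script id="http-title" output="Login"/></port>
<port protocol="tcp" portid="8443"><state state="filtered"/><service name="https-alt"/></port>
</ports></host></nmaprun>"""

def merge_subdomains(*outputs, scope=("example.com",)):
    """Normalize scraped and brute-forced hostnames, keep only in-scope ones, dedupe."""
    seen = set()
    for text in outputs:
        for line in text.splitlines():
            host = line.strip().lower().rstrip(".")  # case and trailing-dot variants collapse
            if host and any(host == s or host.endswith("." + s) for s in scope):
                seen.add(host)
    return sorted(seen)

def web_targets(nmap_xml):
    """Open http(s) ports from nmap XML with product/version and title, for screenshot triage."""
    hits = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        name = host.find("hostnames/hostname")
        label = name.get("name") if name is not None else host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            if port.find("state").get("state") != "open" or not svc.get("name", "").startswith("http"):
                continue  # closed/filtered ports and non-web services are not screenshot targets
            title = port.find("script[@id='http-title']")
            scheme = "https" if svc.get("name").startswith("https") else "http"
            hits.append({"url": f"{scheme}://{label}:{port.get('portid')}",
                         "product": " ".join(filter(None, (svc.get("product"), svc.get("version")))),
                         "title": title.get("output") if title is not None else ""})
    return hits
```

The merged list is what goes into the nmap/masscan run, and the URL list from web_targets is what you hand to EyeWitness or gobuster, with the version string telling you which hosts to check for known issues first.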

Q: Do you always look for all vulnerabilities types when you approach a website?

I do. Some testers only look for certain classes of bugs, I tend to (because of my pentester and VA background) look for everything and anything.

Q: Do you use any tools? Do you have your own tools that you have written to automate/facilitate your work? What Burp extensions do you use? Is there a tool that not a lot of people use that you think they should?

I just switched to running a ton of tools out of docker containers, one particularly cool one contains my DNS scripts and some other tools, called Brutesubs by Anshuman Bhartiya.

It’s definitely in a hunter’s best interest to get familiar with SQLmap too.

For Burp plugins I (currently) use: Active Scan ++, Additional Scanner Checks, AuthMatrix, Backslash Powered Scanner, CO2, Flow, Hackvertor, Meth0dMan, Paramalyzer.

Q: This is one of our most popular questions: How do you test for Server Side vulnerabilities such as RCE, SQLi, etc?

I have a few custom tools to look for classes of vulnerabilities. I’ll be releasing them soon at DEF CON and Blackhat. Stay tuned. I also did a talk on bug hunting at DEF CON 23 which goes into a lot more depth. You can see the video here and the associated transcribed github (to be updated soon) here. There are definitely some basic questions you should think about when interacting with the site:

  • Does the page look like it might need to call on stored data? (check for SQLi, XMLi/XXE, etc)

  • Does the page functionality display something to the users (and does it reflect your input)? (Check for XSS)

  • Does the page functionality look like it might interact with the server file system (or can it)? (Check for LFI/CMDi)

  • Does the page functionality deal with redirects or use a path in a parameter? (check for SSRF)

  • Does the page upload files? (Check for file upload vulns)

  • ++

Q: How often do you find a bug that has been overlooked after a bounty program has been established and a horde of researchers have been digging?

A lot. I don’t know where testers got the notion of a target being not valuable after running a long standing bounty. Some low hanging fruit may be gone, but p1’s and p2’s are still there!

Q: Do you think being a pentester, web developer, or being in a related field, helps you with bug bounties? Where should they start?

Pentesting and bug bounty hunting share a ton of the same skills, so that helped me a lot. I recommend starting with reading:

I also highly recommend installing and completing every single practice application you can find:

Time to wrap it up!

Q: What kind of music do you listen to?

A large range of EDM mostly. I like Zedd, Marshmello, 3LAU, Bro Safari, Firebeatz, Pegboard Nerds, Glitch Mob, ++

Q: What do you do when you aren’t hacking?

Game! I have played DoTA2, WoW, Destiny, Diablo, ++. I also parent and hang out with my wonderful wife and kids. I also love paintball!

Q: What kind of impact/role have bug bounties played in your life?

They allowed me to pay for my wedding, my new family minivan, work for one of the most impactful security companies in existence, and meet some of the best hackers in the world… so I’d say a pretty big impact!

Q: What is an advice you received as a beginner that helped you with your bug bounty career?

Keep at it. Good vulns don’t just shake out of the target in the 1st day (usually). Just keep looking!

Q: What is one area of hacking (web, mobile, hardware, etc) you wish you knew more about / plan on focusing your learning on?

Exploit Dev. I know basic to intermediate stuff, but would love to be better at the hardcore stuff. I also lack a “traditional” software dev background, so someday I’d like to remedy that.

Q: If someone with basic technical background asked you, “where should I start?”, what are 3 things you would recommend they do before diving into bug bounties?

(see above)

Q: Someone was eager to know, what do you put on your toast?

Butter

Q: What’s your worst bug bounty story/experience? (Please do not mention a customer name or platform in your answer)

Before there were platforms for this, I reported several issues on mobile apps to big companies. Credential logging available to all apps, data stealing through intents, global photo sharing, no data protection API designations, ++. All were not rewarded and then fixed a few weeks later. Hurt my feelings! C'est la vie!

Q: If you had to pick one hacker to collaborate with, who would it be?

ONE? No way (I’m a hacker)! A few? Sure: @ITSecurityguard, @bitquark, @mongobug, @darkarnium, @justinkndy, @TheColonial, @justinsteven, @nahamsec, @theboredeng, @avlidienbrunn, @fransrosen, @yaworsk, @zseano, @bbuerhaus, @nnwakelam, @bugbountyhq, @ablinowax, @taviso, @darkieduck, @zephrfish, @thedawgyg, @smielgles, @brutelogic, @yappare, @soaj1664ashar, @merttasci_, ++. All for various reasons (mostly b/c I’d learn a ton). I have tremendous respect for all of them. That’s just people I know have done some bug hunting for BB programs or disclosure… there are mountains of hackers from other parts of the scene I would love to work with (and already do/have).

Q: What’s the one feature you would like to see in the platforms?

Can’t think of anything that I can talk about atm, I’m pretty biased ;)