As a full-time bug hunter, it’s important to use the tools you are comfortable with; sometimes a small improvement can change your life. During the great 3-day course presented by Nicolas Grégoire, he showed us a browser called Autochrome. Combined with a tiny Burp Suite extension, it becomes very easy to visualize the things you really want to see and reduce the noise for your eyes. In this article I will show you my current configuration.

...

This article is the follow-up to the previous one (obviously…) about why I love bug bounty. However, I realized that that one sounds like everything is perfect in this job, but since the world is not all pink and full of rainbows, butterflies and unicorns, I have to tell the truth. Long resolution times, loneliness, disappointment, companies: there are also bad points (or maybe I’m just frustrated to get so many duplicates these days xD).

...

As a user I would say that I don’t care about all this Flash stuff that tries to catch my eye; most of the time I have a plugin to disable it. As a developer, it reminds me of the (not so good) old times when the marketing people always wanted to add “movement” to the website, yeah it looks so kool! As a hacker, well… I didn’t know how nice it could be, but I recently learned how to find issues in there and it’s funny as hell. I was close to success as I quickly found 3 XSS, but unfortunately all my reports were marked as duplicates :/

...

A friend recently asked me what methods I use to find subdomains. To be honest I was confused, like “oooohhh so much, brute force mmm… zone transfer and… brute for… wait Google and mmm… many other tools!” What a shame that I was so inaccurate after so much time spent looking for subdomains. Time to dig a little bit! After I wrote a list of the most popular methods, I tried to make a list of some tools and online resources that exploit them. Of course this list is far from exhaustive, there is new stuff every day, but it’s still a good start :)

...

People are usually surprised by the answer when they ask me what I do for a living, and the questions rain down; here are some answers. My first report was an XSS on a Yahoo acquisition; it happened on the 26th of January 2016. Since that date, I (try to) perform bug bounty as a full-time job on HackerOne. Did I say “job”? I don’t really consider bug bounty/hacking as a “job”, it’s more a hobby or a passion, because you have to be passionate to perform in this domain. So let’s say that bug bounty is my main source of income. Below is why I do this “job”, why it fits me perfectly and why I love it.

...