TL/DR: Much like Darlene Alderson from Mr Robot, Goonjeta Malhotra entered the hacking battleground and sharpened her chops after taking inspiration from her brother. A skilled hacker in her own right, she talks about her first $2k bounty, why she joined Crowdsource and how hacking has changed her life.
Why did you get involved in the field of hacking?
Hacking has always felt like a superpower to me. It is a skill that I have worked on and learned with time. I was introduced to this field by my brother, he is my role model and I have always followed in his footsteps. Once I stepped into this field, there was no turning back. I knew this is what I want to excel at and be known for.
How has your experience with bug bounties been?
Bug bounties drastically changed my life. During the initial days, I was simply trying out my luck with bug bounties. I would report really simple and easy-to-find bugs, which would end up being duplicates most of the time. That can often be very demotivating for newcomers, but that was when I realized that not only did I need to be quicker but also thoroughly test the application, rather than looking for just 1 or 2 common bugs.
I changed my methodology and spent a lot of time actually trying to understand the application workflow and looking for flaws. Then after about a year of consistent efforts, I received a $2k bounty. This was an Access Control – IDOR issue where a low privileged user could perform actions on behalf of the Admin by simply altering the user id . Receiving such a huge bounty felt unreal and it also made me realize that when you follow something with dedication, you will always see the results.
Have you always had this luck doing Bug Bounties?
The initial months are always hard but I have a motto in life, that is, to always give my best in everything I do. I am not a person who quits easily, so everything I do has to be with precision and dedication. I feel that even if we fall, we should always fall forwards, so setbacks and challenges are a part of life but you will always learn something new, no matter what. Even if it is 1% progress, it is still PROGRESS.
Once you start enjoying bug bounties and do it for the purpose of learning (while also obviously having the bounty as a huge motivating factor) things start falling into place, the process becomes enjoyable, the learning is endless and the self-confidence grows immensely because you know your power now.
“Crowdsource is really great for the customers since now they are able to identify all sorts of vulnerabilities that otherwise might have gone undetected.” – Goonjeta on the benefits of Detectify’s Crowdsource
How should companies protect their attack surface?
I would recommend companies to take security seriously because it is something that must be addressed by every company. The world as we know it has moved online, from small companies to huge ones, everything is now online. Cybercrime and fraud are increasing day by day so it is not a matter of how I can get hacked, it is a matter of WHEN I will get hacked.
Every company must opt for a regular pentest and if comfortable, a bug bounty program, because that would help them work closely with really skilled researchers who hack for good. So it is a win-win situation for bug bounty hunters and the company.
What do you do if you come across a common vulnerability?
My first thought is always how common is it and can I escalate its impact? Usually, common vulnerabilities would always end up being duplicates but if you can escalate its impact or maybe bypass the security checks once the vulnerability has been resolved, the company would always be interested in knowing about the find and most companies do end up rewarding the researchers for their efforts.
My hacker superpower is that I am able to deeply assess the impact of an issue and if a finding seems to have a low impact, I always try to chain it with some other bug, because the higher the impact, the bigger the bounty!
What made you join Detectify Crowdsource?
At the time I joined Detectify, it was all the buzz on Twitter! It was a very new concept and a very creative idea that researchers would get rewarded for each unique hit every time a vulnerability is detected from the module that was submitted by the researcher. This is a very unique concept and a lot of researchers have made sweet sums of money submitting modules and continuously getting a payout, this is really great for the customers too, since now they are able to identify all sorts of vulnerabilities that otherwise might have gone undetected.
How can other hackers use their skills in a better way?
Just like every person is unique, every hacker has their own skill-set and it would be wrong to compare one with the other. Everybody has a different journey and learning style so it is possible that some people grasp some concepts earlier than others but if you are doing it for the right reasons and with the right mindset then you are doing amazing.
Focus on improving and learning rather than just money. Don’t look for quick results, that will never happen. Focus on your growth and always be supportive of each other, no matter how skilled you are, we all have our own pace and that is fine.
How can Bug Bounty hunters and companies become more aligned?
The gaps arise only when people ignore the security aspect, companies need to be more supportive of researchers in general. Receiving bounties for something we discovered, not only motivates us to work more on those programs but also look for more creative bugs.
Do you think the archetypal sinister portrayal of a hacker demotivates people from pursuing hacking as a career?
The portrayal of a hacker, with a mask and a hoodie, is just the perfect representation. For me, the mask symbolizes that it can be anybody, a woman or a man irrespective of age or gender boundaries, and a hoodie because that adds to the element of mystery.
What changes would you like to see in the industry?
I would be overjoyed to see more women coming up in this industry and taking the lead! Women are smart, skilled, and confident. Although the ratio of women to men in this field is seeing a huge improvement, it is still not equal. So I would love to see an equal ratio because everything works better when balanced and done together. 💪🏼
What advice would you give other women wanting to enter the field?
I would advise all women out there to go ahead and follow their passion because when you set your heart to something, you can never go wrong with it. Be fearless, be strong, have confidence, and give it your best!
Are there any organizations that encourage more women in security that piqued your interest?
I feel that a lot of work is being done by amazing women and organizations such as the Women’s Society of Cyberjutsu to uplift and encourage more women and provide them with the right opportunities to flourish in this field. Similarly, there are a lot more organizations that are actively working to provide career opportunities for women as well as organizing events to help them attain the required skill-set for this field.
Also, most of the people in cybersecurity are very welcoming and supportive, so there is definitely a good shift because the idea now is to lift each other up because there is strength in togetherness.
What are your future goals as a hacker?
I have so many future goals that I would like to achieve. I want to do a lot more in this field to provide more opportunities for women, help mentor and guide them. As a personal goal, I would love to be known as the first female hacker to have achieved $1 Million in bounties. There is still a lot to learn but this is something I aim for. I wish to be a role model for a lot more young girls and women, I want to inspire them and help them realize their true potential. Ladies – YOU GOT THIS!
Are you interested in joining her and other security researchers on Detectify Crowdsource? Email the Crowdsource team at email@example.com or learn more on the blog. Detectify collaborates with handpicked ethical hackers to automate vulnerability research for our web application scanner. Sign up for Detectify and start your free 14-day trial today.