HackerOne Hall of Fame - Sean Melia “Meals”
This blog is the first in a series highlighting top hackers on HackerOne. These hall-of-famers are extremely talented bug hunters who continuously dominate the leaderboards and thanks pages. In this first post, we are thrilled to highlight Meals!
In just two years Sean Melia, nicknamed “Meals” by buddies in high school, has uncovered nearly 500 vulnerabilities on HackerOne! He is ranked in the 94th percentile for signal and the 86th for impact, holds 1st rank overall with 11461 Reputation, and has been thanked by 37 organizations. What makes Meals a hall-of-famer? Besides owning the #1 spot on HackerOne for months, Meals was the first hacker to pass 10,000 Reputation!
“Bug bounties have changed my life significantly"
At 26 years old, Meals has been working as a pen tester for the past four years and has been partaking in bug bounty programs for the last two years. “Bug bounties have changed my life significantly,” he stated. “I've been able to purchase a house as well as go on trips and purchase nice gifts for my family and girlfriend.” His interest in security began in middle school, but really took off when he took an internship towards the end of college.
While his first successful hack may not have been the most memorable, Meals still recalls the first time he found SQL injection by inputting ' OR 1=1-- - into a login field and accessing an admin portal. “At the time I had no clue what I was doing or why it worked, however it sure was cool,” he shared.
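The login bypass Meals describes works because the input is spliced into the SQL text, so the quote closes the string, OR 1=1 makes the WHERE clause always true, and the comment discards the password check. The following is an added example, not code from the post: a constructed SQLite login check in its vulnerable, string-concatenated form beside the parameterized fix, run against the exact input quoted above.

```python
import sqlite3

# The input quoted in the post.
SAMPLE_INPUT = "' OR 1=1-- -"


def make_db():
    # Constructed sample data: one user, in-memory database.
    # Passwords are stored in clear only to keep the example short.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    return conn


def login_vulnerable(conn, username, password):
    # Vulnerable: inputs become part of the SQL text.
    # With SAMPLE_INPUT as username the statement becomes
    #   ... WHERE username = '' OR 1=1-- -' AND password = '...'
    # and everything after "--" is a comment, so the row matches.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # Fixed: placeholders hand the inputs to the driver as data,
    # so the quote and comment are compared literally, never parsed as SQL.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", login_vulnerable(conn, SAMPLE_INPUT, "anything"))
    print("parameterized:", login_parameterized(conn, SAMPLE_INPUT, "anything"))
```

Run as-is, the vulnerable check returns the admin account for the injected username, while the parameterized version returns nothing unless the real credentials are supplied.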
“Learning to hack and putting my skills to good use has been very rewarding,” he stated. “I try to look for bugs every day because I like the challenge. Some days are more fruitful than others when I am able to bypass the defenses of large and small companies in order to help make them aware of issues.” In addition to the intellectual challenge, another great motivator for bug hunting is the paydays and recognition from peers, Meals said.
“One of my latest finds on a private bug bounty was a Server-Side Request Forgery (SSRF) that allowed me to pivot into the company's Intranet as well as read local files on the server.” This was one of the reports he is most proud of. He also finds notable bugs during his day job as a pen tester.
$40,000 Earned In A Month
When picking bug bounty programs to work on, Meals tends to prefer private programs where the researcher pool is smaller. “This allows the company to have better communication with researchers due to not being overwhelmed with a massive amount of reports.” He also finds that private programs tend to have better payouts and challenges. One of his hacking highlights occurred in June when he was working with a private program on HackerOne. “I submitted quite a few bugs and ended up walking away with $40,000 for the month.” What added to the experience was how responsive and grateful the team was for the work he put in, Meals added.
Public programs can also be very rewarding. “I’ve also had a great time reporting bugs to Yahoo over the last year and ended up walking away with quite a bit of money. Thanks guys!” he shared.
What does hacking with Meals look like? His hacking setup includes two MacBooks and a desktop that he uses regularly, as well as a few VPSs on which he runs certain tasks that may take days or weeks to finish. He does most of his testing with Burp Suite, nmap, Sublist3r, nikto, and various other tools here and there. As for the hacking golden hour, Meals shared, “Most of my best hacking is done between 10pm-4am.”
When asked about his success he stated, “When I first started on HackerOne I thought it would be so cool to be on the Top 10. Then the Top 5, Then the top 3, and now first place. I never expected to hit any of those marks, but I'm glad I was able to accomplish them.”
Tips For New Hackers
For new hackers just starting out, Meals recommends reading as much as you can about finding and remediating vulnerabilities. “Even if it doesn't make sense now it may come in handy one day,” he stated. As a pro-tip for new hackers, he says you should not be afraid to purchase something on a site that has a bug bounty, for example a membership or store item. Completing a transaction exposes more of the application to you (additional attack surface), so you will likely find bugs that others miss.
For security teams new to bug bounty programs, Meals recommends they start small in a private program with a select group of researchers. Starting this way, he states, “gives you the opportunity to prepare your internal teams and figure out where your bottlenecks are. This also helps to clean up low hanging fruit which will in turn prevent a significant amount of duplicate reports for your team to wade through.”
Communication and Timely Acknowledgement Are Key
He also emphasized the importance of communication and timely acknowledgement for teams running a bug bounty program. “If a researcher asks a question or reports a bug then they should be acknowledged. As silly as that seems it needs to be said,” he shared. Lastly, for teams looking to run a better bug bounty program, he recommends checking in with the researchers every once in a while for feedback on how to improve the program. If your program feels like it has gone stale, Meals recommends increasing your bounties or expanding your scope.
When he is not hacking you can find Meals hanging out with friends and family, enjoying a beer and working on cars. We bet there are many more thanks and bounties in Meals' future, maybe even hacking cars.
Have a question for Meals? You can follow him on Twitter @seanmeals! He also started his own blog we recommend you check out for bug hunting tips: https://seanmelia.wordpress.com/.
Stay tuned for our next hacker hall of fame blog in our series and let us know if you have a question for a top hacker by emailing us at hackers@hackerone.com.
Lauren Koszarek