Hacker Spotlight: Interview with honoki
Hailing from Brussels, Belgium, Pieter (AKA @honoki on HackerOne) comes from an extensive business and cybersecurity background. He has over ten years of experience breaking and securing IT systems, over half of which as a security consultant delivering projects related to cybersecurity strategy, identity and access management, and security testing before starting his career as a freelancer. Pieter’s rare combination of exemplary business know-how and adept cybersecurity strategy execution, and that’s what has made his career take off. When he’s away from bug bounty hunting, security training and tests, he can be found composing music and playing the piano. @honoki is also passionate about crafting blogs on a variety of topics — from Linux and programming to music and travel. Check out his website and read on below to learn more about Pieter’s journey from a precocious Belgian schoolboy with an interest in computers to a well-known cyber security expert today.
How did you come up with your HackerOne username?
It's a handle that I originally chose because it sounded fun but didn't mean anything. Recently, however, I found out it appears to be the name of some Japanese ski resort.
How did you discover hacking?
I am of the generation of kids that learned to write code on calculators in high school, which sparked my interest in computer programming. However, I remember classmates popping XSS alerts in online school forums years before I learned what they were. My skills developed slowly over years of learning Visual Basic, HTML and JavaScript, until I learned how to employ those skills against websites (which, in the 2000s, were a lot less secure than they are today).
By the end of high school, my interests were sufficiently solidified to pursue a degree in Computer Science, where I learned more about software security and hacking, eventually landing me my first job in cyber security where I was further trained as a penetration tester.
What motivates you to hack and why do you hack for good through bug bounties?
There is nothing like the thrill of exploiting a cool vulnerability! I mean that quite literally; the adrenaline rush that some people go bungee jumping for, I try to achieve by spending my time looking for fun bugs.
There's also a lot of satisfaction in being the first to find holes in production systems. The added bonus of knowing you've upped an organization's security game and the bounties are a very welcome icing on the cake.
What makes a program an exciting target?
Wildcard scopes (e.g. *.example.com) always get me excited. Not because my recon is great, but because there's a better chance of coming across interesting applications. It shows an organization is committed to security across all their assets, which to me is a sign of maturity, and sets an expectation for the way in which reports will be handled.
I also like a target that contains a wide variety of complex features, increasing the chances of finding a fun combination of vulnerabilities. If a program incites creativity, I'm going to be hooked.
What keeps you engaged in a program and what makes you disengage?
I love when a program is quick to acknowledge a bug report, when a report sparks an interesting discussion or conversation about impact, and when a program awards a bounty on triage. Something that will definitely keep me engaged is when I am encouraged to keep digging on a vulnerability, and see how far I can take it.
On the other hand, I tend to stay away from a program when reports are left without a response for multiple days, or when my suggested impact rating is lowered without further comment or discussion. I will also typically abandon a program quickly when I find that everything I do immediately bumps into the WAF, making the process of finding bugs a bit too cumbersome.
How many programs do you focus on at once? Why?
Typically I will be drawn back to programs where I've had some earlier success, which means I'm usually focusing on the same four or five targets. Except I deviate from this when I receive a fresh invite, in which case I will likely spend a bit of time to see if there's something to spark my interest.
In general I don't feel like I do a great job of managing my attention, so I'll often get too involved in a program that's hardly worth the time, or get immediately sidetracked and hop from program to program without finding anything for days or weeks.
How do you prioritize which vulnerability types to go after based on the program?
If a program has a clear and detailed bounty table, they probably are a good indicator of what to look for. Lacking that, I like to follow my instincts based on the application features, or focus on the vulnerability types I have most experience with.
How do you keep up to date on the latest vulnerability trends?
Reading news articles and blog posts goes a long way. I try to take out a few hours a week just to get up to date about new research and interesting write-ups. Some must-read resources on my list are PortSwigger Research and the HackerOne hacktivity feed.
What do you wish every company knew before starting a bug bounty program?
Be prepared to enable easy access to your applications. If you have geolocation restrictions in place, don't expect hackers to spend hours circumventing those. I've been invited into programs that require registration with a US SSN in the past, or greet me with "The owner of this website has banned the country or region your IP address is in from accessing this website". Similarly, if I need credentials to log in, don't wait 15 days to provision them. I realize I may not be the world's most patient person, but I imagine those situations are going to lead to a hard pass from more hackers than just me.
How do you see the bug bounty space evolving over the next 5-10 years?
Based on the changes it underwent in the last five years, I expect it to continue growing and attracting the next generation of talented people from around the world to put their skills to the test. I also wouldn't be surprised to see it spread into industries that are currently less likely to solicit the help of hackers.
I hope we will also see an evolution in the way bug bounties can help increase security of organizations that cannot afford to pay bounties but would still benefit from responsible disclosure of security bugs.
How do you see the future of collaboration on hacking platforms evolving?
My best experience with collaboration was during live hacking events, where everybody is continuously sharing information and being uplifted by each other's knowledge. To maintain or recreate that feeling of shared effort and rewards away from a live event would be amazing. I can only see that happening with tools and platforms that enable shared notes taking, commenting, etc., which is currently reserved to people who set up their own collaboration spaces.
Do you have a mentor or someone in the community who has inspired you?
I am very much in debt to the original Team Belgium @arneswinnen and @intidc who have both taught me a lot. They have a very different approach to hacking than me, which continues to inspire me to try and look at things from a fresh angle.
What educational hacking resources do you wish existed that doesn't exist today?
This is hard to say. There is such an enormous wealth of amazing resources that I really can't think of something that's missing.
What advice would you give to the next generation of hackers?
Be patient but persistent.
The 8th Annual Hacker-Powered Security Report