Bug Hunter – the key profession in cybersecurity field. Exclusive interview with cybersecurity expert, Touseef Gul
An insight into the career of a Bug Hunter
There is an increasing demand for professionals in the field of cybersecurity. The network around the world is constantly targeted by thousands of external attacks. Therefore, having hacker-proof systems should be a priority and the duty of every company.
Professional Bug Hunter is, therefore, an ethical hacker, whose job is to seek legally for discrepancies in the security of companies and institutions and to identify solutions to protect their sites from cyber attacks. Below is the interview with one of the top experts in this area.
Helena: What is the exact name of your profession?
Touseef: I am a bug hunter, and not only, but I am also a researcher and a communicator in the security field.
Graham Cluley, an online magazine specializing in Computer Security, and TheJournal.ie have written about me and my business.
Helena: How do you promote your business?
Touseef: I don’t have a precise strategy, for example, several noteworthy sites that mention me, such as Hall of Fame, are promoting me, and some companies that I contacted (interested companies) have written about me aftermath.
Helena: What requirements and attitudes should have a person
in your profession?
Touseef: Firstly, you have to avoid to defame or in any way harm the company on which website you revealed the problem. To demonstrate your professionalism in this sector, you should always approach the company directly and responsibly. If some companies continue ignoring you, you can try to contact them through any support or other contacts. Besides, you should be familiar with all vulnerabilities and web applications, but avoid relying just on tools. For example, there have been situations when I had to contact the users directly so that they could warn the company who manages the website, since, after continuous reports, I have not received any response.
In other situations, I have received various replies, such as “I’m sorry, we think you are fake. I’m sorry your email has gone to Spam, or we have already corrected this vulnerability.” (actually, it always exists).
Helena: How important is your profession for companies?
Touseef: For any successful company, it is absolutely essential. For example, if you fail to comply with the GDPR in Europe, you could be heavily fined if the data managed by your company were violated. No matter how successful your business is, it can always be ruined, if hackers continue to access your data and then sell it for money to your competitors or anyone interested in your data. In addition, as I said in an interview, even if you have a one-page site (and there is a way to access your server), the hacker will try to access at least the server to use it for spamming / phishing, etc. So don’t take your Internet presence lightly.
Helena: Who are the companies that usually hire you, and could you also be useful to small companies?
Touseef: Anyone who takes their safety seriously, regardless of category. As I said before, it is always a benefit for hackers to be able to access your server, regardless of whether you have sensitive data on your server or not. I have worked for many SMEs across Europe.
Helena: Are the companies generally aware of potential risks?
Touseef: No, most of them are not; at least I believe so. Otherwise, they would have corrected the errors that I have reported to them.
Maybe they think they are safe and never tried to verify it. I have warned some vulnerable companies between 2013 and 2015, and they were unaware of it. I even showed them evidence that hackers published their data on Pastebin
Helena: From which countries are people most aware of the risks?
Touseef: I think the question should be: which countries give the utmost importance to the risks. From my experience from the reports, I could mention countries like Spain, the Netherlands, Belgium. At least these countries are aware that they could be vulnerable; on average, at least they give some importance. On the other hand, for example, Italy has many unsafe websites, but my experience with reporting in Italy has not been satisfactory when it comes to the feedback. It seems that people hardly value safety. An Italian IT service provider confirmed to me that in Italy, it is difficult to convince people about the importance of security unless they face significant fines.
Helena: What kind of vulnerabilities are you able to reveal?
Touseef: The biggest deal of my job is to find those vulnerabilities that can lead directly to a website’s data access, although some bug hunters sometimes convert medium-high vulnerability to highly critical.
Helena: What are the risks the company faces when it decides not to trust your reports, or anyway not to react?
Touseef: A person can be fictitious, without identity. Or it may ask for ransomware. But if you’ve attached the proof to the first email, at least their IT team has the chance to confirm it. It happened to me several times, where companies were able to solve the problem successfully, without even answering me, and sometimes they believe they have solved it, but unfortunately, it is not true.
Helena: What are the costs of your services and possible solutions?
Touseef: The costs vary by the type of website and the purpose. For agencies, I use to work at a fixed price per month, and I check all their sites.
Helena: Can the companies or website managers solve some of the reported issues themselves, or do they always need specialized assistance?
Touseef: Yes, they can, actually, it highly depends on the skills of their developers.
Helena: What are you doing to gain people’s trust? What’s your usual approach?
Touseef: My goal is to satisfy clients’ needs or demands. Since I am not a spammer or a hacker and I have no purpose of damaging people, I have no problem revealing who I am. I have an Upwork profile, and I also suggest asking the companies I have worked with for references for my work.