1. Who is Intruderx ?
I’m Indrajith AN, a 25 years old security enthusiast from Bangalore, India. I’m working as a senior application security engineer in one of the Big4 Consulting/Auditing firms.
4 years ago, I started to learn security by myself. I was intrigued by hacker crews and their tactics of compromising systems, so I decided to start a career in security : it took me more than a year to become a Bug hunter. I participated in many VRP’s (Vulnerability reward programs) and received rewards and acknowledgments from 70+ companies/Internet leaders such as Google, Microsoft, Apple, Oracle…
In 2018, I have also published some CVE’s coordinating with Cisco Product Security & Incident respond team:
To learn more about these realizations, don’t hesitate to visit my website.
2. What does Intruderx mean ?
I used to spend most of my time on IRC Channels and forums to learn new techniques and to follow some G33ks. I had the chance to meet some highly skilled hackers such as Intrud3r-Fr33k or Shad0wSpawn3r. Intrud3r-Fr33k used to pawn my system by throwing RAT’s and formatted my entire 500 GB data; he taught me a lot, which is why I chose IntruderX as my alias.
3. Can you tell us about the first vulnerability you found ?
I found my first vulnerability by pawning a company’s website with an SQL injection. I gained access to the database with credit cards infos. Even though the company didn’t have a responsible disclosure & reward program, they sent me a hoodie – a certificate that you can wear at all times 🙂
A few weeks later, I was working on one of the Top10 antivirus solution in the world, and I managed to dump millions of users’ license keys with an SQL injection. I reported it to the company’s CISO, who sent me some swags and a certificate.
4. What do you focus on when you start Bug Hunting ?
When I receive an invite, I usually start with the active & passive recons. Then I pick up the Access Controls, IDORS (simple but tragic), thinking that the other hunters might focus on XSS/CSRF. And obviously, business logic vulnerabilities are at the top of my checklist.
5. Which Bug Bounty programs did you enjoy the most ?
My favorite program was “Try breaking into our signup page”, a program launched by Yogosha.
I submitted 6 high findings and 2 medium ones ; The application developer who was handling the program was very reactive, and he fixed the vulnerabilities within 2 days.
6. What attracts you in Bug Hunting ?
I love the knowledge I can get from each program, by understanding different business logics & backend technologies. And obviously, I enjoy the reward and recognition from companies I help.
7. Why do companies need Bug Bounties ?
Thinking you can build a 100% safe application is a myth. Even with the best developers working for you, your application is still likely to have vulnerabilities. When companies rely on a crowdsourced community, they have more skilled people looking into their system than they could ever hire. It can also save them money, since they only pay the ones who find flaws. Breaches are expensive to recover from, way more expensive than money invested in bounties.
8. How do you think Bug Bounty will evolve ?
I believe Bug Bounty will become complementary to Modern Application Testing. It’s the best way for companies to know about their vulnerabilities before they become embarrassing new stories. Consumers will rely on a safer internet, and independent security experts will be fairly compensated for their efforts.
9. What did Bug Hunting allow you to do?
A lot of things! I met wonderful people worldwide, increased my network in our InfoSec community, conducted trainings & workshops in colleges. Last but not least, I became an application security engineer in one of the big4 auditing firm.
10. Where do you see yourself in the future ?
I’d like to become a Red Team security engineer and I have already started preparing for it. To know more about a Red Teamer’s skills, do not hesitate to watch this video of a power company in the Midwest, who hired a group of elite red team engineer to test its defenses.
Find IntruderX on :