NahamSec interview Rhok

Note that during these interviews I also moderate, so quality may vary.


  • Kevin aka Rhok

  • Been doing bug bounties for 4 years

  • Works at Okta

  • Hacks a couple times a month

  • First program: Uber

  • First vulnerability: Sensitive Information Disclosure

  • First bounty: $3350

  • Best purchase: provide money for parents

  • Favorite bug type: RCE

  • Mentor: Peter Yaworski

  • Favorite tool: Burp

  • Hobbies: gaming


  • During his junior year in college he signed up to drive for Uber and found a PII bug

      • Signed up for HackerOne to report the bug to Uber's private program

      • Received a couple thousand dollars and started to look more into bug bounties

  • Bug bounties landed him his first infosec job at Synack as a security analyst

  • Currently works at Okta

      • Provided him with vendor-side insight regarding bug bounties (SLAs etc.)

      • His role is to code review new functionality


  • First event he was invited to was h1702

      • Didn't know what to do, went in head first

      • Met Peter Yaworski


  • What does it mean to you?

  • Motivate each other

  • Everyone has a different mindset

  • Often collaborates with

      • ZephyrFish

      • Zseano

      • Yaworski


  • Reading things from hacking activity

  • Going on YouTube or just googling things

  • Talking to people in the community, e.g. on Twitter

  • Once did 120 bugs in 120 days

      • Read an article by Shubz about doing 30 bugs in 30 days

      • Wanted to challenge himself

      • Lesson learned: really get to know your target

  • Started following bug bounty hunters on Twitter and their blogs

      • Peter Yaworski

      • Frans Rosen

      • Matthias

      • Jack

  • How to learn new things

      • Do research

          • How did they go about it

          • Whitelist vs blacklist

          • What tools did they use

      • A lot of reading

      • CTF

          • Helps you think outside of the box

          • Promotes collaboration


  • Codes with Python

      • Not required for hunting but helps, especially with code review

      • Helpful for automation


  • Be patient

      • Don't constantly ask for updates, as it's immature

  • Don't be lazy

      • Don't immediately reach for tools such as SQLMap

      • Try to understand how it all works


  • Recon

      • Understand what the product is about and what they have to offer

      • I do more vertical recon as opposed to horizontal