AMA with Armaan Pathan

  • Any tips for Synack hunts and good finds in old programs there?

    • Dig as much as you can. Check each and every endpoint/parameter for every possible attack, and most importantly never give up if you don't get bugs for 2-3 days.

  • What tools do you use and what stuff do you automate during bug hunting? How much time do you normally spend on recon and vulnerability hunting? When and why do you decide to leave a target? Do you follow any checklist during hunting?

    • I do not use any tools for automation. I mostly hunt on Synack, so I leave the target when it gets deactivated.

  • Deeper vs Wider? What do you focus more on? Technical vs Logical bugs? Preferences? How do you look for server side bugs if there's no obvious parameters or functionality?

    • I focus on both logical and technical. To be very honest, you won't get low-hanging issues; just keep an eye on each and every module for updates.

  • Is bug bounty experience or a published CVE necessary for getting a job?

    • No. Not at all. I know many peeps who have no bug bounty background, but they have awesome jobs and they have done awesome research.

  • What is your hunting methodology? Which is your niche bug (which type of bug you hunt most and focus on)? Any notes you can share?

    • Ummm, mostly IDOR/privilege escalations, but yeah, I look for every possible attack vector. But for IDORs/PE, make a note of endpoints and try to guess/brute force parameters.
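The IDOR/privilege-escalation class mentioned in the answer above comes down to a handler that trusts a client-supplied object id without checking that the caller may access that object. The following is an added example, not code from the AMA or from Armaan, that models such a handler beside its hardened form, with a small self-check a development team can run against its own handlers. The users, roles, invoice records and the `Forbidden` exception are all constructed for the example.

```python
# Added example (not from the AMA): a minimal model of an IDOR (insecure direct
# object reference) and the object-level authorization check that closes it.
# Users, roles and invoice records below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "user" or "admin"


# Constructed sample store: invoice_id -> owner and amount.
INVOICES = {
    101: {"owner_id": 1, "amount": 40.0},
    102: {"owner_id": 2, "amount": 99.5},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested object."""


def get_invoice_vulnerable(caller: User, invoice_id: int) -> dict:
    """Vulnerable handler: the caller is authenticated, but ownership of the
    invoice is never checked, so any logged-in user can read any invoice by
    changing the id in the request (the classic IDOR)."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise LookupError("no such invoice")


def get_invoice_hardened(caller: User, invoice_id: int) -> dict:
    """Hardened handler: enforces object-level authorization on the server.
    A missing id and an id the caller may not read raise the same error, so
    the response does not reveal whether an id exists. Admins may read any
    invoice, which is the only vertical (role-based) exception."""
    record = INVOICES.get(invoice_id)
    if record is None:
        raise Forbidden(f"user {caller.user_id} may not access invoice {invoice_id}")
    if record["owner_id"] != caller.user_id and caller.role != "admin":
        raise Forbidden(f"user {caller.user_id} may not access invoice {invoice_id}")
    return record


def is_idor_exposed(handler) -> bool:
    """Access-control self-check for a handler: a plain user asks for a
    record owned by someone else. Returns True if the handler hands it over
    (missing object-level authorization), False if it refuses."""
    other_user = User(user_id=1, role="user")
    try:
        handler(other_user, 102)  # invoice 102 belongs to user 2
        return True
    except (Forbidden, LookupError):
        return False


if __name__ == "__main__":
    print("vulnerable handler leaks other users' data:", is_idor_exposed(get_invoice_vulnerable))
    print("hardened handler leaks other users' data:", is_idor_exposed(get_invoice_hardened))
```

The check in `is_idor_exposed` is the same idea as a per-endpoint authorization test in a project's own test suite: for every handler that takes an object id, one test asserts that a non-owner gets refused. Keeping the failure response identical for "not found" and "not yours" is what stops the id space from being enumerated through differing error messages.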

  • Q1) What resources did/do you follow to learn application penetration testing?

  • Q2) Are you specialised in certain bug(s) or hunt for all bugs in your target?

  • Q3) Which types of program do you hunt on?

    • I use pentesterlab to learn/update my skillset.

    • I usually look for the big scope which has multiple user roles and modules.

  • How to get a job in infosec?

    • Learn about information security, and once you feel that you have enough knowledge of the basic stuff, start applying to companies.

  • Q1) Top 5 tools that you're using?

  • Q2) Your top 5 favourite bugs?

    • Bugs: Umm, no specific ones as such, but yeah, I love IDORs/privilege escalations as these two are easy to find.

    • For tools, I use Burp Suite (Intruder, Collaborator, Repeater) and ffuf.

  • Requirements for joining the Synack Red Team?

    • Ummm, not sure what the requirements are now, as I joined in 2015, but yeah, you might require both app/host testing/exploitation skills.

  • What does your daily schedule look like & how many hours do you do bug hunting?

    • Ummm! Not daily. I have a full-time job. So basically I do bug bounties on Fridays and Saturdays only.