Hacking on Bug Bounties for Five Years

About the Speaker

Shubham Shah is the co-founder and CTO of Assetnote, a platform for continuous monitoring of your external attack surface. Shubham is a prolific bug bounty hunter in the top 50 hackers on HackerOne globally and is first place on the HackerOne leaderboard for Australia. He has presented at various industry events including Kiwicon, BSides Canberra and 44Con.


Bug bounties have become an established process in organisations with a mature security posture. Over the last five years, we have been submitting vulnerabilities to companies in almost every industry. By participating in bug bounties over such a long period of time, there has been an evolution in the skills, reporting and payouts. There is a broad perception in bounties that there is a secret to unlock to be successful and only a handful of individuals are capable of that success. This presentation will break down why that is not the case. we will walk through all of my favourite bugs that we have found in the last five years, explaining step by step what led to the discoveries. We will discuss some of the lessons we have learned from our participation, and how you can replicate our success.