Demystifying Bug Bounties: Insights from a Decade of Experience - Yassine Aboukir

Bug bounties have gained popularity as a well-established process within organizations with a mature security posture. Throughout the last decade, I have been an active member of the bug bounty community and have had the privilege of managing such programs for several high-profile organizations, including Airbnb, the US military, Spotify, Sony, PayPal, and Slack. Additionally, I have taken part in these programs as a hacker and have successfully identified over a thousand security vulnerabilities. This experience has proved invaluable in advancing my skills, mindset, and hacking methodology, allowing me to identify better and higher-severity bugs over time, leading to increased payouts in return. During this presentation, we will deconstruct the concept of bug bounties and share insights and lessons learned from my experience as both a hacker and a bug bounty program manager. Furthermore, I will walk you through some of my favorite technical bugs that I have uncovered during my journey.

Hacking the Hackers: Analysis of a Cobalt Strike Remote Command Execution Vulnerability - Rio Sherri

Hacking on Bug Bounties for 10 years: Shubs' (@infosec_au) Keynote at BSides Ahmedabad 2023

Attacking AI - Jason Haddix - NDC Security 2026

JSluice: There's Gold In Them Thar Files by Tomnomnom

How to build backends you can defend in an interview

Bug Bounty Year 1: $0–16k, Low to CVE #BSidesBUD2025

Deep Dive into Clouded Waters - An overview in Digital Ocean's Pentest and Security - Bleon Proko

How to Differentiate Yourself as a Bug Bounty Hunter - Mathias Karlsson @avlidienbrunn

From zero to 6-digit bug bounty earnings in 1 year - Johan Carlsson - BBRD podcast #3

The Dark Side of Wireless Networks: Intro to Wi-Fi Hacking - Megi Bashi - Ryan Dinnan

$780,000 in 3 months Bug Bounty!

Recon Skills and Tips | IWCON-W22 Talk by Orwa Atiyat

THREAT CON 2022- Automation for Manual Bug Bounty Hunters By Eugene Lim (spaceraccoonsec)

New methods of recon with OrwaGodfather

#HITB2023HKT D2T1 - Hunting For Amazon Cognito Security Misconfigurations - Yassine Aboukir

Web Scraping Using Python For Beginners and File Handling in Python | Python Web Scraping

API Hacking 101, w/ Dr. Katie Paxton-Fear | by Traceable AI

Attacking organizations with big scopes: from zero to hero

BSidesBUD2022: Bug Bounty Recon The Right Way

k20 - Attacking Secondary Contexts in Web Applications - Sam Curry