Interview with a bug bounty hunter: Youssef Sammouda

Interview with a bug bounty hunter: Youssef Sammouda

Behind the scenes there are many people working in cyber-security that make the internet a safer place. Youssef Sammouda is one of these people. He has submitted at least a hundred reports to Facebook which have been resolved, making Facebook a safer platform along the way. Generally speaking, people may refer to this work as being a bug bounty hunter, but there is more to it than that.

Q: Tell us a little bit about your background

A: I’m 21 years old. I grew up in Tunisia. I always loved everything about computers from an early age. I started programming when I was 12 and my curiosity eventually led me to hacking. First I learned about “hacking”, techniques to get access to systems, how to escalate privileges, and how to achieve persistence. A better name than hacking is penetration testing. After that, I focused on web application security and learned a lot from forums and IRC chat rooms. Later, I heard about bug bounty hunting by coincidence and started doing it.

I can’t say much about my educational background since I dropped out of university due to my engagements in web applications development and my security assessments. I’d say that everything I learned to this day was from online content or books and not from educational institutions.

Q: How did you get interested in bug bounties?

A: Before bug bounties, it was difficult to test what you learned or sharpen your skills without being worried about getting noticed or caught when targeting websites or servers, since after all you’re doing something without the owner’s permission even if your intention is not to cause damage. So, the first benefit of bug bounty programs was the ability to responsibly apply or test what you’d learned about security, without worrying about legal actions by the website owners. Then of course, some of the programs introduced financial rewards which made it even better. You could start earning money at the same time as learning and doing what you love.

I became interested in the Facebook bug bounty program because it was beginner friendly. The scope was huge and it had the biggest rewards. My first bug in Facebook was a critical one and I found it in less than an hour, which encouraged me to dig more and learn about their infrastructure. After some time, I found myself knowing all the techniques to best enumerate their websites.

Q: Are there other security fields you are interested in?

A: I’ve always been fascinated by browser security and Operating System (OS) security. Reading proof-of-concept exploits of vulnerabilities found in browsers or applications has always been fun and an enjoyable thing to do, and I hope one day I can achieve the level of the researchers in these fields.

Q: Can you tell us something about how you find new bugs? And why you focus on Facebook?

A: I believe Facebook is running one of the best bug bounty programs out there. Sure, it has some problems and sometimes you get misunderstood by the security team, but if you compare it to other bug bounty programs, you’ll notice that Facebook is way better. Also, Facebook is very serious about its security. With time you notice that it’s getting harder to find bugs, which motivates me more, since I know others might be quitting and leaving me with a big scoop to dig out.

Due to the large numbers of researchers/hunters nowadays, and the continuous competition between us, I always try to follow my own methodology—which is different from others’—to avoid duplicated reports, and also to find special bugs that others have missed. Of course, over time, I have to change my methodology to stay in the game: Other researchers discover similar methodologies to mine, the security team adapt and make enumeration harder, and so on.

Q: Do you get a ton of requests to hack people’s Facebook accounts?

A: Actually, I don’t remember receiving requests to hack someone’s Facebook account, but I get requests to verify profiles or pages. I always try to gently explain that I don’t work for Facebook. I redirect them to the right Facebook support or contact page for their needs.

Q: What is the most potentially dangerous discovery you have made?

A: I believe the most dangerous discovery I have found was a Facebook bug that allowed me to return data fragments of any object. This data extraction bug was similar to finding an SQL injection bug, which is rare to find in modern applications. This could have allowed a malicious actor to collect a large amount of data about Facebook infrastructure, users and more.

Q: What advice do you have for aspiring bug bounty hunters?

A: I have always believed that there’s no such thing as a “bug bounty hunter”. There are security experts or researchers. “Bug bounty hunter” tells newcomers, or other experts in the field, that it’s all about bounties for us: How to earn them and what’s the fastest route to do that. Which is clearly wrong, since one must first understand what cybersecurity is and what problems we’re trying to address and fix.

The best advice for people trying to start is to first master a programming language. Then learn about security in a field you like (web, OS, mobile …) and how to write secure code. When learning about security, try to write vulnerable applications that you can exploit, so you can test what you learned against them. If you can understand how a vulnerability occurs in your application, you might try to apply what you learned against real applications, like the ones run by websites with a bug bounty program.

Do not care about bounties to begin with, just about finding bugs. You might report them without even waiting for the security team to reply. At some point, you’ll reach a certain level, with skills and experience gained over years, that will enable you to start making money from it, or by starting a professional career.

We would like to thank Youssef for his cooperation. You can follow Youssef Sammouda on Twitter.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.