My story starts in the first year of college. I took Physical Education in school, so I didn’t know much about computer science. However I took up IT and found myself surrounded by some of the smartest people across the country, people that excelled at their work, I was quite intimidated and did not know where to start and that was my first challenge. Everyone takes things quite seriously in the first year since we’re still stuck in that competitive phase of JEE and so we used to prepare 3-4 days prior to the exam. We had a computer course in first year which covered some basics and I got average scores and that had me worried. My friends often joked that perhaps this was not the field for me and beyond a point I began pondering if I had indeed made the wrong choice. This was in my first semester. Post that, I began exploring the field, following videos on YouTube and what others around me were doing. Some of my friends were working remotely for startups and following their suit I started working on web development. Initially I worked on front end applications which were pretty easy and interesting as well. Working on these applications gave me the satisfaction of seeing 3-4 hours of work culminating in some valuable results, and that made me happy. I went deeper into the field, learning different frameworks, but over time it became too easy for me. It required some creative elements which were not in my forte, and slowly it failed to excite me and I moved on to explore my other options. I switched to android applications, which also resulted in the eventual loss of interest. I tend to get bored easily, tasks can easily begin to seem mundane, and that added on to my confusion of whether I made the right choice with IT. I tried competitive coding too, since most people told me that was important for internships and placements, but that failed to pique my interest as well and it got me frustrated and so I moved on from that. I started reading up more about all the courses we had in IT and got into networking. Although it had a lot of theory, it is still something that I find interesting. Every time I chose a certain field, I used to look out for other people on campus that excel in those fields and I would try to emulate their work. I did a few projects in all these fields and slowly moved into cyber security.

Cyber security is something that a lot of clubs in college have taken up and have tried organising events related to. I was a part of the Cyber-Security sub-sig in ACM where we shared and discussed articles related to websites being attacked and about data leaks and other common mishaps. I started out with simple Capture the Flag tournaments online, which got me interested in hacking. This was when I came across Bug Bounty Hunters.It comes under White Hat Hacking, wherein companies pay you for finding bugs on their sites, based on how critical the bug is. Bug bounty hunting requires a lot of confidence, and in today’s world where many people make their livelihood out of this, it is quite challenging. Even remote websites with low traffic tend to have about 10-20 hunters looking for bugs. I started watching youtube videos and read articles, and started with an application that we all use quite frequently, IRIS. Considering how even giants like Google have bugs, I was sure IRIS would have some bugs as well. When I found my first bug, I was quite excited, it was on the IRIS homepage and I reported the bug to the IRIS team, and got in touch with Akshay Revankar, the founder and IRIS team lead (2017-18) who quickly verified the bug. I continued searching for bugs on the IRIS website and kept in touch with Akshay who sorted them out, and that gave me a sense of pride since I was doing something for my college. Once you start looking for bugs, it becomes built in and whenever you find a new website, you try different inputs and try to break through. I came across bugs on the websites of a few companies, and reported them. One of them reverted and appreciated my professionalism, since I didn’t use it for my benefit, although they didn’t have any bug-bounty programs and I became an unofficial researcher for them and got paid based on how critical the bug was. Being a security researcher has the dual advantage of earning while also having fun working.  I started this in my 7th semester, and found my first bug after about 3-4 months. There are a lot of websites online that have detailed reports of how people have found bugs and it is quite fascinating to see how each hacker thinks. 

No application is perfect, you just have to figure out which domain to search in. Quite often you stumble upon bugs without actively looking for them. While my IT background did help me, I have come across a lot of hackers without a coding background. Bug hunting requires patience and dedication. It’s very easy to get burnt out. I currently work with Oracle, but I take out time after work and sit for 2-3 hours to look for bugs. On some days I have found bugs in less than 10minutes and yet sometimes I’ve gone for 2-3 months without finding any bugs. On those days I just keep my laptop aside and watch something on Netflix to take my mind off of it. 

Most people are confused as to what they want to do in their career. For example, I figured out that I want to be a penetration tester for a big company, and I didnt even know about this terminology in my first year. So start exploring, look for as many topics as you can learn because you never stop learning.In second and third year, you’ve got ample time to explore, so go forth and explore and find out what you would like to make a career out of. When I started out with bug-bounty hunting I didn’t know how much I’d get paid, but I knew it made me happy and it was satisfactory. I have been doing this for over a year now and I haven’t gotten bored so I know this is where my passion lies. So don’t give up, keep learning. It is easy to get intimidated by those around you, but you will eventually find out where your passion lies.

Curated by Shreyaa R