Bugreader

Prepared by: Kamal Kothyari, Saugat Pokharel, Kassem Bazzoun.

Sameer Rao is a highly respected independent security researcher with a wealth of experience in the Meta bug bounty program. He has discovered numerous critical security vulnerabilities and has made invaluable contributions to the Meta bug bounty community by helping and inspiring others to enter the bug bounty field. Sameer's dedication to the community is evident in his willingness to share his write-ups and to provide feedback, suggestions, and ideas that help others succeed.

Recently, Sameer achieved a remarkable accomplishment by winning first place at BountyCon, a conference organized by Meta in Singapore, for the second consecutive year. This achievement demonstrates Sameer's exceptional skill and expertise in the field, making him a "rock" of BountyCon.

We extend our sincerest appreciation to Sameer Rao for accepting our invitation to feature in the Hackers Spotlight section. His insights and experiences are valuable and inspirational to both newcomers and seasoned professionals in the industry. Thank you, Sameer, for sharing your expertise with us.

Tell us your story of how you came to know about hacking and bug bounty. Can you also share your first valid bug experience in the Meta bug bounty program, including how it felt and what you did with the bounty reward?

I have a history with hacking and social engineering, dating back to my early days on Orkut, a social media platform owned by Google. My first gig involved creating phishing pages to hack into people's accounts and sell scraps. I then moved on to using clickjacking to get likes on Facebook pages, which I would later sell for a cheap price, as I was one of the few who knew how to do this. Additionally, I wrote clickbait articles to generate CPA leads. My extensive familiarity with Facebook's features and bugs allowed me to take advantage of them. In 2016, I submitted my first bug, which was a cross-site scripting (XSS) vulnerability on a WhatsApp group invite link. I discovered it when a friend sent me an invite link and I experimented by adding JavaScript code to it. At the time, I was already making more money from my services, so I was not too excited about the bug bounty reward from Facebook. However, after major changes were made to Facebook's features, my earnings started to decline. This prompted me to take an interest in bug bounties. After reporting approximately 16 invalid bugs and gaining a better understanding of the difference between software issues and security issues, I received my second valid bug in 2018, which earned me $5,000.

Who has influenced you the most in bug hunting and why?

Upon joining the group in early 2019, I was inspired by the various write-ups shared by its members, which expanded my understanding of different types of bugs, such as page admin disclosure and contact point disclosure. I was particularly impressed with the former group administrator, Philippe, who selflessly dedicated his time and expertise to managing the group and contributing to its growth. He is the reason for my current standing, and I wish him continued success and peace.

Can you describe the research techniques or methodology you have used in the past when approaching a target? Do you focus on specific bug types?

I have a keen eye for new features in products, and I have developed a technique for discovering them quickly. IDORs, rate limit vulnerabilities, and flaws in business logic make up the majority of my findings. I don't have any unique methods.

You have achieved the top rank at BountyCon for the last two consecutive years. Can you tell us more about this experience? How did you achieve that?

Consistency: I ensure that I have all my preparations (shopping/packing) in place and errands run before the pre-submission window opens, allowing me to fully focus on bug hunting. With unwavering dedication and focus, 14 days is more than sufficient to uncover any number of vulnerabilities.

How would you deal with a conflict or disagreement with the program? Do you have an example of a time when you have had to deal with a disagreement?

I have limited examples to share, as most of the time the team's assessment of the submission is accurate. However, there is one issue where I discovered a vulnerability that allowed me to view members of a public "subgroup", despite the description stating that only members of the parent group were able to see the group and its members. It's beneficial to shift your focus to other bugs that have 100% validity rather than pursuing something that may be valid but uncertain. Money <<< Peace of Mind.

How do you stay motivated and remain consistent (as you have been an active participant in the program for many years now)? What are your strategies around this?

I was once told that employees intentionally introduce bugs into code to ensure their jobs don't die. Although this may seem absurd, it provides motivation. I view bug bounty as a CTF challenge, where I am in search of the "flag" (bug) within the product. To maintain consistency, I have established a weekly routine with designated tasks to keep everything organized. This helps me to remain focused and productive.

What advice would you give to beginners who are struggling to find their first valid vulnerability in the Meta Bug Bounty program?

It's time to delve deeper into bug hunting. While there are a limited number of bugs in "surface-level" accessible features, there are other features that require a deeper examination, such as the Event Manager, Commerce Manager or Ads Manager. A thorough understanding of a feature is essential before searching for bugs. As an exercise for those struggling with this concept, ask yourself this question: What is domain verification in Workplace? And what happens if you are able to verify any domain? If you don't know the answer, it may indicate that you need to improve your knowledge of Meta products.

On which domain or asset have you found the most bugs throughout your journey?

I primarily rely on web-based Facebook research for my findings, and I rarely test on mobile devices. In my opinion, it's better to specialize in one area of expertise rather than trying to juggle multiple areas.

==========================

Thanks again to Sameer for his valuable answers, and we extend our gratitude to the researchers in the unofficial Meta bug bounty community group for contributing the questions that were included in this interview!

See you at the next installment of Hacker Spotlight!

If you have any suggestions for future series, please leave a comment below.