Before becoming a bug bounty hunter, Hector was living a completely different life. Back in 2019, he lost his job. With only a high school education, he bounced around to make ends meet. He sold popcorn at the cinema, then cellphones, and eventually joined the Coast Guard. Things got a bit more desperate as his debt compounded. Yet, he fought back. He pivoted to odd jobs like washing dishes and doing chores for his abuela. He did what he could find for pocket change.[1]
Then one day, he saw a story about a teen in Argentina named Santiago Lopez. Lopez was the first hacker working with HackerOne to earn one million dollars from a bug bounty. Hector couldn’t believe it. He really thought it was a joke. He didn’t know bug bounties existed. He figured if that kid could do it, this could be his way out. Big money like that stretches even further in his home county of Argentina. This was all the motivation he needed to fall headfirst into the world of security research.
He quickly hit up Hacker101 and Hacktivity. Then blogs, YouTube, Twitter. He clicked on any resource out there. The possibility of finding bugs in web apps propelled him forward. Months later, he was officially hacking. Hector moved deep into Electron. This set him up well for the Microsoft Teams Bug Bounty opportunities which launched shortly thereafter.
Hector had read that if a person wanted to make a name for themselves in security research, they needed to find a Microsoft bug. He could see the more complex an application is, the higher chance he would find something. He hunkered down for a week straight at his computer. With his cats by his side, and his girlfriend cooking up delicious, new vegetarian dishes to keep him alive, he pushed forward. His grit and “stick-to-it-tive-ness” would pay off. Eventually earning a spot on the Microsoft 2021 Most Valuable Security Researcher (MVR) leaderboard.
“I couldn’t believe it. Not only for what it meant, but it was a personal achievement because it recognized all the effort and work I put in all by myself.”
He smiles now when talking about his success, but when he reflects on the work he did before this, it’s easy to get emotional. Although his family wasn’t economically stable, he was gifted his first computer from his grandparents when he was 6 years old. Like others, he was consumed with Diablo and World of Warcraft.
He won his first “hacker-ish” prize at the age of 12. He entered a gaming competition he found on the back of a candy wrapper. While competing in a series of mini games online, he randomly figured out how to earn some bonus points. The glitch worked, and he was able to edge himself out of 2nd place, and into 1st place. The prize? A brand-new PlayStation and enough candy to last him a year!
This little bit of sweetness would be the only thing he would win until he began participating in bug bounties two decades later. At Pwn2Own 2022 he kicked off the competition by demonstrating an improper configuration bug in Microsoft Teams earning him $150K.
“From where I was before and my way of living to where I am now, I am able to live and provide for my family and my girlfriend, and my friends. I have a lot of freedom right now, and the fact that I came from having nothing to be here…it’s all thanks to the bug bounty. To me, sometimes I get emotional because it was a big change for me. A big achievement. The massive change is there.”
Hector is proof that even when things seem desperate, a little motivation can go a long way. His gumption and perseverance have earned him notoriety across security research and made him one of Microsoft’s Most Valuable Researchers in 2021. Stay up to date with Hector on his Twitter at @Hperalta89.
“To me the most important thing about my experience is that the bug bounty changed my life.”
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and wish to share cyber security views from across the Globe. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://msrc-blog.microsoft.com/2022/05/19/researcher-spotlight-hector-peraltas-evolution-from-popcorn-server-to-the-msrc-leaderboards/
Comments