
Who are those bug hunters? Interview with Jorik Berkepas

by Chris van 't Hof Blog 6 Jul 2021

In his quest to get to know the hacking community, Chris van ‘t Hof decided to interview a number of hackers. Jorik Berkepas is the third bug hunter in this series.

Jorik Berkepas studied Computer Science at a university of applied sciences, is a certified Scrum Master and has been working as a developer for Embrace Social Business Software. When his employer started a bug bounty program with Zerocopter, Jorik saw how hackers found all sorts of errors in their software. He decided that he was capable of doing just that himself, registered at the chamber of commerce as a self-employed security researcher and started bug hunting next to his day job. Not only for Zerocopter, but also for other platforms. In the meantime he has a considerable number of reports to his credit: 200 via Zerocopter, 35 via the Belgian platform Intigriti and a number of reports via HackerOne and the French platform Yogosha. Does he see differences between Dutch and Belgian bug bounty programs? The Netherlands is, after all, a front runner as far as responsible disclosure is concerned. Jorik: “Not at all. Belgians perform just as well, if not better. A lot of thought goes into following up on reports and they understand that manpower is necessary to do so.”

In daily practice he sees that reports are not always dealt with properly. Jorik: “Bug hunting is not very motivating as far as your faith in humanity is concerned, but it does work wonders for your self-confidence. There are so many small mistakes out there. For example XSS. Easy to solve, but there’s always one that slips through. When that happens you can enter the JavaScript code on the website, take over the user’s side and execute the code as another user. Depending on the time and creativity you have at your disposal, there’s a lot you can do with that.

The severity of the vulnerability depends on its location. Each time is different and that’s also why you keep learning new things. It’s all about targeted research. Most companies use pen tests to discover issues and then solve them in two spots whilst leaving the other twenty. There are others who just hope you’ll find nothing, because they are not set up to fix anything. Which means that six months down the line, you’ll still see the same bug.”

What’s your favorite hacking technique?

“First you start with the common vulnerabilities that have the highest bounties. Not the 50 Euro ones, but those of 1.000 Euros. Many sites contain an IDOR (Insecure Direct Object Reference). If you change, for example, one number in the URL of your invoice, you get to your neighbor’s. Which means that all of a sudden sensitive data is out on the street. Often I dive into the JavaScript code that a site sends along to see if I can find anything interesting. My advantage is that I read code every day, which makes it more likely for me to find stuff.”
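The IDOR Jorik describes, as an added example that is not part of the interview: an invoice lookup that trusts the id in the URL and hands out any customer’s invoice, beside a hardened version that also checks ownership. The invoice data, user names and function names are constructed for illustration.

```python
# Added example (not from the interview): the invoice IDOR described above,
# beside the ownership check that fixes it. All data here is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount_eur: float


# Constructed sample store: invoices belonging to two different customers.
INVOICES = {
    1001: Invoice(1001, "alice", 120.00),
    1002: Invoice(1002, "bob", 89.50),
}


class NotFound(Exception):
    """Raised when an invoice does not exist or is not visible to the caller."""


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """IDOR: the lookup trusts the client-supplied id and ignores who is asking."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


def get_invoice_secure(current_user: str, invoice_id: int) -> Invoice:
    """Fixed: the record must exist AND belong to the authenticated user.
    Both failure cases raise the same error, so a caller cannot distinguish a
    missing invoice from another customer's invoice."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != current_user:
        raise NotFound(invoice_id)
    return inv


def can_read(lookup, current_user: str, invoice_id: int) -> bool:
    """Report whether `lookup` discloses the invoice to `current_user`."""
    try:
        lookup(current_user, invoice_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    # alice "changes one number in the URL" and requests bob's invoice 1002
    print("vulnerable discloses bob's invoice:", can_read(get_invoice_vulnerable, "alice", 1002))
    print("secure discloses bob's invoice:    ", can_read(get_invoice_secure, "alice", 1002))
```

In a real application the same rule applies to every object fetched by client-supplied id, and the ownership check belongs in the data-access layer rather than in each handler.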

Can you combine bug hunting with your job as developer?

“Well, my girlfriend isn’t happy with it. Starting at 8pm thinking I’ve almost discovered the bug, and before you know it, it’s 12pm. But it does pay well. Findings range from 50 to 1.000 Euros. The highest I had so far was 2.500 Euros for half an hour’s work. That’s nice. But you can also spend a day on a program and not find anything. Or report a bug that has just been found by someone else. Once I was able to trace identity papers of passengers on the site of an airline. That meant a big bounty. Unfortunately, just before I reported this, someone else did. Two days of work for nothing.” Hâck The Hague 2019 was another instance where he won prizes: third prize in the Most Impactful Hack category (500 Euros) and second in Most Sophisticated Hack (1.000 Euros).

The biggest reward, however, is that bug hunting teaches Jorik a lot for his work as a developer. “Being active in bug bounties has considerably increased my sense of security in software development. This allows me to discover security issues in new parts of the software almost immediately. It also works the other way. Being a developer means that I can look at parts of code, reason which problems might arise, find these issues and prevent them from happening. It also helps to keep my colleagues focused. So if you are a software developer, do get into bug bounty.”

Source: “Cyberellende was nog nooit zo leuk” - Chris van ‘t Hof

Want to know more about Hâck The Hague? Visit the website for more information & registration!

Hâck The Hague 2021 in the media

An awesome event like Hâck The Hague is bound to grab attention in the media. How many municipalities and organisations voluntarily allow their systems to be hacked? Not that many, and definitely not by 200 hackers at the same time! From interviews with hackers to articles about the competition, we have summarised the most remarkable coverage for you in this blog post.

Hâck The Hague 2021 Press Release

The Hague, 27 September 2021 – Today the digital infrastructure of the municipality of The Hague was scrutinised by 206 ethical national and international hackers. Among the 125 reported vulnerabilities were: unsafe access to accounts, outdated software, the ability to inject malicious code into a website and an account that could be taken over completely.

Hâck The Hague programme: sneak preview

We have planned an exciting programme for Hâck The Hague that will air on 27 September. Expect fun podcasts and videos about cybersecurity in all shapes and sizes. We tested citizens of The Hague on their knowledge of cybersecurity and held exclusive interviews with both professional and student hackers. What will they share? Here's a sneak peek.
