1
00:00:00,000 --> 00:00:04,800
In this episode of BBRD podcast, I actually have no guest.

2
00:00:04,800 --> 00:00:09,800
Instead, I'm solo and I will tell you about my journey to cybersecurity.

3
00:00:09,800 --> 00:00:16,799
How I started, what sparked my interest, how I then got through the computer science degree,

4
00:00:16,799 --> 00:00:21,799
how I started the YouTube channel, my other YouTube channel, which you probably don't know about,

5
00:00:22,600 --> 00:00:27,600
and then until today, when I do half, let's say YouTube and half bug bounty

6
00:00:27,600 --> 00:00:30,600
with a lot of travel and sports in between.

7
00:00:30,600 --> 00:00:36,599
So enjoy the journey. I think there are a lot of takeaways that you can use in your career.

8
00:00:36,599 --> 00:00:41,599
So I hope you will find it either entertaining or useful.

9
00:00:41,599 --> 00:00:42,599
Enjoy.

10
00:00:44,599 --> 00:00:49,599
As a teenager, I already knew that I want to be a programmer. I want to work in IT.

11
00:00:49,599 --> 00:00:52,599
The reasons were not that strong, to be honest.

12
00:00:52,599 --> 00:00:56,599
One of them was that I used to play a lot of games as a child.

13
00:00:56,599 --> 00:01:03,599
So I had to be proficient with computers, which usually just meant installing something or solving a problem,

14
00:01:03,599 --> 00:01:07,599
but definitely nothing like programming or using the terminal.

15
00:01:07,599 --> 00:01:11,599
And the other reason was, of course, I knew that programmers make a lot of money.

16
00:01:11,599 --> 00:01:15,599
So I wanted to do this, but I wasn't particularly interested in this.

17
00:01:15,599 --> 00:01:19,599
I didn't do a lot by myself to fulfill this interest.

18
00:01:19,599 --> 00:01:26,599
Like a lot of hacker stories that I'm hearing is, you know, someone was hacking PlayStation at the age of 12

19
00:01:26,599 --> 00:01:30,599
or creating cheating to Counter-Strike or to other games.

20
00:01:30,599 --> 00:01:37,599
It's not my story. For me, hacking was not present until I was age 19.

21
00:01:37,599 --> 00:01:44,599
And at high school, I knew I wanted to do my final exam with computer science.

22
00:01:44,599 --> 00:01:47,599
But at school, we pretty much didn't have a teacher.

23
00:01:47,599 --> 00:01:52,599
So we had a small group of students that wanted to learn by themselves.

24
00:01:52,599 --> 00:01:57,599
It was led by one of the past students of my high school.

25
00:01:57,599 --> 00:02:08,600
And as this group with one of the teachers, we went to Warsaw to a conference called Warsaw Computer Science Days

26
00:02:08,600 --> 00:02:11,600
or Warszawskie Dni Informatyki in Polish.

27
00:02:11,600 --> 00:02:18,600
And then there was a presentation by Gynvael Coldwind about CTFs.

28
00:02:18,600 --> 00:02:24,600
And this is actually the moment where my cybersecurity interest started.

29
00:02:24,600 --> 00:02:30,600
So it was quite late for standards of a lot of cybersecurity people that we know.

30
00:02:30,600 --> 00:02:33,600
And then I started to be interested in CTFs.

31
00:02:33,600 --> 00:02:37,600
I started playing picoCTF. It was my first CTF.

32
00:02:37,600 --> 00:02:39,600
The tasks there are very simple.

33
00:02:39,600 --> 00:02:45,600
The first task that I did was learning to use the cat command in Linux, learning to use ls,

34
00:02:45,600 --> 00:02:51,600
learning what's base64 encoding, learning what's hex and simple stuff like this.

35
00:02:51,600 --> 00:02:57,600
But it was definitely what I needed back then because I couldn't do anything else.

36
00:02:57,600 --> 00:03:05,600
And I remember that in the beginning, I wasn't interested in doing the web stuff for some reason.

37
00:03:05,600 --> 00:03:06,600
I don't know why.

38
00:03:06,600 --> 00:03:09,600
And then somehow I did still transition to web.

39
00:03:09,600 --> 00:03:17,600
After starting to be more interested in CTFs, I started to learn web security.

40
00:03:17,600 --> 00:03:25,600
And then between the university and the high school, the final exams are in May in Poland.

41
00:03:25,600 --> 00:03:30,600
So we have like four months, maybe four and a half months of holidays,

42
00:03:30,600 --> 00:03:34,600
pretty much the longest holiday of your life usually.

43
00:03:34,600 --> 00:03:38,600
And then I was selling strawberries.

44
00:03:38,600 --> 00:03:42,600
And it was a season where strawberries were quite expensive.

45
00:03:42,600 --> 00:03:44,600
So not a lot of people were buying them.

46
00:03:44,600 --> 00:03:53,600
So I would just sit for like 10 hours, not doing much for most of the time because there wasn't much traffic.

47
00:03:53,600 --> 00:03:59,600
And I remember I was reading The Web Application Hacker's Handbook when I was there.

48
00:04:00,600 --> 00:04:05,600
And I intended to do this task practically after my work.

49
00:04:05,600 --> 00:04:11,600
I remember there was a page on Bugcrowd about how to start bug bounty.

50
00:04:11,600 --> 00:04:15,600
And I remember that on this, I think it was a forum post.

51
00:04:15,600 --> 00:04:20,600
I don't remember when it was, but I remember that I visited this resource very often.

52
00:04:20,600 --> 00:04:24,600
And one of the books recommended was The Web Application Hacker's Handbook.

53
00:04:24,600 --> 00:04:30,600
And I remember I struggled to do the practical stuff because after 10 hours of doing nothing,

54
00:04:30,600 --> 00:04:37,600
but doing nothing exposed to sun, it was challenging enough that after this time, I was just pumped out.

55
00:04:37,600 --> 00:04:41,600
I didn't want to do anything apart from playing football.

56
00:04:41,600 --> 00:04:44,600
But I didn't want to do anything in front of my computer.

57
00:04:44,600 --> 00:04:50,600
And I remember I started waking up before I would start work at eight, I think, or seven.

58
00:04:50,600 --> 00:04:53,600
So I would wake up at five for two hours.

59
00:04:53,600 --> 00:04:59,600
I would do the practical tasks using topics that I learned the previous day.

60
00:04:59,600 --> 00:05:01,600
I used the Root Me platform.

61
00:05:01,600 --> 00:05:04,600
I don't know if it's still live or not.

62
00:05:04,600 --> 00:05:10,600
And then during my job, I would read an e-book with The Web Application Hacker's Handbook.

63
00:05:10,600 --> 00:05:14,600
I remember I did it on a bad e-book reader, which couldn't.

64
00:05:14,600 --> 00:05:19,600
It was a PDF format, which couldn't show the images well.

65
00:05:19,600 --> 00:05:23,600
So every time in my e-book, there was an image I had to pull out my phone.

66
00:05:23,600 --> 00:05:26,600
And on my phone, I had to check the image on the same page.

67
00:05:26,600 --> 00:05:31,600
And I did most of the reading via the e-book reader.

68
00:05:31,600 --> 00:05:36,600
And with this, I learned something throughout those four months.

69
00:05:36,600 --> 00:05:41,600
And I knew I just want to become a pen tester or bug bounty hunter.

70
00:05:41,600 --> 00:05:45,600
But I felt that first I would have to become a programmer.

71
00:05:45,600 --> 00:05:47,600
And I went to university.

72
00:05:47,600 --> 00:05:52,600
And I think my strategy at the university was quite well.

73
00:05:52,600 --> 00:05:54,600
Because I was at the computer science.

74
00:05:54,600 --> 00:05:58,600
There was no cyber security back then at this university.

75
00:05:58,600 --> 00:06:08,600
And I was doing as little as possible at the university to have as much time as possible to learn web security.

76
00:06:08,600 --> 00:06:10,600
Because I had to learn all web security by myself.

77
00:06:10,600 --> 00:06:14,600
There was no web security at the university.

78
00:06:14,600 --> 00:06:22,600
And I think the strategy of doing as little as possible for the university worked quite well for me.

79
00:06:22,600 --> 00:06:33,600
It was actually a tip I learned from another vlogger, another YouTuber, actually, that I saw at that conference that we went for high school.

80
00:06:33,600 --> 00:06:38,600
It was Maciej Aniserowicz. It's in Polish, so not relevant for most of you, unfortunately.

81
00:06:39,600 --> 00:06:44,600
And he had videos about becoming a programmer, basically.

82
00:06:44,600 --> 00:06:49,600
So I had to sort of modify them to be relevant for cyber security.

83
00:06:49,600 --> 00:06:53,600
But I did this strategy and it worked quite well.

84
00:06:53,600 --> 00:07:03,600
I also did the CTF research group or how extracurricular activities are called at the university.

85
00:07:04,600 --> 00:07:12,600
Because during the holidays, I was researching, is anything happening about CTFs in Krakow or at the university?

86
00:07:12,600 --> 00:07:24,600
And I saw that there is a research group or the extracurricular group about CTFs on my university led by a guy called Disconnected.

87
00:07:25,600 --> 00:07:36,600
And I was quite worried because I saw it did happen the previous year, but I saw nothing posted about the year I was about to attend to.

88
00:07:36,600 --> 00:07:41,600
So I remember I just texted him on whatever communicator.

89
00:07:41,600 --> 00:07:48,600
And I felt he's not going to do this, to lead this activity anymore.

90
00:07:48,600 --> 00:07:57,600
But eventually he did, and it then became the key to my career because, one, I learned a lot during this time.

91
00:07:57,600 --> 00:08:01,600
So I was learning in my free time and I was attending this group.

92
00:08:01,600 --> 00:08:09,600
And it was key because later, after the first year, he referred me to a company.

93
00:08:09,600 --> 00:08:16,600
And it was also the first time that I started looking at connections a bit differently.

94
00:08:16,600 --> 00:08:23,600
Because before, I looked at connections, at the word connections, as something negative.

95
00:08:23,600 --> 00:08:30,600
If someone would tell me they got a job through connections, I would just understand they have the uncle at the company.

96
00:08:30,600 --> 00:08:35,599
And the uncle hired them despite them not having enough technical skills.

97
00:08:35,599 --> 00:08:50,599
But this part with me attending some extracurricular activity and being active there and showing that I do want to learn, it enabled the connections in a positive way.

98
00:08:50,599 --> 00:08:55,599
Because Dominic referred me to a friend working at the company.

99
00:08:55,599 --> 00:09:01,599
And eventually I got hired there after the first year of university as an apprentice there.

100
00:09:01,599 --> 00:09:10,599
And it was a huge, huge achievement for me because I didn't even hope to start my career as an apprentice there.

101
00:09:10,599 --> 00:09:20,599
I really dreamt of being an apprentice there, but I thought that I will need a few years working as a programmer, maybe one or two years.

102
00:09:20,599 --> 00:09:25,599
And only then I could maybe, maybe get a job as an apprentice there.

103
00:09:26,599 --> 00:09:30,599
And even I remember driving for the, for the interview.

104
00:09:30,599 --> 00:09:42,599
I did really have the attitude of I'm going there to see how the interview looks like because I've never been to an interview, but 100% they will not give me this job.

105
00:09:42,599 --> 00:09:43,599
But they did.

106
00:09:43,599 --> 00:09:48,599
And I was hugely, hugely relieved and very happy.

107
00:09:48,599 --> 00:09:54,599
Working as an apprentice there in some sense surprised me at how easy it was to find vulnerabilities.

108
00:09:54,599 --> 00:09:57,599
Of course, I did learn a lot because it was my first job.

109
00:09:57,599 --> 00:09:58,599
So I obviously did.

110
00:09:58,599 --> 00:10:10,599
But it surprised me in the sense that during my, my first year before I started working, I did, you know, try some bug bounty websites because bug bounty was always very appealing to me.

111
00:10:10,599 --> 00:10:17,599
First, it's the, the independence part was always something that, that I felt attracted to.

112
00:10:17,599 --> 00:10:20,599
And also the economic factors because, you know, I live in Poland.

113
00:10:20,599 --> 00:10:23,599
It's not a country with high living costs.

114
00:10:23,599 --> 00:10:34,599
So if you earn in the, in dollars, basically in, in something that's not scaled to, to your country, then you can live on a really good level.

115
00:10:34,599 --> 00:10:37,599
For these reasons, bug bounty was very appealing to me.

116
00:10:37,599 --> 00:10:40,599
So I did, you know, open some public bug bounty programs.

117
00:10:40,599 --> 00:10:47,599
I, I did even try some vulnerabilities on websites without bug bounty programs and obviously nothing worked.

118
00:10:47,599 --> 00:10:53,599
I only remember one XSS that popped on the web, on the shopping website without the bug bounty program.

119
00:10:53,599 --> 00:11:04,599
But I imagined that, you know, these, the bugs you are finding in real life are not bugs that I was learning in The Web Application Hacker's Handbook.

120
00:11:04,599 --> 00:11:10,599
But when you're doing pentesting, you are very often the first person to test, to test the website.

121
00:11:10,599 --> 00:11:15,599
So it was quite natural that I was finding many vulnerabilities there.

122
00:11:15,599 --> 00:11:17,599
Of course, I did have to learn a lot.

123
00:11:17,599 --> 00:11:19,599
I had to learn writing reports.

124
00:11:19,599 --> 00:11:22,599
I had to learn working with developers and I had to learn a lot.

125
00:11:22,599 --> 00:11:39,599
But the part of finding vulnerabilities surprised me that a lot of vulnerabilities in the reports were the, the simple versions, like the, literally the copy paste from OWASP Top 10 or, or from any other book.

126
00:11:39,599 --> 00:11:44,599
So in this sense, it did surprise me, but I was, I was very happy.

127
00:11:44,599 --> 00:11:54,599
It was very, very satisfying to find all those vulnerabilities, but I was still, you know, thinking and always reading about, about bug bounties.

128
00:11:54,599 --> 00:12:01,599
I remember at this time I had a very tight schedule with everything.

129
00:12:01,599 --> 00:12:08,599
And I remember I like to go to a gym before the university, before work or something like this crazy days like that.

130
00:12:08,599 --> 00:12:20,599
And I also had the ritual that maybe one, once a week, once, once every two weeks, maybe once a month, sometimes before the gym, I would go to a cafe.

131
00:12:20,599 --> 00:12:25,599
I would sit there, I would watch bug bounty presentations.

132
00:12:25,599 --> 00:12:29,599
Then I would go to a gym and then I would continue with my day.

133
00:12:29,599 --> 00:12:40,599
And maybe for, for some of you, that's strange, but for me as a child, you know, drinking cafe in a, in a restaurant or in the cafeteria, it was kind of a luxury.

134
00:12:40,599 --> 00:12:44,599
It's not something, definitely not something I was doing often.

135
00:12:44,599 --> 00:12:48,599
And I don't think I did it once during my first year of university.

136
00:12:48,599 --> 00:13:00,599
So when I started working and I had the possibility to do it, I remember literally feeling luxury sitting always the same place in the same cafeteria before the gym.

137
00:13:00,599 --> 00:13:03,599
I also love working out in the morning.

138
00:13:03,599 --> 00:13:09,599
So it was also very satisfying to me to, you know, work out with the caffeine kick.

139
00:13:09,599 --> 00:13:15,599
And it was, it was, I love this time and we'll come back to this cafeteria later.

140
00:13:15,599 --> 00:13:18,599
But, but for now, I was being a pentester.

141
00:13:18,599 --> 00:13:20,599
I was learning a lot as a pentester.

142
00:13:20,599 --> 00:13:25,599
I was still continuing the university with the lowest effort possible.

143
00:13:25,599 --> 00:13:28,599
And I was learning about bug bounty.

144
00:13:28,599 --> 00:13:30,599
I tried a lot of websites.

145
00:13:31,599 --> 00:13:40,599
Sometimes at work we would, I hope my ex boss is not watching this, but sometimes we would finish the project much earlier than, than we had the time assigned.

146
00:13:40,599 --> 00:13:48,599
So I would just do bug bounty during my, my work hours and I was obviously not finding much.

147
00:13:49,599 --> 00:13:53,599
And then I remember that one day I was looking at Gitter.

148
00:13:53,599 --> 00:14:03,599
Gitter was an acquisition of GitLab and I was looking at the, at the source code mostly to just, you know, see the real world application, to see the bug bounty target.

149
00:14:03,599 --> 00:14:06,599
I was not hoping to find the vulnerability.

150
00:14:06,599 --> 00:14:11,599
And I was particularly interested in the OAuth authentication flow.

151
00:14:11,599 --> 00:14:21,599
And I remember that just after one request that, that I sent, the application stopped responding and it wasn't anything extraordinary.

152
00:14:21,599 --> 00:14:25,599
You know, when you are setting up your own environment, things break all the time.

153
00:14:25,599 --> 00:14:28,599
So I didn't think much of it at the time.

154
00:14:28,599 --> 00:14:33,599
And then I sent a few more requests like this after restarting the environment.

155
00:14:33,599 --> 00:14:37,599
And it was a repeatable, consistent behavior of the application.

156
00:14:37,599 --> 00:14:40,599
So after some time I debugged what's the cause.

157
00:14:40,599 --> 00:14:48,599
And I saw that there was a particular line of code that didn't foresee this, this input in this place.

158
00:14:48,599 --> 00:14:50,599
And that's what caused the error.

159
00:14:50,599 --> 00:14:55,599
But I was still like, okay, that's denial of service, but that's not the bug that you can get paid for.

160
00:14:56,599 --> 00:15:00,599
And then I looked at GitLab actually does pay for this vulnerability class.

161
00:15:00,599 --> 00:15:08,599
So I remember, you know, submitting this report, still not believing I will get anything because it was just sounding very, very surreal.

162
00:15:08,599 --> 00:15:10,599
But they did pay me out.

163
00:15:10,599 --> 00:15:13,599
The video about this, this bug in detail is on my channel.

164
00:15:13,599 --> 00:15:16,599
They did pay me out $1,000.

165
00:15:16,599 --> 00:15:25,599
And I felt incredible at this time, especially that, you know, I was checking the notifications all the time, reading all the emails.

166
00:15:25,599 --> 00:15:28,599
You know, even you probably also remember this.

167
00:15:28,599 --> 00:15:34,599
If you've ever submitted your first bug, even when your bug is triaged, you are still thinking about scenarios.

168
00:15:34,599 --> 00:15:37,599
How can they still not pay you for this bug?

169
00:15:37,599 --> 00:15:40,599
Because it just feels surreal that you can get paid.

170
00:15:40,599 --> 00:15:43,599
But they did get paid and it felt incredible.

171
00:15:43,599 --> 00:15:50,599
I remember I spent half of this bounty on this watch that I still have today.

172
00:15:50,599 --> 00:15:55,599
And so it's still with me, still reminding me of that time.

173
00:15:55,599 --> 00:15:57,599
And I was really, really happy.

174
00:15:57,599 --> 00:16:02,599
And that's probably a feeling I will never remember again.

175
00:16:02,599 --> 00:16:07,599
And I wanted to somehow, you know, share with the world my findings.

176
00:16:07,599 --> 00:16:09,599
So I thought about creating the blog.

177
00:16:09,599 --> 00:16:13,599
I also knew that creating the personal brand is something good.

178
00:16:13,599 --> 00:16:15,599
It can help you get a better job.

179
00:16:15,599 --> 00:16:18,599
For example, it creates the personal brand.

180
00:16:18,599 --> 00:16:20,599
Then you have infinite possibilities.

181
00:16:20,599 --> 00:16:33,599
But I knew that a lot of people that write blog posts, you know, they only write those blog posts a few times a year because they usually, you know, even for me, bugs I was finding was during pen test.

182
00:16:33,599 --> 00:16:35,599
So I could not talk about them.

183
00:16:36,599 --> 00:16:41,599
I couldn't fill enough blog posts to be interesting enough.

184
00:16:41,599 --> 00:16:46,599
So I was procrastinating creating the blog for a long time.

185
00:16:46,599 --> 00:16:51,599
And then I thought of maybe doing something different.

186
00:16:51,599 --> 00:16:55,599
And the idea of my channel was in my head for some time.

187
00:16:55,599 --> 00:16:59,599
It's actually not the first YouTube channel that I created.

188
00:17:00,599 --> 00:17:08,599
The previous one I was creating when I was about 14 and 15 and 16 years old or maybe 13 to 15.

189
00:17:08,599 --> 00:17:18,599
It was in Polish and it was about tutorials for the game Battlefield, mostly Battlefield 3, Battlefield 4, and then some other FPS as well.

190
00:17:18,599 --> 00:17:19,599
And it was quite big.

191
00:17:19,599 --> 00:17:22,599
It's not that I created the YouTube channel with two videos.

192
00:17:22,599 --> 00:17:24,599
I was creating it with a friend.

193
00:17:24,599 --> 00:17:27,599
And it has, it's still public.

194
00:17:27,599 --> 00:17:29,599
It has like 5,000 subscribers.

195
00:17:29,599 --> 00:17:35,599
So it was in Polish and it was quite big for the size of YouTube back then.

196
00:17:35,599 --> 00:17:40,599
It was like 2013, 2012.

197
00:17:40,599 --> 00:17:42,599
So it was very early YouTube years.

198
00:17:42,599 --> 00:17:46,599
So 5,000 subscribers then was a lot.

199
00:17:46,599 --> 00:17:49,599
And we did it for like two years.

200
00:17:49,599 --> 00:17:50,599
Then we stopped.

201
00:17:51,599 --> 00:18:02,599
And I don't really remember lessons that I learned there, but definitely I did pick up some lessons then that I am using in my YouTube channel now.

202
00:18:02,599 --> 00:18:05,599
But I just don't remember those things clearly.

203
00:18:05,599 --> 00:18:09,599
I only have a few memories from that time.

204
00:18:09,599 --> 00:18:19,599
So the idea of YouTube channel was appealing to me, but I had no idea if I would still create videos about my bugs.

205
00:18:19,599 --> 00:18:24,599
It would still be the same problem of not having enough bugs to be enough.

206
00:18:24,599 --> 00:18:28,599
And I thought about, you know, maybe explaining reports of other people.

207
00:18:28,599 --> 00:18:35,599
The reason was that I was reading a lot of write-ups back then, and a lot of them were not written really good.

208
00:18:35,599 --> 00:18:45,599
Sometimes, you know, the submitter of the report, the reporter, assumes that the other person knows something about the system.

209
00:18:45,599 --> 00:18:50,599
Often, the triager or the company that processes the bug, they do.

210
00:18:50,599 --> 00:18:56,599
But then when the report is disclosed, for us, for readers, some things are unclear.

211
00:18:56,599 --> 00:19:00,599
So my idea was to explain those reports in a clear manner.

212
00:19:00,599 --> 00:19:07,599
But one problem with this idea was that I would be creating videos about bugs of other people.

213
00:19:07,599 --> 00:19:16,599
And I felt it's sort of uncool to, you know, use other people's intellectual property, in a sense, to create my videos.

214
00:19:16,599 --> 00:19:27,599
And I think I would not do the channel if not this guy or the author of these books, Pete Yaworski.

215
00:19:27,599 --> 00:19:32,599
He has two books. One of them is the blue one. I don't remember the name.

216
00:19:32,599 --> 00:19:34,599
This is the second edition.

217
00:19:34,599 --> 00:19:40,599
And basically, the concept of the book is that he grouped some disclosed public bug bounty reports.

218
00:19:40,599 --> 00:19:43,599
And he made a book about these.

219
00:19:43,599 --> 00:19:51,599
And this book is actually... I think you can get the first edition for free when you sign up at HackerOne.

220
00:19:51,599 --> 00:19:55,599
Or it's somewhere they send it to you after registration or something like this.

221
00:19:55,599 --> 00:19:57,599
At least, it used to be that.

222
00:19:57,599 --> 00:19:59,599
So it's definitely a respected position.

223
00:19:59,599 --> 00:20:02,599
And also Pete Yaworski has a great respect.

224
00:20:02,599 --> 00:20:06,599
I don't know if he still creates some bugs.

225
00:20:06,599 --> 00:20:10,599
But I remember that he was a respected person in the community.

226
00:20:10,599 --> 00:20:20,599
And basically, just seeing his bugs, it was the argument for me that, OK, if these books, they use the same concept.

227
00:20:21,599 --> 00:20:29,599
And nobody is telling that, oh no, Pete is bad because he created a book and makes money out of bugs of other people.

228
00:20:29,599 --> 00:20:34,599
Then definitely, me making free YouTube videos about them will also be OK.

229
00:20:34,599 --> 00:20:38,599
So thank you, Pete, for creating this book.

230
00:20:38,599 --> 00:20:42,599
Without you, I wouldn't be where I'm currently at.

231
00:20:43,599 --> 00:20:53,599
And my idea was also to add the visual layer to those videos because I felt it can really help people understand the bug better.

232
00:20:53,599 --> 00:20:55,599
And I think I did this quite well.

233
00:20:55,599 --> 00:21:03,599
The channel, sometimes people have to upload tens of hundreds or maybe thousands of videos before they catch traction.

234
00:21:03,599 --> 00:21:05,599
I caught traction quite quickly.

235
00:21:05,599 --> 00:21:12,599
And I think also the reason was that authors of the bug would sort of push my video forward.

236
00:21:12,599 --> 00:21:14,599
And these were good videos.

237
00:21:14,599 --> 00:21:17,599
So they did catch traction quite quickly.

238
00:21:17,599 --> 00:21:19,599
I was really happy that I finally got to it.

239
00:21:19,599 --> 00:21:23,599
Of course, I had to wait and procrastinate a lot to do it.

240
00:21:23,599 --> 00:21:31,599
And I finally started when the virus started, like literally first two weeks of the virus.

241
00:21:31,599 --> 00:21:37,599
I was really happy because at that time I would have studies.

242
00:21:37,599 --> 00:21:41,599
I would do like the full time studies or daily studies or whatever they are called.

243
00:21:41,599 --> 00:21:43,599
I would do part time job.

244
00:21:43,599 --> 00:21:45,599
I would be in a long distance relationship.

245
00:21:45,599 --> 00:21:49,599
So all weekends where I was not not working during the weekends.

246
00:21:49,599 --> 00:21:55,599
So for me, having two weeks off in this time, it was fantastic.

247
00:21:55,599 --> 00:21:57,599
I was really happy about it.

248
00:21:57,599 --> 00:22:03,599
And I did start the channel literally like two weeks after the COVID started or something like this.

249
00:22:03,599 --> 00:22:05,599
And then, of course, I wasn't happy about it.

250
00:22:05,599 --> 00:22:09,599
But it did push me to create the channel.

251
00:22:09,599 --> 00:22:13,599
And then it was sort of growing like this for some time.

252
00:22:13,599 --> 00:22:18,599
And the problem was that I was not finding bugs myself.

253
00:22:18,599 --> 00:22:19,599
I had the channel.

254
00:22:19,599 --> 00:22:21,599
The channel was bigger and bigger.

255
00:22:21,599 --> 00:22:23,599
I was working as a pen tester.

256
00:22:23,599 --> 00:22:25,599
I also changed job in this period.

257
00:22:25,599 --> 00:22:31,599
Also, the reason I changed jobs was because of my YouTube channel.

258
00:22:31,599 --> 00:22:37,599
I think my manager of my second job, he approached me on Twitter.

259
00:22:37,599 --> 00:22:40,599
And I want to believe it was based on the videos that I created.

260
00:22:40,599 --> 00:22:43,599
So it also played a big role in this.

261
00:22:43,599 --> 00:22:47,599
And it was also quite a big pay rise for me.

262
00:22:47,599 --> 00:22:49,599
So it was quite a nice change.

263
00:22:49,599 --> 00:22:52,599
But in terms of bug bounty, I didn't do a lot.

264
00:22:52,599 --> 00:22:54,599
I didn't have much time.

265
00:22:54,599 --> 00:22:59,599
When I had the time, when I did actually hack, I wasn't finding anything.

266
00:22:59,599 --> 00:23:08,599
And at some point, like more or less a year after joining my second job, I was already

267
00:23:08,599 --> 00:23:09,599
after the university.

268
00:23:09,599 --> 00:23:12,599
So I had a little bit more free time.

269
00:23:12,599 --> 00:23:17,599
And then I decided that it might be the time to quit my job.

270
00:23:18,599 --> 00:23:26,599
Very cold and calculated decision because it definitely did not feel like a right time

271
00:23:26,599 --> 00:23:29,599
because I knew nothing about business.

272
00:23:29,599 --> 00:23:32,599
I wasn't a successful bug bounty hunter.

273
00:23:32,599 --> 00:23:37,599
So why would I quit my job, you know, to live out of these two things?

274
00:23:37,599 --> 00:23:39,599
I know nothing about.

275
00:23:39,599 --> 00:23:48,599
And the origin of this story actually begins when the people from my first company there

276
00:23:48,599 --> 00:23:53,599
we used to also during work hours to conduct some trainings for developers.

277
00:23:53,599 --> 00:24:00,599
And after I quit, people from the training department of that company approached me.

278
00:24:00,599 --> 00:24:05,599
If I still want to continue these during these trainings or create a new training actually

279
00:24:05,599 --> 00:24:07,599
to create a new training for them.

280
00:24:07,599 --> 00:24:11,599
But this time as a freelancer and not during my work hours.

281
00:24:11,599 --> 00:24:14,599
And I was quite happy to accept this proposition.

282
00:24:14,599 --> 00:24:19,599
I could make more money than I would in the during my regular full time job.

283
00:24:19,599 --> 00:24:21,599
So I was happy to accept the offer.

284
00:24:21,599 --> 00:24:28,599
And for this, I had to create the sole entrepreneurship sort of company in Poland.

285
00:24:28,599 --> 00:24:31,599
I had to, of course, pay taxes from it.

286
00:24:31,599 --> 00:24:34,599
I had to pay the insurance and everything.

287
00:24:34,599 --> 00:24:39,599
And I didn't plan on doing anything more about it.

288
00:24:39,599 --> 00:24:40,599
At that time, I was on.

289
00:24:40,599 --> 00:24:49,599
I only created it for the purpose of conducting these trainings and maybe some YouTube collaborations.

290
00:24:49,599 --> 00:24:52,599
But I wasn't thinking much about it.

291
00:24:52,599 --> 00:25:01,599
But actually, this creating the sole entrepreneurship did spark the business interest in me.

292
00:25:01,599 --> 00:25:04,599
And I started learning more about business.

293
00:25:04,599 --> 00:25:06,599
I was more interested about marketing.

294
00:25:06,599 --> 00:25:09,599
I was more interested about different products.

295
00:25:09,599 --> 00:25:12,599
And I didn't foresee this coming at all.

296
00:25:12,599 --> 00:25:19,599
But then I had the idea to, you know, maybe also create something to monetize the channel.

297
00:25:19,599 --> 00:25:25,599
Because then I also created the way to support the channel voluntarily.

298
00:25:25,599 --> 00:25:27,599
It was the Buy Me a Coffee website.

299
00:25:28,599 --> 00:25:34,599
And it was literally like two or three people sending me a coffee after a few months.

300
00:25:34,599 --> 00:25:36,599
So I shut this down.

301
00:25:36,599 --> 00:25:42,599
And I knew that if I want to make money off of YouTube, I just need to create my own product.

302
00:25:42,599 --> 00:25:44,599
So I started thinking about it.

303
00:25:44,599 --> 00:25:53,599
And then also other friend approached me about creating a course about Python and security.

304
00:25:54,599 --> 00:25:55,599
It's also in Polish.

305
00:25:55,599 --> 00:26:02,599
The way it works is I create the course and he does the marketing and he has the target audience and everything.

306
00:26:02,599 --> 00:26:06,599
And at this time, you know, I had thoughts about my own product.

307
00:26:06,599 --> 00:26:12,599
I had the potential of creating the course and I had the trainings I would conduct.

308
00:26:12,599 --> 00:26:17,599
But still, it didn't feel at all like the time to quit my job.

309
00:26:18,599 --> 00:26:24,599
But the thing was that I had about one year worth of savings in my account.

310
00:26:24,599 --> 00:26:35,599
And my analytical, the analytical part of my brain would nudge me to, you know, just quit your job.

311
00:26:35,599 --> 00:26:43,599
And if it doesn't work after one year, you can just come back and you probably can get a better job after one year of trying something else.

312
00:26:43,599 --> 00:26:47,599
So it definitely did not feel like the right time for me.

313
00:26:47,599 --> 00:26:51,599
Nobody of my friends would expect it.

314
00:26:51,599 --> 00:26:54,599
Nobody actually was trying to convince me that it's a good move.

315
00:26:54,599 --> 00:27:02,599
People would either be surprised, maybe even sending me indirect signals that it's not a good time or it's not a good decision.

316
00:27:02,599 --> 00:27:08,599
But I would still do my own thing because just the risk was not that big.

317
00:27:08,599 --> 00:27:14,599
You know, the worst thing that could happen was that after a year, I would just have to come back to employment.

318
00:27:14,599 --> 00:27:18,599
And it didn't seem like too much of consequences to me.

319
00:27:18,599 --> 00:27:21,599
So I decided to just go for it.

320
00:27:21,599 --> 00:27:22,599
And I'm happy I did.

321
00:27:22,599 --> 00:27:28,599
And now I also whenever making a decision, I'm thinking about the consequences.

322
00:27:28,599 --> 00:27:37,599
Because if consequences are like this, if they are not that scary, actually, because, you know, then at that time, you know,

323
00:27:37,599 --> 00:27:40,599
feeling like failure, yes, it would be bad.

324
00:27:40,599 --> 00:27:51,599
But, you know, the one thing that helps me think about it from a better perspective was what will I think about it in five years time?

325
00:27:51,599 --> 00:27:57,599
And from the perspective of, you know, at this time, I was I would be scared.

326
00:27:57,599 --> 00:27:58,599
I would be afraid.

327
00:27:58,599 --> 00:27:59,599
I would be unsure.

328
00:27:59,599 --> 00:28:01,599
I would feel like failure.

329
00:28:01,599 --> 00:28:07,599
But then, like, what will 30 year old Greg think about this?

330
00:28:07,599 --> 00:28:13,599
Oh, he would think, oh, yeah, when I was 25 years old, I decided to, you know, quit my job.

331
00:28:13,599 --> 00:28:17,599
And I spent a year trying to do bug bounty and to create content.

332
00:28:17,599 --> 00:28:18,599
You know, it didn't work.

333
00:28:18,599 --> 00:28:20,599
So after one year, I came back to employment.

334
00:28:20,599 --> 00:28:23,599
But still, throughout this one year, I learned a lot.

335
00:28:23,599 --> 00:28:29,599
It was probably what I was going to think about it, about the worst case scenario after five years.

336
00:28:29,599 --> 00:28:34,599
And having a perspective like this really shifts my mindset.

337
00:28:34,599 --> 00:28:37,599
And it's also something that I use today.

338
00:28:37,599 --> 00:28:48,599
Whenever I'm scared, whenever something feels risky, I'm thinking, OK, what will I think about the worst case scenario in five, in 10 years time?

339
00:28:48,599 --> 00:28:52,599
And very, very often is actually nothing that's scary.

340
00:28:52,599 --> 00:29:00,599
So it's definitely something that you can take away from this video to just not be afraid of failing.

341
00:29:00,599 --> 00:29:03,599
But actually, you know, think about what are the consequences?

342
00:29:03,599 --> 00:29:06,599
What will you think about them in a few years?

343
00:29:06,599 --> 00:29:12,599
And then very likely this decision will not be that scary.

344
00:29:12,599 --> 00:29:18,599
And as it often happens with these decisions, the worst case scenario doesn't actually happen.

345
00:29:18,599 --> 00:29:20,599
And so it didn't.

346
00:29:20,599 --> 00:29:22,599
And as you see, I'm still here.

347
00:29:22,599 --> 00:29:24,599
To be honest, I don't know how.

348
00:29:24,599 --> 00:29:33,599
Because now when I think about this decision, it seems extremely naive that I quit my job for bug bounty and for creating a business.

349
00:29:33,599 --> 00:29:35,599
Both things I knew nothing about.

350
00:29:35,599 --> 00:29:36,599
It shouldn't work.

351
00:29:36,599 --> 00:29:37,599
I think it shouldn't work.

352
00:29:37,599 --> 00:29:40,599
But I made it work, and I'm so happy to be here.

353
00:29:40,599 --> 00:29:44,599
Of course, for me, the growth, it was quite slow.

354
00:29:44,599 --> 00:29:51,599
Because usually when people start a business, they are already capable in doing something.

355
00:29:51,599 --> 00:29:56,599
Like someone becomes a good bug hunter, and then they decide to create a channel.

356
00:29:56,599 --> 00:30:00,599
And extremely rarely, you know, someone just comes.

357
00:30:00,599 --> 00:30:02,599
Okay, I will be a bug hunter.

358
00:30:02,599 --> 00:30:03,599
I'm not now.

359
00:30:03,599 --> 00:30:09,599
And even worse or even better, I also had a paid product at this time.

360
00:30:09,599 --> 00:30:17,599
So I created a paid product about learning web security when I had literally one bug behind my belt.

361
00:30:17,599 --> 00:30:19,599
And I was open about it.

362
00:30:19,599 --> 00:30:28,599
I'm actually so proud of this that I never had to, you know, lie about my past or be unclear about my past.

363
00:30:28,599 --> 00:30:30,599
I always told people, you know, I'm just learning.

364
00:30:30,599 --> 00:30:32,599
Come learn with me if you want.

365
00:30:32,599 --> 00:30:34,599
If you don't want, don't buy my product.

366
00:30:34,599 --> 00:30:37,599
And I'm very happy that it worked this way.

367
00:30:37,599 --> 00:30:42,599
Of course, the first year, year and a half were quite slow in terms of the business.

368
00:30:42,599 --> 00:30:47,599
Then the business skyrocketed in terms of my bug bounty journey.

369
00:30:47,599 --> 00:30:51,599
Of course, details are in bug bounty vlogs.

370
00:30:51,599 --> 00:30:56,599
But my growth here, my development as a bug bounty hunter is quite slow.

371
00:30:56,599 --> 00:30:59,599
And it's something that is sometimes annoying to me.

372
00:30:59,599 --> 00:31:05,599
Because I know that if I would dedicate just to bug bounty hunting, it would be much better.

373
00:31:05,599 --> 00:31:08,599
But I'm not spending that much time on it.

374
00:31:08,599 --> 00:31:10,599
I do spend more time on the business side.

375
00:31:10,599 --> 00:31:14,599
I do spend more time not working, basically.

376
00:31:14,599 --> 00:31:18,599
And it's a very, very tough balance to find.

377
00:31:18,599 --> 00:31:22,599
Because, you know, on one hand, I would love...

378
00:31:22,599 --> 00:31:24,599
Of course, I do these bounty vlogs every year.

379
00:31:24,599 --> 00:31:26,599
I'm sharing my results.

380
00:31:26,599 --> 00:31:34,599
And of course, it would be nice for me to, for example, have the next year's bounty vlog where I would be in the six-figure range or something like this.

381
00:31:35,599 --> 00:31:41,599
Or basically to be happy with my performance as a bug bounty hunter.

382
00:31:41,599 --> 00:31:50,599
But then the reality is when I have the choice of working more and finding more bugs and enjoying more time,

383
00:31:50,599 --> 00:31:56,599
I just see that I do in these cases make the decision to just have fun.

384
00:31:56,599 --> 00:32:01,599
So it seems that the quick growth is not the priority for me.

385
00:32:01,599 --> 00:32:07,599
And I see this based on my actions and not on my thoughts, which is quite a difficult thing to do.

386
00:32:07,599 --> 00:32:11,599
So my growth as a bug bounty hunter is quite slow.

387
00:32:11,599 --> 00:32:14,599
I'm planning to change this a little bit.

388
00:32:14,599 --> 00:32:19,599
I'm planning to focus more on bug bounty in 2024.

389
00:32:19,599 --> 00:32:22,599
But we'll see how it goes.

390
00:32:22,599 --> 00:32:28,599
Also, in my content, my content did evolve a lot throughout this time.

391
00:32:29,599 --> 00:32:36,599
In the beginning, it was just explanations of bug bounty reports, as the name suggests, Bug Bounty Reports Explained.

392
00:32:36,599 --> 00:32:40,599
These days, this is not my most common format.

393
00:32:40,599 --> 00:32:48,599
Usually, my videos are either podcasts or case study videos and occasional videos of other formats.

394
00:32:48,599 --> 00:32:53,599
But the original one is no longer the main thing.

395
00:32:53,599 --> 00:33:01,599
Also, the reason is that creating videos like this with visualizations, with animations, with everything, they took a lot of time.

396
00:33:01,599 --> 00:33:09,599
And I saw that even when I was putting more effort into them, they weren't really performing that well.

397
00:33:09,599 --> 00:33:18,599
And I see that, for example, with the case study, I'm spending more time before I even start recording the video or writing the article,

398
00:33:18,599 --> 00:33:20,599
because I just do the case study.

399
00:33:20,599 --> 00:33:23,599
And then the video itself is not that edited.

400
00:33:23,599 --> 00:33:25,599
It has no animations.

401
00:33:25,599 --> 00:33:28,599
It's not that pretty, but it's more useful.

402
00:33:28,599 --> 00:33:36,599
And that's why I also prefer this type of content, because, you know, it's more useful and it requires less work from me.

403
00:33:36,599 --> 00:33:38,599
And the same goes with podcasts.

404
00:33:38,599 --> 00:33:48,599
Podcasts are great because I don't only see the report of somebody else, but I actually can ask them about things that I do want to ask them.

405
00:33:48,599 --> 00:33:51,599
And I think this content is great.

406
00:33:51,599 --> 00:33:56,599
So this is the direction I'm going at.

407
00:33:56,599 --> 00:34:04,599
Also, one thing that I would like to have in my channel, but I really struggle to somehow make it work.

408
00:34:04,599 --> 00:34:12,600
I even talked about this with one of you who recognized me at the CCC conference that I came back literally two days ago.

409
00:34:12,600 --> 00:34:26,600
I'm recording this just after coming back that in my videos, I would prefer to sort of show you more or maybe make you think more about your life.

410
00:34:26,600 --> 00:34:39,600
Also, in terms of some time off and in terms of some sports and some holidays, because at the end of the day, videos about bugs are videos about making money.

411
00:34:39,600 --> 00:34:46,600
And I do believe that for many of you, making more money is not actually something that will make you happy.

412
00:34:46,600 --> 00:34:52,600
And it can definitely harm your health in the long run if you spend too many hours in front of the computer.

413
00:34:52,600 --> 00:34:58,600
And I do live, I think, a well-balanced life with a lot of sports and a lot of travel.

414
00:34:59,600 --> 00:35:04,600
And I always have some urge to somehow, you know, not really share it.

415
00:35:04,600 --> 00:35:09,600
I don't care about sharing it, but I would care to make you think about your life.

416
00:35:09,600 --> 00:35:16,600
That maybe, you know, instead of spending more time in front of the computer with bug bounty, maybe you should go to the gym.

417
00:35:16,600 --> 00:35:21,600
Maybe you will be healthier for your old elderly life.

418
00:35:21,600 --> 00:35:26,600
So even now you will be healthier, you will be happier, you will have great relationships.

419
00:35:26,600 --> 00:35:28,600
You can also travel.

420
00:35:28,600 --> 00:35:32,600
You know, I see also all my choices in my life.

421
00:35:32,600 --> 00:35:38,600
They did lead me to this place where I can work from anywhere in the world.

422
00:35:38,600 --> 00:35:45,600
And also my earnings do not depend on the country I'm working from and the times I'm in and everything.

423
00:35:45,600 --> 00:35:51,600
So I did in 2023, I did start sort of a digital nomad thing.

424
00:35:51,600 --> 00:35:57,600
I spent two and a half months in Spain, in Canary Islands, and I absolutely loved it.

425
00:35:57,600 --> 00:36:05,600
And now when you are watching this, it's probably like January or February because I'm recording this up front.

426
00:36:05,600 --> 00:36:14,600
I'm in Argentina and I'm also living sort of a digital nomad life because I absolutely love the digital nomad community.

427
00:36:14,600 --> 00:36:16,600
I don't like the winter in Poland.

428
00:36:16,600 --> 00:36:17,600
And that's why I travel.

429
00:36:17,600 --> 00:36:24,600
And I also urge you, if you are a bug bounty hunter, if you have a remote work, you can do this.

430
00:36:24,600 --> 00:36:26,600
So you should think about doing this.

431
00:36:26,600 --> 00:36:29,600
It's also easier for some people, harder for others.

432
00:36:29,600 --> 00:36:37,600
For me, I want to do these things now when I'm single, when I have no kids, when I have not many responsibilities.

433
00:36:37,600 --> 00:36:40,600
This is the time to do it.

434
00:36:40,600 --> 00:36:42,600
And one last thing.

435
00:36:42,600 --> 00:36:45,600
I told you that I will come back to the cafeteria.

436
00:36:45,600 --> 00:36:56,600
I talked about before when I did go to the cafeteria, watch bug bounty presentations and be really hyped and dream about the bug hunter lifestyle.

437
00:36:56,600 --> 00:37:00,600
And, you know, I kind of forgot about it for some time.

438
00:37:00,600 --> 00:37:08,600
But then I think like one year ago when I was already living from YouTube and bug bounty, I came back to this cafeteria.

439
00:37:09,600 --> 00:37:21,600
I took the same thing I always take the large black Americano and the muffin, which is absolutely delicious and very, very calorie rich as well.

440
00:37:21,600 --> 00:37:23,600
But absolutely delicious.

441
00:37:23,600 --> 00:37:27,600
I sat in my favorite couch in the same place I always did.

442
00:37:27,600 --> 00:37:36,600
And I realized that I'm now living the lifestyle that I used to dream about all the times that I would go to this cafe.

443
00:37:36,600 --> 00:37:43,600
And on this positive note, I want to thank you for watching this video or for listening to this podcast.

444
00:37:43,600 --> 00:37:55,600
And I want to encourage you to make risky decisions, to not be afraid to always have the long-term perspective and the worst case scenario, which is usually not that bad.

445
00:37:55,600 --> 00:38:00,600
And I encourage you to do sports and I encourage you to travel.

446
00:38:06,600 --> 00:38:07,600
Thank you.


