
“Hackers can move and manipulate the system in ways no one had imagined.” Everything (or almost everything) about “white hat” hacking from a man who has been on both sides of the fence

Before the full-scale invasion, a 32-year-old Ukrainian developer from Uzhhorod had been working quietly for more than 10 years at many companies, building software for his customers, and had never imagined a different path. However, since February 2022 the full-scale invasion has turned his life and work upside down, as it has for many Ukrainians. He joined the hacker community, but chose the «white» side of the force.

The bug hunter who goes by the nickname «stopwar» told dev.ua what attracted him to this field, what distinguishes «black» hackers from «white» or «ethical» hackers, and what such a specialist can expect in the future.


One step closer to the limit

He felt the first urge to look «behind the scenes» of IT systems while studying at university. It was then, about 10 years ago, while studying technical information protection systems, that he laid the foundations of his understanding of information security, learning about eavesdropping devices, «bugs» and other semi-espionage techniques through old methods from the 90s. For example, students investigated how a laser beam can pick up acoustic vibrations from a window pane and thus eavesdrop on a conversation taking place in an office.

When he graduated in 2015, no one explained to graduates where they could find work, and the term «white hat hacker» did not exist at all. As the specialist says, he and the other graduates of his group went to work as programmers in private companies, but in the course of their work it periodically occurred to them that they needed to hack something or figure out how a certain technology worked. So, without yet understanding anything about «ethical» hacking, he began to get involved in the field, periodically changing his main place of work and working at several large international companies.

«People who go into development, programmers, namely «hard» IT people, usually have one thing in common: they are more attracted to the computer world than to the world around them,» the hacker is confident.

However, according to him, there are two categories of specialists among them:

  • those who try to follow the rules and develop software to control computers and systems,
  • those who try to go the other way against the rules, to understand how the system works and circumvent it.

«Because we understand that there is power here, and we need to use it somehow,» says the programmer.


The starting point is war.

Since February 2022, from the start of the full-scale invasion, the entire guild of Ukrainian IT professionals began to take part in the resistance, in particular by DDoSing Russian sites.

«It was mainstream back then, but I couldn’t understand what the point was, because the damage wasn’t that critical,» the developer recalls.

He explained that he could not see the point of taking sites «down» when they would be «up» again within an hour or two, or a day or two, and would simply continue working.

It was then that «stopwar» and like-minded people realized that it was possible to download and delete data. One of their first «combat» experiences was when the hackers broke into a Russian company’s system and printed appeals to stop the war on its printers. So with the start of the full-scale invasion, the programmer’s curiosity about hacking coincided with a real opportunity to try his hand in the field.


On the «light» side of the force

Speaking about the «black» and «white» sides of hacking, «stopwar» recalls the words of his colleague, a cybersecurity specialist: «A hacker is already ethical. An unethical one is a cybercriminal.» Summing up, the programmer adds that the term «hacker» is positive in general, and only the media and movies have distorted it.

«Hackers are people who understand how a system works better than those who created it. They can navigate it, control it in ways no one else has ever imagined,» he emphasizes.

By this definition, according to «stopwar»:

  • «black hackers» are criminal elements who try to profit by breaking into companies’ systems;
  • «white» or «ethical hackers» look for vulnerabilities in order to help, often simply to make the world a better place, or for some reward or money, but adhering to the principle of doing no harm once they have gained access to a system;
  • «gray hackers» are almost like «white hackers», except that the company did not give the specialist permission to penetrate its system; he gets inside anyway and finds vulnerabilities.

And although the programmer himself started, so to speak, from the «dark» side, namely by hacking Russian websites, he later realized that he was closer to the idea of actually bringing benefit and making the world a little better. This is what led him to the «light» side of the force.


Where do bug hunters work?

The developer decided to switch and chose a niche where he could use his knowledge legally: to become a bug hunter, a «white» hacker who searches for bugs in the systems of various companies for a monetary reward.

He described from his own experience how such specialists operate. The first thing a hunter does is take part in various Bug Bounty programs. Such programs are offered by websites and software development companies to find errors and vulnerabilities in their systems. Bug hunters who find weak points in a system receive a monetary reward.

Companies like Amazon or Netflix can invite «white» hackers themselves, organize open or closed events, or post Bug Bounty offers on relevant international platforms, in particular:

  • Bugcrowd is a crowdsourced security platform founded in 2012 and, since 2019, one of the largest bug bounty and vulnerability disclosure companies on the Internet. The platform features a comprehensive crowdsourced list of bug bounty and vulnerability disclosure programs from across the Internet, curated by the hacker community.
  • HackerOne is a cybersecurity company specializing in vulnerability management. The platform allows companies to host bug bounty programs and engage the hacking community to improve the security posture of their systems. It also lists known bug bounty programs on its opportunities page.
  • Intigriti is a leading European penetration testing platform. It provides a list of publicly available bug bounty programs and also runs a Bug Bounty for the Intigriti platform itself. Detailed information about the platform’s bug bounty services can be found on its website.

Some companies in Ukraine also run Bug Bounty programs; in particular, the following are held periodically:

  • Prozorro was one of the first state-owned enterprises in Ukraine to implement such programs and has been running a Bug Bounty on an ongoing basis since 2019. Rewards started at $500.
  • Hosting Ukraine is one of the largest hosting providers on the Ukrainian market. The company launched a vulnerability bounty program and offered a $1,000 reward for vulnerabilities.
  • PrivatBank, according to «stopwar», ran a popular Bug Bounty program a few years ago, and its website still offers $1,000 for actionable reports of vulnerabilities. However, the hacker says that, judging by community feedback, the bank is now «slow» with this.

Grammarly, an online platform with Ukrainian roots that uses artificial intelligence to help people communicate in English, offers hackers up to $100,000 in rewards for discovering critical security vulnerabilities: you need to get into the company’s server, read the code on a specific page in the database, and send it to the company in a report. The company says it also pays for other vulnerabilities.


What should «white» hackers pay attention to?

According to the expert, some companies, such as Facebook, work only directly. Google also worked this way until recently, but has now switched to Bugcrowd. Netflix always works through HackerOne, although it was previously on a different platform. The developer explains that working through a platform relieves companies of part of the burden, in particular processing the many low-quality bug reports that hunters send in.

In addition, platforms take on other functions:

  • they determine rewards based on the criticality of the bug and transfer the money to hunters;
  • they keep track of which hunter was the first to find a particular bug (and notify the specialists immediately), because only the first one receives a reward;
  • they resolve disputes between companies and hackers in case of disagreement over the criticality of a bug, which hunter was first, or the size of the reward;
  • they publish statistics on a company’s resolved reports, from which one can judge how reliably it pays.

A particular problem for «ethical» hackers is unscrupulous companies that leave critical bugs unfixed for months and, accordingly, do not pay the hunters who found them. «This is a very bad sign, and a red flag for hunters that such companies are not worth working with, because most likely they will not pay,» the programmer emphasized.

«stopwar» said that he himself recently received an invitation to a private Bug Bounty program. He found a dozen interesting but simple flaws, and one critical one. Three weeks later he received a message that another hunter had already found this critical bug six months earlier.

According to the expert, if a hunter finds a really cool vulnerability, he can sell it on the black market for several times more.

«But if you are led to do that, then of course you have already gone to the dark side,» he adds.


About vulnerabilities

Which vulnerabilities matter depends primarily on the specifics of the company’s business. In general, the following are considered critical bugs:

  • database access,
  • code execution on company servers,
  • theft of people’s personal information, i.e. phone numbers, addresses, etc.

Non-critical, for example, is getting for free functionality that you would normally have to pay for.

«Very often bugs are things that can be found using a regular browser,» the programmer adds.

How to choose a company

Before starting to look for bugs, «stopwar» always mentally builds a model of the company’s work according to its specifics and tries to understand what it wants to protect.

He says that he usually tries to find vulnerabilities in the products he uses every day, because getting acquainted with the system takes less effort. However, the programmer is also interested in receiving private invitations to Bug Bounty programs, because few people are likely to be looking for bugs there yet, so the chance of finding something and receiving a reward is higher. He also notes that the more complex the system, the more bugs it has.

«The real problem is not choosing a field, but finding a company that is willing to pay for these bugs,» the developer adds.


About money

«stopwar» takes part in programs on the platforms above, as well as periodically in closed events organized by various companies. The reward varies with the conditions the companies set: what hackers are and are not allowed to do, and where to look for bugs. For critical vulnerabilities the reward can reach several million dollars.

For example, for a critical bug found on Prozorro, «stopwar» received about 28,000 UAH. This was the first platform he started with; later he moved on to others. He recalls that it was on this platform that he personally found the largest number of bugs and made it into Prozorro’s hunter rating. On Netflix, the programmer found about 10 different critical bugs of high and higher severity levels.

Payment times also vary from company to company. The programmer says that in his experience Netflix can respond and pay the reward within a day, while with some companies the correspondence about a report drags on for weeks or months.

There are other quirks in payments as well. For example, some companies double the reward when several critical vulnerabilities are found. In other cases, however, a company may merge several reported bugs into one, explaining that they share the same root cause.

Personally, for «stopwar», hunting is not the main source of income. He officially works as a programmer in a company, and does hacking in his free time.

He shared that he could sometimes earn up to $10,000 a month from hunting, but this is not a stable monthly income. The most expensive bug bounty, for example, was paid to him by Netflix: $3,000 + $1,000 bonus.

The hunter shared that over the past year he spent 30% of his time hacking and 30% on his job, with the rest on personal matters. His income was split in half between the two. According to him, if the split of income from work and hacking shifts to 30%/70%, respectively, he will be ready to switch to hacking full time.

What can await a «white» hacker in the future?

In addition to participating in Bug Bounty programs, hunters can also do research, in particular finding bugs in open source and other products and getting paid for it. Such findings can also become the basis for a separate product or solution.

Some hunters get the opportunity to work for state structures, but «stopwar» says that he could not work there and does not want to. He would, however, like to test «Diya» or some other state program.
