By Daniel Ventura, Manager of Product Security Incident Response Team (PSIRT)
At Adobe, we believe in the importance of recognizing and celebrating our surrounding security researcher and hacker community who have demonstrated dedication to their craft and helped strengthen the protection of the products and services we deliver to customers. From hobbyists to full-timers, we are committed to continuously empowering and engaging our network of researchers around the globe.
For this researcher spotlight, let us introduce you to Ariel Rachamim and Omri Inbar, two active participants of the Adobe bug bounty program. Ariel is currently an application security researcher at Moon Active and a cybersecurity lecturer at ECOM Academy. Omri is a penetration tester at CYE and often dedicates his time to researching and discovering zero-day vulnerabilities primarily in application spaces. Outside of their day jobs, Ariel and Omri collaborate with one another on various bug bounty hunting endeavors.
We sat down with these two friends, Ariel and Omri, to learn more about how their partnership enhances their bug bounty experiences and hear their advice for aspiring researchers in the field.
Throughout my early childhood, I developed a passion for gaming and enjoyed playing video games like Maple Story, League of Legends, and Knight Online. Though I spent hours and hours playing these games, I realized what truly captivated me about the gaming world was the world of game cheats. I often found myself scrolling through various online forums and seeking different types of cheats to gain an advantage over other players during a game.
After completing my high school education, I figured I could channel my fascination with hacking into a career — through exploring cybersecurity field. Instead of hacking games as a kid, I would focus on hacking websites and infrastructures in the future. So, I enrolled in an online penetration testing course, which kickstarted my journey as a penetration tester. Two years later, I achieved my dream career to becoming an application security researcher, working in the gaming industry.
Today, my passion revolves around learning new hacking techniques and exploring perspectives that others may not have considered. When I’m able to identify a unique approach, I develop automation workflows that enable me to continue with my daily tasks as I receive notifications on my phone about new discovered vulnerabilities in bug bounty programs.
— Ariel
During my early twenties, I discovered the world of programming and instantly fell in love with it. My initial interest was working on embedded software, where I could transform a simple idea into a tangible product. Starting off my career in the robotics industry as a developer was where I was first exposed to the field of cybersecurity. I reverse-engineered games, aiming to jump to the top of the leaderboards or acquire in-game items without having to pay.
I soon realized that dismantling and deconstructing applications was just as, if not more, enjoyable than creating them. I was captivated by the idea of “defeating” a computer program and, by extension, its creators. Delving deeper into hacking and penetration testing, I started a new role as a developer/researcher at a startup that developed an automatic penetration testing tool.
Since then, I’ve been actively involved in the cybersecurity field, both as a zero-day researcher and as a penetration tester. Today, my primary interests lie in hacking applications, discovering new zero-day vulnerabilities, researching innovative attack vectors, and applying them in the bug bounty arena alongside my partner, Ariel.
— Omri
The mere thought of earning the title of a “hacker” used to send shivers down my spine. Throughout my life, I’ve always admired hackers and the cool things they’ve been able to accomplish, so joining this community is incredibly thrilling and motivating for me. Second, it’s always nice having the opportunity to earn additional money, enabling me to enjoy life’s pleasures and invest in a better future for myself and my family.
– Ariel
To me, bug bounty represents the ultimate game. Ever since I began engaging in bug bounty programs, I’ve lost all interest in playing video games, as they simply cannot compare to the thrill of a good old hacking session. It allows you to use your skills and keyboard to uncover real-world vulnerabilities, all within legal boundaries, and you even get paid to do it!
– Omri
I recall a time I identified a potential XSS vulnerability but could not figure out a way to exploit it, despite trying various payloads. Seeking assistance, I reached out to an Israeli Bug Bounty Group called ‘Bug Bounty IL’ on WhatsApp. There I met Omri who, being experienced in JavaScript, saw an opportunity to help me exploit this vulnerability. This was the start of our collaborative journey.
Working together has enabled us to combine and leverage our unique individual strengths and skillsets to move more efficiently toward our bug bounty goals. We were able to combine my background in infrastructure and databases with Omri’s expertise in researching vulnerabilities. As we delved deeper, we eventually started focusing on specific types of attacks and researching advanced methods of exploitation. Omri handled the research, detection, and exploitation flow, while I took care of the entire automation, reporting, and communication with bug bounty programs. Ultimately, we believe this powerful collaboration has helped us discover several critical vulnerabilities throughout our bug bounty journey.
– Ariel & Omri
Our experience with Adobe’s bug bounty program has been nothing short of amazing. Most of our reports are usually triaged in less than 15 minutes. The resolution takes a maximum of only a couple days, which does not impact the timeline for when I’m able to receive bounties for my submitted reports. Additionally, we’ve been able to work directly with the product security incident response team (PSIRT) and have always received quick and easy communication from the team. We firmly believe that our collaboration with Adobe to enhance its security posture has been an integral part of our bug bounty journey.
– Ariel & Omri
Believing in yourself is the first step to achieving great outcomes. My main driving force in beginning my journey in bug bounty hunting was the belief in my own potential. Witnessing others succeed and make significant profits from bug bounty programs boosted my confidence that I, too, could achieve similar outcomes and become an accomplished hacker in the field. I started my journey off by taking a local online course written by Israelis in the industry. With a friend I met through the course, we studied together and practiced a lot of machines on Hack the Box. I continued to practice and study on my own, obtaining the OffSec Certified Professional (OSCP) certification and spending many hours watching the IppSec channel on YouTube.
Understanding that bug bounty hunting is a long-term journey is also key. When I first started, I acknowledged that reaching the top wouldn’t happen overnight; improvement and skill development happen gradually over time. Even now, I feel like I have so much more to learn compared to many other hackers, but I believe that with enough dedication, I will reach their level one day.
– Ariel
For me, my motivation was never about the money. I was always driven purely by my own curiosity and urge to discover new vulnerabilities out in the wild, so for many years, bug bounty hunting was just a side hobby that offered no monetary rewards. Over time, I figured out how to leverage my programming skills to set myself apart from the crowd — and that’s when I started to see financial returns.
One of the books that helped me distinguish myself was Black Hat Python: Python Programming for Hackers and Pentesters (Justin Seitz 2014). This book taught me a valuable skill of creating custom tools, such as scanners, to help me discover unique vulnerabilities apart from the rest.
– Omri
The key is to think outside the box and explore approaches that are not very common or well-known. The challenge lies in automating these unique processes to operate it at scale. It’s essential to adopt a long-term mindset — understanding that if a method were easy, it would likely be commonplace. Avoid being a script kiddie; I do not recommend simply downloading Nuclei and indiscriminately applying it everywhere. True success in bug bounty hunting comes from innovative thinking and strategic automation.
– Ariel
Like Ariel, I believe that the key to success lies in not following the crowd. This approach involves doing extensive reading and research on your own and persevering through barriers. When faced with a challenging task, I view it as a sign to persevere, as something being difficult can often be a deterrent for many.
Also, if possible, try to hack with your friends. Not only does it make the process more enjoyable, but collaborating with a partner also encourages you to take a dedicated approach to the work.
– Omri