Some people skipped online classes during lockdown to binge Netflix. Arun Krishnan skipped them to hack around on cheats for an online game—and ended up chasing bug bounties. This month, we're spotlighting Arun, aka winters0x64.
Arun’s a 20-year-old cybersecurity student from Kerala, India, who sharpened his skills playing CTFs with Team bi0s—India’s leading cybersecurity research club. After plenty of hypothetical hacks, Arun jumped onto huntr, ready to tackle real-world AI/ML vulnerabilities. Spoiler: it wasn’t easy. After a pile of duplicates and a healthy dose of frustration, Arun finally hit his stride. We caught up with Arun to talk bug hunting tactics, overcoming those early hurdles, and why nothing beats landing that first legit bug.
Hello everyone, I’m Arun Krishnan, hailing from Kerala, India. I’m 20 years old, currently pursuing a Bachelor of Technology (BTech) in Computer Science and Engineering (CSE) [currently a 3rd-year student] from Amrita Vishwa Vidyapeetham, Amritapuri. I started my hacking journey back in 2020. It was during the lockdown due to COVID—I was really bored and wasn’t really interested in going through online classes, so I’d usually skip those online classes and used to play an online game called Krunker. Eventually, I stumbled upon a community that makes cheats for Krunker, and from there I learned how to code in JavaScript and Python, and learned computer fundamentals, Linux, networks, hacking, etc.
Currently I’m part of team bi0s, which is the No. 1 Hacking/CyberSecurity research club in India (bi0s.in). I’m a CTF player for the team focusing on web security research. It was during this time that one of my seniors mentioned huntr to me and I got interested, and the rest is history :)
One of my seniors started hunting on AnythingLLM in Huntr, and he submitted a bug report on XSS to Account Takeover. He advised me to look into AnythingLLM as he believed there were more bugs in that application. Initially, I thought that I didn’t have the skillset to find bugs in real-world applications, as up until that point I was mostly finding bugs in CTF challenges, which were guaranteed to have bugs—unlike real-world software.
So time passed by, and then one day I just had a random thought to test AnythingLLM. I started reading the source code of AnythingLLM, and I came across a code pattern that I’ve encountered thousands of times in CTFs—it was an SSRF vulnerability. I suddenly wrote the report and submitted it, but after 2 weeks it was marked as a duplicate. By this time, I had submitted a few more bugs, but all of them were marked duplicate. I was frustrated at first, but then after the initial duplicates and failures, all I ever wanted was a valid bug. And after so many reports getting duplicated, I finally got a valid bug.
After my first bug, I wanted more, so I kept trying for more and got many more valid bugs. That’s how I started in the AI/ML bug bounty space. I enjoy the challenge the most, because what pushed me to get a bug was the initial duplicates that I got. So just keep going: even if there are duplicates initially, you’ll get a bug eventually. That’s what I believe, and of course I like getting the bounty part second to that ;).
Alright, so this is how I test for bugs in an application. First, we should start with a mindset—you should believe that there are bugs in an application, just like in CTFs. After this, dive into the source code. Instead of reading an application’s source code from scratch, first learn how the application works. Go through the documentation of the application, identify interesting or overlooked functionalities, and then start reading the source code of these functionalities.
After reading the source, test for edge cases and try to look for bypasses for specific validation code or sanitizers, etc. Eventually, you’ll find a valid bug if you spend long enough time on a target.
I don’t rely on many tools for analysis—mostly what I do is manual stuff. But one tool I use and would like to master one day is CodeQL. I use automated workflows in GitHub to create a CodeQL static analyzer for the application that I want to test for bugs. This reveals a lot of code paths and might even reveal some low-hanging fruit. You can just fork an application and then create a new CodeQL Action workflow, and after the scan finishes, you can check out the results in the Security tab of your fork.
Okay, so after playing CTFs for like 2 years, I wanted to find bugs in real-life applications. But other bug bounty platforms required hunters to do black-box testing. It was around that time I came across Huntr via my senior, and that’s kind of how I got started. The experience so far has been amazing—the folks over at Huntr are amazing, so thank you for that. :)
The thing I liked most about Huntr is that I could test my CTF knowledge on real-world applications, get CVEs, and even get paid for the bugs. That’s like a dream for CTF players like me. I’d say that between MFVs and web app vulnerabilities, I liked web app vulnerabilities more […] MFVs are great, but so far I’ve had no luck with them—but I’ll keep trying. We’ll see.
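The CodeQL setup Arun describes in the interview (fork the project, add a CodeQL Action workflow, read the results in the Security tab) can look like the following. This is an added example, not part of the interview and not his or any project's own configuration; the file path, the `main` branch name, and the choice of a JavaScript/TypeScript target are assumptions.

```yaml
# .github/workflows/codeql.yml in your fork (added example; path is an assumption)
name: CodeQL

on:
  workflow_dispatch:          # lets you start a scan by hand from the Actions tab
  push:
    branches: [main]          # assumption: the fork's default branch is "main"

permissions:
  contents: read              # check out the code
  security-events: write      # upload results so they appear under the Security tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # assumption: the target is a JS/TS code base; add more languages as needed
        language: [javascript-typescript]
    steps:
      - name: Check out the fork
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # security-extended runs a broader set of security queries than the default suite
          queries: security-extended

      - name: Run the analysis and upload results
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Workflows may need to be enabled in the fork's Actions tab before the first run; once the job finishes, the alerts are listed under Security > Code scanning.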
Arun's journey proves one thing clearly: if your bug reports are stacking duplicates, you’re probably onto something good—just keep pushing.
Think you’ve found something juicy in how models serialize? Submit your detailed PoC to our MFV program. Validated finds could earn you up to $4,000. Pretty solid payday, huh? Happy hunting!