mzfr's comments

I had the same issue so I started using RSS reader. I really liked yarr(https://github.com/mzfr/yarr) so I started maintain a clone(with extra features) of the original.

I browse HN/lobste.rs, twitter lists, dev blogs, newspapers, everything via RSS feeds.

I just saw this and as a project this looks great. But the more(maybe most) popular version of exactly this tool is Wakatime[0] and I've been using it for quite a while now. So my question here would be what "new" feature you plan to add to this so you can standout from other similar but popular services?

[0] https://wakatime.com/

> Already got my foot in some cool groups, not really a work-together thing

Yeah I actually was saying insense of professional work. For Ex: Take assetnote, they do code review,s and such. If you get to work with them that would be really good for professional work. There are several other smaller startups/org with good people in them that are doing security research.

> like pmnh (https://hackerone.com/pmnh?type=user) and zi

Oh, that is a good thing. I've followed some of their work.

> Joining big organizations like Google Project Zero seems very hard for me in my eyes haha. Would have no idea on how to get into them.

Right now, not sure how it would work. But P0 was just an example, if the idea of working they seem good then the first step would be to professionally become part of a smaller org/group that does security research. And then gain traction from there by doing more public research in whatever field you like. AFAIK P0 prefer people with public research experience and have something decent to show they did publically.

> and will easily land a job when the time will come." Well, that's the thing. I don't want to leave out any opportunities, just because I was lazy in my young years. There are many insanely good people out there and I heard companies more look at years of experience and certifications, instead of public "achievements" like HackerOne, etc.

Just read this in one of your comments (sorry just going through the thread). I actually agree with what @mrg2k8 said you are young and don't forget to enjoy the time you have now.

The thing about certification/Year of Experience is true but only when you actually want to work in an organization that works for itself. Basically, if you want to go in a line where you are working as insert security-related post, in a company. If you want to continue working as a researcher, just exploring applications and finding bugs then you don't have to worry about all that because in that scenario public achievements would rein over certifications or years of experience.

If you are getting bored with research and want to get a job like penetration tester, Product security, etc then I think the majority of my suggestions become irrelevant. And then you should just go for a degree -> certifications -> Apply for jobs -> $$$$

I've seen a lot of your tweets about those bounties :)

As someone who has done bug bounties and also has certifications, I can suggest a few things.

1. College - Like others said, it helps a lot not just careerwise but socially as well.

2. Try joining big security groups/org - You have a lot of knowledge, especially in RE/PWN fields so maybe try joining organizations that do security research full-time example Google Project Zero or there are loads of other organizations that does that kind of work. This will make life easier in sense of what you wanna do. By joining such groups/organizations you can choose to work on game engine/cheat-anti-cheat hacking or browser/OS security basically choose what you wanna hack.

You might think why would you need a job in any org to do so? Well, simply because a stable income(the reason I stopped doing bug bounties) and association with a good org/group improve your network. Not sure if you know this or not but having a good network of people really helps, professionally.

3. I saw someone mentions that you should think of getting certifications. Believe me, when I say it, certificates do nothing. I got my OSCP because people said it would help me get a job, but it didn't. Certificates are only for people who don't really have anything else to show or beginners in the fields trying to get their foot in the door. You already have an amazing profile showing that you are capable of doing RE/PWN stuff. Go for certifications only if you actually want to have fun and take on the challenge. Don't expect much change in your professional life from those certifications.

**

You already know this but I'd state it again, literally every program lowballs, and no one wants to pay up. So if you get 10k for RCE but expected 100k, just stop reporting to that program. If you like working on their services then maybe try talking to the program managers about it. In the end, if you feel like the program isn't giving back as you expected just move on to a different program.

All the above stuff was what came to mind to help your professional/bug-bounty career. To answer the question

> I've been told many times that I am low-balling myself and should get into smart contract or browser security. Please let me know what you think and feel free to ask any questions.

If you just want big money, yes smart-contract seems to be the big hot thing. If you are looking to make a big name in the security field along with a decent(sometimes really good) amount of money then browser/OS security is definitely a good thing. In the just try them for 1 week/month and stick with something that you enjoy :)

Happy hunting!

There are various ways to do it. By default github pages support jekyll so on new commits github automatically pushes those changes to your blog/website.

If you plan to go with something like Hugo you'll have to setup a github action which will do the processing for you. Example of such github action can be seen here(https://github.com/mzfr/mzfr.github.io/blob/hugo/.github/wor...)

In order to actually move, the best way is to convert your webpages to makrdown and then just put them in the github repository.

A quite well know blog post about moving from wordpress to static gh-pages is this(https://www.hywel.me/static/site/wordpress/2016/07/17/fast-f...). But I think this might be old so it may or may not work.

Below is the list of few more blogs about this process:

* https://www.logitblog.com/moved-away-from-wordpress-to-githu...

* https://blog.netnerds.net/2020/08/migrating-my-wordpress-sit...

* https://haralduebele.github.io/2021/02/10/Moving-my-Blog-fro...

All of these blogs did it the same way, setup gh-page on github and then from wordpress export your content to markdown.

My suggestion is if you don't have much experience with markdown & github pages then just go with having a simple jeykll blog. And you can choose themes from here(https://jekyllthemes.io/free)

I use burp suite(community version) for the same purpose along with frida. There is also Brida[1] its sort of a bridge between both of them.

Something which I don't like is that every time I need the traffic to go through burp I need to go the WiFi settings and modify the "advance option" to use proxy. And if I keep the proxy settings on all the time then I've had issues with playstore and other such app, on the testing device. So that small bit of manual work is what I don't like.

In another comment[2] they mentioned they'll be releasing an android interceptor which would work without proxy, I think that would make me try this.

[1] [https://github.com/federicodotta/Brida](https://github.com/f...

[2] [https://news.ycombinator.com/item?id=30541263](https://news....

Assuming that the person you were working with didn't drain your wallet, there are many tools which can be used to actively monitor for commits being done on GitHub with secrets of sort.

The first one that comes to my mind is shhgit (https://github.com/eth0izzle/shhgit)

Anyone can self host it and then add multiple GitHub Dev keys to it. Then this can be used to monitor GitHub commits being done, majority of which can be categorized as "secrets".

Depends actually, if you just want to do pentesting then probably do some certifications like OSCP, CompTIA, etc. Once you get those its quite easy to land a interview for pentesting.

Initially job may not pay good but you can build your network and then probably start doing contract works. Most of the pentesters I know make more from freelance/contract work then their jobs. Because mostly those contract/freelance work pays on hourly bases. The initial hour rates usually are somewhere between 40-50 USD but they can go to 120-150 with just after few jobs.

P.S - I might have made it sound a very simple or easy profession but its not :)

what is your motivation behind it? I understand that you are working on this from quite sometime but similar service giants like spotify, (Apple|Amazon|Youtube) Music etc exists right? So how do you find the motivation to continue working on it. Also do you expect something out of it, like you are giving it your time & effort so what is the expectation out of it?

Sorry, if my comment sounded rude. I'm just curious to know :)

Did you mean to write "SEEKING WORK" ?

I can't apply for the fulltime Job since I'm in the APAC region but is there any contract job available? If there are then I'd be happy to apply for it.

Quickbook - https://quickbooks.intuit.com/in/

They have a decent interface, press the "clock in" button and the time starts. Whenever you want you can "clock out". You can see the "total time" report as well as the invoices or payout made.

The only downside I see is that when you "clock in" you get a small input box in which you can choose to write whatever work you've done or you are doing. The issue is that box is super small and you can't really see that much in it. So there is lot of scrolling involved.

    - https://github.com/auth0/repo-supervisor
    - https://github.com/awslabs/git-secrets
    - https://github.com/trufflesecurity/truffleHog
    - https://www.gitguardian.com/
    - https://github.com/eth0izzle/shhgit

All these tools can be configured to scan the repositories and generate alert when credentials or API keys are encountered

Hey,

I'm not a recruiting manager but since I noticed you are a fresher I just wanted to give some tips about your resume, from one dev to another :)

* Move the work Experience and Project part above Skills.

* Right now your resume looks very plain. Try to use a different template for the resume or maybe try learning latex. It would really improve the formatting of the resume.

* In the work experience try to be more descriptive. For example, you wrote the following:

    I automate tasks using Python and take care of the test environment

instead of that try to write 2-3 bullet points that will explain all the tech being used and also what "task" you actually automate. So something like the following:

    * Automated ABCD which is being used in XYZ, using python
    * My automation takes all ABCD and stores in X DB

This may not be the best example but this is just to give you an idea about being a bit descriptive.

* This will completely depend on you but in my opinion having those stars level grading in front of every skill is not the best way to do it. One of the ways I suggest is just to have Skills as an h1 heading and then add multiple h3 headings. Ex:

    Skills

    - Languages: Python, golang, rust, bash, javascript
    - Frameworks: Django, Flask
    - Misc: git, heroku 

Again this is just a suggestion, if you feel that current representation is the best you can just keep it that way.

Daylio - It's a journal/mood tracking app and I've been using it since march 2019. Other than keeping a track of my moods it also help me keep track of all my goals I want to achieve.

Google keep - I've tried all the popular/unpopular apps for note taking but I keep coming back to G.Keep, it's really very easy to use type that is why I use it for taking all kind of notes. The only thing I think it's missing is authorization/password protection.

Money Manager - Helps me keep track of all the income and expenses. It really heped me a lot in managing my expenses.

Okay, I am just going to assume that you are from India(if not, situation in India is very similar).

I took the Gap year and couldn't clear JEE, the most prestigious test in India. So I took admission in some private college. Yes, education might not be the best but going to college is a whole different life experience I mean other than just studies. It might be difficult for you to just go to "any" college or you might feel like "you wasted a year" but it's not like that every day you learn something new and once you go to a college you'll realize that gap year was actually very important(not just for study but for personal development too.)

Also all these marks, who scored how much, how much you scored in high school etc all these matters until you go to college, after that it won't matter at all. Going to college will help you find a lot of different paths, different "career options".If end up going to college you'll meet people from different background having a different mindset that will help you a lot to develop your thinking and to understand how things actually work in the "real world".

P.S: You are 18 worries less, enjoy more :-)