After nearly 20 years, legendary Litchfield still reigns supreme.

The king of the bug hunters has stalked vulnerabilities for decades, and last year he made history as the first hacker to earn over $500,000 USD in bug bounties on HackerOne. No wonder his influence ranking is at 93 percent, and he's a top 5 hacker on HackerOne (https://hackerone.com/mlitchfield)!

Litch, the founder of https://www.bugbountyhq.com/, hung out with us at h1-702 in Vegas for a chat about motivation, help for noob hackers ...and the coolest things he can’t talk about.

Tune into the video, or cast your eyes on the transcript;

Tell us a little something about yourself.
My name is Mark Litchfield. I’ve been hacking since 1999.

Where are you from?
I’m from the United Kingdom. Scotland, more specifically.

How did you get started?
To begin with, it was my brother David who introduced me to security. And then it was a simple case of having two machines, a client, a server, Internet cable between the two on a sniffer, watching how the client communicated with the server and understanding the protocols. That’s literally where it started from.

First vulnerability you found?
Oracle.

Why do you hack?
The challenge. It’s somewhat like a gauntlet being thrown down: can you break it? And I tried to. Sometimes -- a lot of the time -- I did.

Most memorable vulnerability?
One of them was the Apache transfer encoding trunk issue, which was back in 2003. That was a good one because it was a default install in Apache, been there since day one, basically since the thing was written. That’s probably the best one; the one that had the most impact. There are ones that I’d like to talk about but I can’t because they were like super cool but private, non-disclosure, all this type of – the coolest ones are the ones I can’t talk about, unfortunately.

How do you pick a program?
Money. Simple answer.

Story about working with a company? Good or bad?
Not particularly, no. Last night, the event we had here was fun. Actually getting to work with a team on site and seeing how they respond to security issues and how they work was interesting for me to see in real time. I’ve submitted a bug, now what’s going to happen? So that was probably the best thing, seeing what happens on the other side.

What hardware/software do you use?
Burp Suite is pretty much all I use. Most of my stuff is manual; the biggest part of Burp is use is the Repeater. I’ll go through the history, look at certain requests, send it through Repeater. Then, after I’ve got maybe ten or fifteen requests in Repeater the ones I find interesting, I’ll go back and start playing around manually. Then SQLMap, some of the classics, but Burp primarily.

How do you get in “the zone”?
Depends on the motivation of the day. I like putting my dance music on, Tiesto, stuff like that. It just depends how I feel when I wake up.

How have bug bounties impacted your life?
They’ve paid all my bills for the last two years because that’s all I’ve been doing. They’ve helped me establish a business, I’ve gotten to meet some really cool people, and it keeps me in the game learning new stuff. Not just what I learn, but looking at what other researchers do about finding their bugs. Sometimes it’s not necessarily the vulnerability that counts, it’s how did you get there. That’s what I’m more interested in – how did you get to that point? So yeah, through a lot of learning for myself and learning about what other people have been doing.

What do you do when you’re not hacking?
Karaoke. Hanging out with my wife. Kinda really boring. Drinking.

Favorite security conference?
I like Black Hat and DeFCon. I’ll be really honest, I haven’t really been to other security conferences, so I can’t give opinion about those. Black Hat, me and Jeff go way back so I love that, I love the people. I don’t actually go to any of the conferences; I just attend and meet up with everyone in the bar. For me, it’s more of a social networking event; catch up with people, find out what they’re doing, all that.

Any advice for new hackers?
The advice? Ask questions. If you don’t know, there are a lot of people out there simply too busy to answer so they’re not going to have time for you. Try and find the ones that do. It’s a great community, there’s actually more help. You’d be surprised because it’s all money based. If you’re not first, you’re last. Everyone’s tired of the duplicate, but there are a lot of people out there that will help you. If there’s something new to you, like security, ask. There’s plenty of security forums out there, the bug bounty one on Skype, et cetera. Ask. Join. And if you are in security and you need a new car, just stick around on a bug bounty. You can probably get one in a month.

www.HackerOne.com.