20 February 2019

Hacking that Helps: Kevin Roh’s 120/120 Challenge


Personal resolutions and challenges crop up frequently at the beginning of a new year. Just like all humans, hackers love to set inspiring resolutions too. It’s cool to see our SRT hackers setting goals to be more active and successful on the Synack platform or even hackers not yet members of the SRT striving to be accepted. But the story of Kevin Roh’s personal challenge started well before January 1st. He gave himself a headstart on 2019 by personally challenging himself to find 120 vulns in 120 days, beginning October 18th, 2018 and ending February 15, 2019.

Each week, Kevin shared the progress he had made through his webpage and twitter, which led to a growing a list of followers and cheerleaders by the challenge’s end. By February 12th, 3 days earlier than projected, Kevin had submitted his 120th valid vuln, which marked the end of this challenge and a very impressive personal achievement.

Not only did Kevin achieve the goal he set out for himself in October of last year, he also decided to donate a percentage of his earnings from finding these vulns for Synack customers to charity in the hope that his personal pursuit could make a big difference beyond his own personal goals. Synack, impressed by Kevin’s drive and generosity, wanted to join him, and so we are matching Kevin’s donations one for one. In total, because of Kevin’s 120 vulns in 120 days challenge, we will donate over $10,000 together to Puppies for Patriots and March of Dime.

Read further for our Q&A with Kevin to understand his motivation, learn more about the challenge, what he learned, and why he decided to donate a percentage of his winnings:

Kevin Roh

Q:  Why did you choose the number 120?

A: There was another hacker who attempted the challenge and created a blog post a while back: https://shubs.io/high-frequency-security-bug-hunting-120-days-120-bugs/

He wanted to challenge himself and see if he would be able to find 120 vulnerabilities in 120 days and talked about how his experience was and what kind of mental walls he ran into.

The number 120 sounded like the perfect number of vulnerabilities to find since the challenge would only be 4 months.

Q: What sparked your desire to take on this challenge?

A: After reading the article by Shubs (mentioned above), I found that it was easy to find several vulnerabilities in a day. So I thought that I could probably complete a challenge like this easily. After all, it was only ONE vulnerability a day, so I didn’t think it would be that difficult.

Q:  Why did you decide to donate part of your earnings to charity?

A: There are a lot of people out there who are in need of food, clothing, and help in other ways. Donating 10% of my bounties didn’t seem like a huge deal to me, but to others, it can go a long way.

Also, I hope that I can inspire other hackers to do a similar challenge to mine and to donate a portion of their earnings to charity that means something personal to them.

Q: Why did you choose to donate to the charities you chose?

A: Puppies for Patriots pairs veterans with a service or emotional support dog to give them better care. I attended an event hosted by the Military Health Project & Foundation and thought it was really cool that adorable puppies were being trained to help military veterans with PTSD. Synack also has a strong record of supporting and giving back to Veterans through their Veterans Cyber Talent Program and their partnership with Puppies for Patriots, so I thought it would be a great organization to support.

As for March of Dimes, they work to improve the health of moms and babies. I wanted to contribute to an organization that I knew provided life-changing assistance to those in need.

March of Dimes

Q: Was money a driving factor for this challenge?

A: Money is always a consistent motivator to me to hack, and with the Synack’s model, I know that I’ll get paid within 24 hours of submitting a valid vuln, so that is a definite plus. But actually, more than for the money, I started this challenge just to challenge myself and see if I was able to find 120 vulnerabilities in 120 days.

Q: Why did you choose to do your vuln discovery only on Synack’s platform?

A: The Synack model made it the perfect choice for my challenge since all hackers’ vulnerabilities are triaged and paid out within 24 hours. Also, since Synack segments its hackers on specific customer targets, there’s less noise and competition on their platform which makes it easier to find unique vulnerabilities. Synack also has great, respected clients that are fun to work on.

Q: What did your schedule consist of when taking on this challenge? How did you balance full-time work and social life?

A: For me, balancing full-time work, social life and the challenge was easy. My schedule was:

6am – wake up

8am-4pm – full-time work

7pm-2am – hack


Throughout the challenge, I set certain weeks where I would take the entire week off to give my mind rest. During the weekends, I would usually rest and only spend a couple of hours hacking. Some weekends, I would travel back home to hang out with friends instead of spending my time hacking.

Q: Did your hacking skills improve? If so, in what way?

A: This challenge taught me that are so many different ways you can attack a target and it challenged me to be more thorough when doing recon and going through an application. The deeper you go, the higher the possibility that someone else missed something. Some targets on the Synack platform have been listed for a long period of time, so going further allowed me to probe deeply on critical functionalities.

Once you look deeper into a target, you get more familiarized with it. Actually, a couple of times while I was taking a nap or sleeping, I would think of places where there might be a vulnerability like an XSS or CSRF. And when I woke up and looked for it, it was actually there.

Q: What were some of the challenges you faced? What did you do to overcome them?

A: I think the biggest challenges were a combination of stress, loss of interest, boredom, and frustration. Whenever I didn’t feel 100%, I gave myself a break from hacking. These hacking breaks helped a lot and being able to travel with friends took my mind off of the challenge.

Q: How did you prepare yourself mentally for this challenge?

Before I started the challenge, I took a week to mentally prepare myself and went through the entire 18 week schedule. I picked out a few weeks that I would take a break from hacking to get away from everything and take care of my mental health. 4 of the 6 hacking breaks I planned trips with friends and went to Seattle, New York, and Las Vegas. I added an additional 2 hacking breaks into the schedule when I wasn’t feeling 100% and knew I had to take a break from everything. That definitely helped me push through the last couple of weeks.

Q: Would you do a challenge like this again?

I’ve thought about doing the 365/365 challenge. Finding 365 vulns in 365 days. But, after this challenge, I’ll probably wait a couple of months before starting another challenge.

Q: How would you better prepare for a similar challenge in the future?

A: I would put the same amount of hacking breaks in place and add any additional ones if I needed them. Next time, I might also try to have another SRT do the challenge at the same time to help motivate me and exchange ideas.

Q: What advice would you give others if they wanted to do a similar challenge?

A: Take a break from hacking before starting the challenge to mentally prepare yourself. Plan out a few weeks to take a break from hacking and do something that will take your mind completely off of the challenge. The 120/120 challenge was to find 120 vulns in 120 days which comes out to 1 vuln per day. If you start to fall behind, and you’re, say, 7 vulns behind schedule, don’t worry about it too much. Some days, you’ll find 3-4 vulns or maybe even more. Once you start stressing out, your performance will start to decrease. Keep in mind this is a challenge, and throughout the challenge you’ll face moments of weakness, but you will need to overcome those weaknesses.

Researchers on the Synack platform are presented with opportunities to work on unique targets and challenges, the fastest payouts and highest level of support in the industry. Synack’s innovative technology optimizes the Synack Red Team’s (SRT) efficiency in vulnerability discovery.

Synack provides initiatives to help foster the researcher community and to recruit top talent. SRT Levels is a program that rewards SRT members for their increasing contributions to the Synack platform, and incorporates hacking competitions and specialized challenges.

If you’re up for the challenge, apply today, and use code “SRTBLOGS” in your application.