I am a white-hat hacker and senior security consultant with a strong interest in both software development and application security engineering.
In 2014, I started participating in bug bounty programs and managed to rank among HackerOne's all-time top 20 hackers, with over 750 security vulnerabilities responsibly disclosed to hundreds of high-profile organizations, the likes of Google, Yahoo, Twitter, Facebook, Uber, etc.
In 2016, I started writing technical content on various cybersecurity topics for Infosec Institute magazine.
In 2017, I joined HackerOne as a security analyst to help with bug bounty program management and triage for different renowned organizations such as the US Air Force, Yahoo, Adobe, Salesforce, etc., as well as closely coordinating with a large community of security researchers.
In 2020, I started undertaking contract work offering security consulting services (penetration testing, security assessment, code review, training, etc.) for companies from various industries. In the same regard, I joined HackerOne's pentest program in 2022 and also became a Bugcrowd certified penetration tester (CPT).
I'm a member of the BSides Ahmedabad CFP review board, a keynote speaker at BSides Amman, and a speaker at various other international conferences such as BSides Belfast, OWASP Seasides in Goa, the International Cybersecurity Conference in Kosovo, etc.
Security advisories
- 2014-09-04, Sagem Fast 3304-V2, "Sagem Fast ADSL Router is vulnerable to an authentication bypass vulnerability which allows modification of the preconfigured root password."
- CVE-2015-7580, Ruby on Rails, "Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x."
- CVE-2015-8474, Redmine, "Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine before 2.6.7, 3.0.x before 3.0.5, and 3.1.x before 3.1.1."
- CVE-2016-5832, WordPress, "The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors."
Projects & Contributions
- Sublert: a security and reconnaissance tool that leverages certificate transparency logs to automatically monitor new subdomains deployed by specific organizations and the TLS/SSL certificates issued for them.
- ASNLookup: an API to quickly look up current information about a specific ASN, organization or registered IP address range (IPv4 and IPv6), among other relevant data.
- Cisco ASA: a script to test for Cisco ASA path traversal vulnerability (CVE-2018-0296) and extract system information.
Conferences & talks
- Software Freedom Day Casablanca, 2015, “Open Source CMS: How secure are they?”
- BSides Belfast, 2018, “An efficient and cost-effective solution to augment organizations’ security”
- BSides Amman, 2019, “A Look Inside the Economics of Bug Bounty Hunting”
- 4th International Conference on Cyber Security and Privacy (CCSP), 2019, “Hacking Web Services’ RESTful APIs”
- OWASP Seasides Goa, 2019, “Leveraging certificate transparency to automate monitoring of new subdomains for fun and profit - Sublert tool release”
Media & Interviews
- Hacker Spotlight: Interview with yassineaboukir, HackerOne
- Hacker Q&A with Yassine Aboukir, Hacken
- Hacker Spotlight Panel - EMEA, HackerOne
- #MentorshipMondays - How to Communicate and Write a Report, HackerOne
- Cybersecurity: profession, bounty hunter 2.0, L'Express
- Gérard Berry: the best of all computing worlds, France Culture
- The lucrative business of bug hunters, 01 Net Magazine (no. 881)
- The perfect digital nomad job: Yassine is an ethical hacker, Digital Nomad Podcast
- The Paranoids’ 2019 Valued Hackers, Yahoo Inc
- Hacker and Security Analyst - Yassine Aboukir, HackerOne
- Cisco ASA Flaw Exploited in DoS Attacks, Security Week
- Young Moroccans excel at discovering vulnerabilities in the world's biggest websites, CNN Arabic
- Two Moroccans shine in a global competition for the best cybersecurity professionals, Hespress