Hello World! I'm
I was just looking for bugs in the app for fun
I enjoy finding bugs in applications; sometimes I report them, and sometimes I don’t. I am neither a good person nor a bad one. I’m a mix of both.
My motivation towards cybersecurity is unclear; sometimes it’s just for fun, sometimes I get serious. Well… it’s mostly just for fun, haha.
Location: Central Kalimantan, Indonesia
Education: Penetration Testing
Experience: 1337 Years
Interests: Tech, Anime, Isekai
Terminal
Firefox
Burp Suite
Script Kiddie • 2018
In 2018, I was just a school kid, drawn to the word “hacker” out of pure curiosity, starting with something as simple as breaking into Wi-Fi using a smartphone. Termux was my favorite app at the time. My very first favorite script was an SMS spammer that exploited OTP APIs with no rate limiting. Three months later, I stopped pursuing my interest in the world of “hackers.”
Just a skid • 2019 - 2020
By the end of 2019 into 2020, I returned to my old curiosity, but everything remained the same. It was still just SMS spam, call spam, and pointless virtex wars on WhatsApp. More absurdly, I even found myself hating K-pop fans and TikTok users. I was still very much a kid back then. There was no real improvement, no meaningful progress, because it was all just play, never serious. Yet in that chaos, something quietly began: I started learning to write simple scripts in Bash. It was the first programming language I ever learned, and the first step I didn’t realize mattered.
Digital Agency • 2020
In July 2020, I gathered the courage to create my first YouTube channel, Randi Noober, with a profile picture inspired by the COVID era, something I can only laugh at now. My first content was Minecraft, but as time passed, those videos were set to private, and my focus shifted toward coding and simple technical tips. At that time, all I cared about was sharing my knowledge with others as quickly as possible, even if it was something I had only just learned myself.
Still Lammer • 2020 - 2021
By the end of 2020, I graduated from school but was forced to stop my education due to economic hardship. While my friends moved on, I was left behind, slowly losing motivation. With only a low-end smartphone, 1 GB RAM and 16 GB storage, I found an escape in the defacer scene. I knew it was wrong, but as a kid, it felt “cool” to break into systems others didn’t understand. There were no clear paths to bug bounty or responsible disclosure back then—only defacement mirrors, simple exploits, and the pursuit of a shell backdoor that offered the illusion of control.
Pure Defacer • 2021
I began to lose my way. Economic hardship limited my access to the internet, and every day I scraped together just Rp.3,000 for Wi-Fi, to escape, to distract myself, and to keep learning about defacing. As the year neared its end, I drifted further off course. With money running out, I misused my skills, selling collected shell backdoors to online gambling SEO operators, fully aware of how they would be used. Targeting servers with multiple domains, I sold each shell for $1-$2, and eventually, that was how I bought my first smartphone with my own money.
Still Defacer • 2022 - 2023
By the end of 2021, I began to see things more clearly. I was trapped in constant overthinking, haunted by a single thought, ongoing sin. Fortunately, my uncle invited me to work with him, accompanying his mobile health checkups while he also sold herbal medicine. At first, it felt completely out of place, nothing like me, but over time I grew used to it. Around that period, I lost my phone and spent a long while disconnected from the digital world. Eventually, I saved enough to buy a second-hand phone, using it only for defacing, no longer for selling, just a lingering habit I hadn’t fully let go of.
Beginner • 2023 - 2024
In 2023, I left defacing, briefly returned, and finally quit again by the end of 2024, even selling shell backdoors for a short time due to limited internet access and unemployment. I eventually moved away from those habits, focusing on gaming, until a video about a bug bounty course appeared on my feed in late 2024. Seeing members receive certificates of appreciation from CSIRT teams across Indonesia was eye-opening, realizing that even a simple bug like XSS could earn official recognition.
Beginner • 2024 - 2025
In 2024, I joined the course, and from that point my mindset toward bug hunting began to change. It was no longer about shell backdoors or defending them from others. Since the material didn’t fully resonate with me, I continued learning through YouTube, starting with terminal-based recon and scanning—subdomain enumeration, live host filtering, URL harvesting, and XSS scanning, while also studying manual techniques like Broken Access Control, improper authorization, server misconfigurations, and other real-world vulnerabilities.
Beginner • 2025
By the end of 2024, I earned my first certificate and my first bounty from BINUS, while also collecting multiple certificates of appreciation from CSIRT teams across Indonesia. The more I progressed, the more I regretted not discovering bug bounty earlier, realizing how much better this path was compared to defacing. In 2025, I launched an eBook on bug hunting fundamentals along with a private group, which later evolved into a more structured learning space. As I continued, bug bounty rewards came more frequently, strengthening my portfolio—and this is the path I continue to walk today.
Bug Hunter • 2024 - 2025
I began searching for vulnerabilities to report, with my main goal being to earn certificates of appreciation. After collecting around 30+ certificates, I slowly started trying bug bounty, even though many of my reports were rejected. My first report was a self-XSS via cookie on HackerOne.
Bug Hunter • 2025
I began to focus fully on bug bounty, prioritizing rewards over certificates alone. My first bounty came from BINUS, small by bug bounty standards, but it marked the beginning. From there, I concentrated on hunting through self-hosted bug bounty programs, and that persistence paid off, leading to successful bounties with platforms like Floq, well-known hosting services, and self-hosted programs such as Samsung and Proton, as well as through Bugcrowd and Intigriti.