Mustafa Hasan
Public earnings
$0
Public findings
0
Biography
How it all started
I got interested in hacking during my early university days. I started learning web security by trying XSS payloads in every input field I saw while browsing. Later on, I discovered bug bounties and that was my true first step in my career as a security professional. I created a HackerOne profile and started hunting on programs such as Yahoo!, Zomato, AT&T, Squarespace, Warner Bros, and others. I also took part in standalone bug bounty programs such as the Google VRP and Microsoft's MSRC.
Next stop
I then moved to Malaysia to finish my studies. I worked as a research assistant at my university, where I developed the full bus tracking and fare system as my graduation project, as well as taking part in developing the queue management system used by all the university's bureaus. I continued bug hunting on the side of my studies and work.
Beginning of information security career
Once I got back to my country, I joined a local pentesting shop where I did pentesting for very high profile clients such as the Central Bank of Egypt, the National Bank of Egypt, Vodafone, Banque du Caire, First Abu Dhabi Bank, Abu Dhabi Islamic Bank, among others. In parallel, I joined HackerOne as a part-time triage teamer, where I still do triage for all of our top clients such as AT&T, Booking.com, Porsche, MongoDB, Bybit, Wallet by Telegram, American Airlines, etc. I then joined DeliveryHero as a security engineer. DeliveryHero is a holding company that owns food delivery businesses, and my role involved pentesting all of the assets under DeliveryHero as well as the companies it owns. My day-to-day activities also involved security architecture, threat modeling, and code reviews for all our brands.
Leap of faith into Web3
One day, a friend of mine asked me if I was interested in Web3 and blockchain security. Knowing nothing about the subject, I felt interested but had no idea what he was talking about. He connected me to the folks at Halborn as they were hiring and looking for security engineers. I started learning about how blockchains work, what wallets were, and what Solidity and Rust looked like. I then learned a bit about the EVM, Solana, NEAR, and Substrate. I passed the test and was accepted as a security engineer, and joined Halborn as a NEAR/Substrate ecosystem auditor. I worked at Halborn for a year, and it was a very essential step in my journey as a Web3 and smart contract auditor.
Web3 career progression
I was then approached by Quantstamp for a senior smart contract auditor role. I passed the interviews and joined the great team there. My experience involved EVM, Solana and NEAR audits. I also performed pentesting and wallet source code review activities, as well as reviewing codebases for bridges, governance, AMMs, lending/borrowing, node sale, and NFT protocols. I recently made my latest move to Spearbit as an LSR.
Security portfolio
| Title | Description |
|---|---|
| Google VRP profile | Public Google VRP researcher profile. |
| eCPPT certification | eLearnSecurity Certified Professional Penetration Tester certification. |
| eWPTX certification | eLearnSecurity Web Application Penetration Tester eXtreme certification. |
| eMAPT certification | eLearnSecurity Mobile Application Penetration Tester certification. |
| Aurora - Staking Farm Audit | Audit performed at Halborn. |
| Octopus Network NEAR Smart Contract Audit | Audit performed at Halborn. |
| HackerOne public profile | HackerOne profile. |
| IntentX Audit | Audit performed at Quantstamp. |
| Zero Name Service (ZNS) | Audit performed at Quantstamp. |
| Powerloom L2 | Audit performed at Quantstamp. |
| Archi Finance | Audit performed at Quantstamp. |
| Liquid Collective - Solana | Audit performed at Quantstamp. |
| Exceed Finance Liquid Staking & Early Purchase | Audit performed at Quantstamp. |