Arne Swinnen is a pretty typical guy; he enjoys playing soccer, swimming, and cycling. Based in Belgium, he recently taught his 4-year-old son how to ride a bike and his 1-year-old daughter how to take her first (baby) steps.
Swinnen is also one of Salesforce’s most active hackers.
Not in the way you might think, however. While pop culture often casts hackers as “bad guys,” many of the world’s top companies, including Salesforce, now enlist ethical hackers to help identify and fix security vulnerabilities.
In fact, bug bounty programs are an important part of managing security bugs and surfacing potential issues to help companies like Salesforce keep customer data secure. In 2021 alone, Salesforce rewarded over $2.8 million in bounties to ethical hackers who submitted more than 4,700 reports of suspected vulnerabilities.
We sat down with Swinnen to learn more about his hacking experience, what motivates him, and the advice he has for other ethical hackers.
Q: What sparked your interest in hacking?
I’ve been hacking for over 10 years. I was initially exposed to hacking during my computer science studies in college. Then in my master’s program for securing software, I participated in a virtual capture-the-flag team where we competed against other universities. That experience was the start of my love for trying to find loopholes in software.
Bug bounties were only in their inception phase after I graduated, but I soon discovered the flexibility that the lifestyle provided for me over other jobs, and decided that was what I wanted to do for a living. I’m now a full-time bug bounty hunter.
Q: How did you get involved in bug bounty programs?
I appreciate the technical and intellectual challenges inherent to bug bounty hunting. It’s encouraging to know that my work and discoveries could help prevent a breach or tech issues that could negatively affect millions of users. It adds a whole new dimension to the impact of my efforts — it’s not about a paycheck, but a purpose.
Q: Why do you choose to work on Salesforce’s bug bounty program?
There are millions of programs out there, but Salesforce is one of my favorites — it’s actually my main program — and in my opinion, one of the most mature programs out there. There’s a mutual level of trust and transparency with the Salesforce Bug Bounty Team.
Most importantly, the Team is receptive and appreciative of my findings. They respond quickly to my reports and have a dedicated Triage Team with a deep understanding of complex bugs and esoteric functionalities, which sets Salesforce apart from other bug bounty programs I’ve worked on.
Additionally, Salesforce is really investing in their Bug Bounty Program — they rigorously add scope to the program, which continually makes it an interesting program for me to devote time to. They also run regular promotions, and when there’s a big promotion, I can’t stop thinking about it.
Q: What advice would you give to someone just beginning their journey within a bug bounty program?
As a starting point, you don’t have to look for critical issues, but look for anything you think is a bug and submit it. Salesforce, for example, is very risk aware, so if it’s a very minor but valid issue, you’ll be recognized by the team.
Once you build up your credibility and submit enough valid reports to the team over time, you may be invited to their VIP program, where you’ll have exclusive access to new scope, promotions, and significant payouts.
The ability to find and fix vulnerabilities before products are rolled out to users is core to Salesforce’s broader security initiatives and helps maintain trust among its customers, partners, and ecosystem. Salesforce continuously evolves its bug bounty program, engaging with ethical hackers to protect the company’s growing product portfolio, and continuing to facilitate hacker-powered testing of many products even earlier in their development cycles.