He Knocked on Our Garage Door in 2016. Apple Put Him in Their Hall of Fame.

He had no experience in ethical hacking. No experience in hacking at all. And absolutely no background in coding, which made the whole conversation feel a bit surreal. I hired him for a year and told him I would not disturb him. Eighteen months later, he booked a 10-day London trip for ten people for Rs 1... by finding a vulnerability in one of the world's biggest travel platforms. This is that story.

It was 2016. I was walking on the narrow lane in front of our garage office in Coimbatore when a young man approached me. He could not have been more than twenty. He had a small laptop bag on his shoulder and a directness in the way he spoke that I still remember.

Back then, we were paying Rs 4,500 a month for that garage space, and for the first three months, the only furniture we had was a plastic Nilkamal chair that wobbled if you leaned back too far. The neighborhood uncle used to park his scooter right at our entrance, blocking it.

"Bro, I want to work in your company," he said.

I was a bit astonished... people do not generally walk up to founders on the street to ask for jobs. I asked what he wanted to do.

"I want to become an ethical hacker."

It was way too early for our startup to even think about data security. We were not looking for one. Still, I asked a few questions.

The conversation... verbatim

Me: "Do you have any experience in ethical hacking?"
Him: "No bro!"
Me: "Do you have any experience in hacking at all?"
Him: "No bro!"
Me: "Do you know coding?"
Him: "No bro!"

Three questions. Three "No bro." And then a pause in which I genuinely do not know what happened inside my head. Something about the way he had walked up and said what he wanted... no resume, no LinkedIn profile, no intermediary... made me decide.

What I told him
"Ok. I will hire you for a year. I will not disturb you, and I will pay you. After a year, I will ask you one question: did you become an ethical hacker?"

I purposefully gave him no tasks. I would check on him once a month... not to assign work, just to ask how things were going. What he did instead was send me regular updates on what he was learning. Every few weeks, a message. A link to a course he had found. A concept he had got his head around. A tool he had started practising with.

I am not sure why I still think about this specific period. Maybe it does not matter, but the silence from his end was actually reassuring.

Month 1–6 · 2016
Self-teaching from scratch. Regular updates by message. No tasks assigned; no hand-holding given.
Month 7–12 · 2016–17
Began identifying small vulnerabilities in our own codebase. Specific, documented, quietly pointed out.
Month 18 · 2017
Booked a 10-day London trip for the entire team... 10 people... for Rs 1. By exploiting a vulnerability in one of the world's biggest travel booking platforms.
I was reading through the emails... hotel confirmations, flight tickets, sightseeing bookings for 10 people... baffled. Then I checked my phone for transaction SMSes. Instead, there was a WhatsApp message: "Enjoy your London trip bro."

He had found a vulnerability in the booking engine of one of the largest travel companies in the world and used it to book a complete 10-day trip to London for the entire team... flights, hotels, sightseeing... at a total cost of Rs 1. Not Rs 1 per person. Rs 1 total.

We obviously reported the vulnerability to the company and walked them through how to fix it. That was never a question; it was always going to be responsible disclosure.

The London trip · 10 people · 10 days
₹1
Total cost. Booked by exploiting a vulnerability in one of the world's biggest travel booking engines. Every booking was real... hotels, flights, sightseeing. All reported to the company immediately. All fixed.
✈️ Flight tickets × 10 🏨 Hotel bookings × 10 🎡 Sightseeing tickets × 10 📋 Responsibly disclosed

Since then, he has helped identify bugs in some of the biggest platforms in the world. Working mostly from a small laptop and a mobile data connection. No corporate setup. No team. Just the will, and then the way.

Hall of Fame recognitions
🏆 Facebook... 2018 🏆 Facebook... 2020 🏆 Facebook... 2021 🏆 Facebook... 2022 🏆 Apple... Hall of Fame

Where there is a will, there is a way. I have heard this phrase many times and always found it mildly optimistic. I have seen it lived out once. It changed how I think about what a CV is actually measuring... and what it is missing.

The thing I keep thinking about is the three "No bro" answers. Every conventional hiring filter would have ended the conversation there. No experience, no skills, no formal background. The CV was empty. The will was not. And in the end, the will was the only thing that mattered... because everything else can be built, given enough time and someone willing to say: I will not disturb you, I will pay you, go and learn. It is the same reason I hire for trust over credentials — the CV measures what someone has done; it says almost nothing about what they will do when no one is watching.
