How to get started with a bug bounty
First things first, let's get right into what a bug bounty is. When a company or group wants real-world pentesting of their application or system, they start a program. These programs describe the rules of engagement so hackers can perform a pentest ethically. That, in its simplest form, is a bug bounty. A bug bounty is different from a Vulnerability Disclosure Program (VDP). A VDP is just the process by which a company lets security-minded people submit findings they have discovered. The other main difference between the two is that a VDP rarely, if ever, gives the researcher anything more than swag or a hall of fame shout-out. The swag is company goodies like mugs and stickers. The hall of fame shout-out will normally come with a link to a place of the researcher's choice (GitHub, Twitter, or a personal website).
Why would a company pay to get hacked
Now that we have covered what a bug bounty is, why would a company want to spend money to have strangers attack their assets? The top reason is that they get access to a vast pool of talent dedicated to finding the vulnerabilities the company's internal team missed. Believe it or not, security often isn't seen as a value-adding activity, so a lot of places think it can be sprinkled on top instead of baked in from the beginning. Companies that do see the value also use bug bounties as a recruiting tool. So keep that in mind as you start your bug bounty journey: once you get good, it's great part-time cash that can lead to full-time work.
What a company needs to start a bug bounty program
Before a company starts a bug bounty program, they need to define a few things for the hackers.
- What is the scope of the program:
  - This is the list of things in bounds for the program. Only things that are included are eligible for monetary rewards; scope can be defined in terms of URLs, OSI stack layers, or specific functionality.
- What is the company focus:
  - This is the main thing the company is trying to get out of the program. At the end of the day they have a goal, be it to harden a system or a piece of functionality. Clearly defining the goal directs the most effort towards fulfilling it. If you want the payment gateway tested the most, telling people so will stop most of them from poking around the About Us page.
- Environment to test:
  - Is the program going to be run against the production site/servers, or against a development/mirror site/server? Whenever possible it's best to use a mirror site/server that matches production as closely as possible. Using development assets might seem tempting, but they are going to be too unstable to test against reliably. A vulnerability might be the result of someone pushing a buggy feature that won't make it to production, which also makes it harder to verify that the vulnerability is valid.
- What type of attacker is the company looking for:
  - This isn't to say the company is looking for a hoodie-wearing, energy-drink-chugging, black-background-green-text hacker (but for the record, all my terminals are just that and I won't apologize). Companies need to focus on the threat actor they are worried about. The three main types are black hat, gray hat, and white hat. Knowing how much insider info to give a program is a very important question. If a white hat tester is needed, then the program should be invite-only.
- Should the program be invite only:
  - As mentioned in the last point, invite-only programs have benefits. The last example given was that a white hat needs a certain level of inside information/access to be successful. Invites can be literal invites on a person-by-person basis or based on a set of criteria, such as a number of bug bounties completed before, a rating on vulnerabilities found in the past, or in some cases having done special CTFs on a site.
Where to find these bug bounty programs
Now that you have a basic understanding of what a bug bounty program is and the benefits of running one, let's talk about where to find them. While you can check with or contact a company directly to find out if they have a program in place, the most common way is to join a bug bounty site like HackerOne. Below are a couple of the top bug bounty platforms that are perfect for beginners and for seasoned hackers looking for a side hustle.
HackerOne
You can earn cash hacking on bounty programs with this platform. Hackers have earned over $150 million through the HackerOne platform. HackerOne was started by hackers and security leaders who were driven by a passion to make the internet safer. Their platform is the industry standard for hacker-powered security. They partner with the global hacker community to surface the most relevant security issues that companies face before they can be exploited by criminals. HackerOne is headquartered in San Francisco with offices in London, New York City, Singapore, and the Netherlands.
Bugcrowd
Bugcrowd incentivizes uniquely-skilled hackers to continuously test companies' critical targets and applications. Whether it's a complex issue that's flown under the radar, or something new introduced with the latest release, Bugcrowd has it covered. Bugcrowd's global community of hackers has the unique skills and perspectives needed to solve tough security challenges. Bugcrowd helped pay over $2 million to researchers for a Samsung Mobile reward program last year alone.
Hackenproof
They are part of the Hacken Ecosystem, with products fueling the cybersecurity industry from all sides: a bug bounty platform, a crypto exchange analytical ranking platform, the cybersecurity conference HackIT, and a Cyber School. HackenProof is headquartered in Tallinn, Estonia, with an R&D office in Kiev, Ukraine.
Final thoughts on how to be a great bug hunter
I'm going to wrap this up with a few words on what it takes to become a great bug hunter. Because practice makes perfect, you are going to need to be practicing in between bug bounty programs. Subscribe to online resources like this very blog and practice the things you read and learn about. Set up a virtual machine as a cheap home lab to test things on. I've created a post all about virtual machines that you can check out here. As most bug bounty programs are related to web targets, "The Web Application Hacker's Handbook" is a must-read book. Watch tutorials and videos related to hacking; "Bug Bounty Hunting Methodology v3 – Jason Haddix" is a great example. And above all, be patient. It will take time to find your first valid bug. Duplicates are everywhere!