Bug Bounties — A Beginner’s Guide

In the ever-expanding tech world, bug bounties are proving lucrative for many. We’re not talking about catching insects here; a bug bounty is a reward paid to an ethical hacker for identifying and disclosing a technical bug found in a participant’s web application (more on this later).

The size of the bounty depends upon the severity of the bug. With data protection being such a hot topic right now, findings which compromise sensitive information for example would likely qualify as a ‘critical’ bug. Bounty hunters are rewarded handsomely for bugs like these — often paid upwards of $2,000.

The nice thing about bug bounty programs is that they don’t discriminate based upon formal qualifications. It doesn’t matter if you don’t have a degree, IT-related certifications or ‘good’ grades — you just need to be able to find bugs in websites and apps. This might sound easier said than done, but it means that more or less anyone can get involved. All you need is:

2. An internet connection

3. A willingness to learn

4. A curious mind

Fortunately, the bug bounty community is very supportive of exchanging information for the greater good of cyber security. This means that there is a ton of inexpensive learning materials available online. Below are some excellent bits for newcomers:

  1. The Web Application Hacker’s Handbook (Dafydd Stuttard, Marcus Pinto)
The bug bounty bible

I cannot recommend this book highly enough. While it might be dauntingly long and years old, the fundamental concepts it teaches do not age. Though exploits change over time, the core way of finding bugs does not: manipulating user input.

(A free link to a PDF of the book hosted by IBM is posted above, but I really do recommend purchasing the book if you’re serious about getting into the field. The author deserves it!)

2. Web Hacking 101 (Peter Yaworski)

Best for beginners

This book is an extremely easy read and strongly recommended to any complete newbie. The author — Peter Yaworski — is a prolific bug bounty hunter and explains how to find many of the most common (and fruitful) bugs around. He also includes real-world examples of bug reports which have been filed and paid out. This is helpful to get a clearer sense of how bug bountying works in practice.

3. Hacker101

HackerOne’s free Hacker101 course

If you learn better by watching videos, then check out this series made by HackerOne (a leading facilitator of bug bounty programs). As they explain:

Hacker101 is a collection of videos that will teach you everything you need to operate as a bug bounty hunter. The material is available to learn for free from HackerOne. Taught by HackerOne’s Cody Brocious, the Hacker101 material is ideal for beginners through to intermediate hackers and located at this GitHub repository and the videos are available through YouTube.

4. Bugcrowd University

This is a free and open source project provided by Bugcrowd (another major host of bug bounty programs). The content features slides, videos and practical work, and is created and taught by leading experts such as Jason Haddix. Check out all of the available material at the official GitHub page.

Legal Hacking

As a bug bounty hunter, you can’t just go around hacking all websites and web apps — you run the risk of breaking the law. To start hacking legally, you have to sign up for bug bounty programs. These are websites — open to everyone — where companies register, outline which of their websites/apps are allowed to be tested and detail some information about payouts for bugs.

Sites which host these bug bounty programs are an instrumental part of the community. We rely on them to find work, mediate between hackers and companies during the reporting process, and serve as a portfolio for our findings! Below are two of the most popular sites to find monetised bug bounty programs:

  1. HackerOne — my personal favourite. They have the largest number of programs on offer, and also feature a ‘Hacktivity’ section which publicly discloses bugs found by consenting parties. This is great for the community as a whole: it educates other bounty hunters about new exploits to look out for, and informs security teams of potential bugs in their own systems. The site paid out over $11 million to bounty hunters in 2017!
  2. Bugcrowd — another good choice. The programs listed include some very high-profile clients including Netflix and Tesla at the time of writing this. They also offer free learning materials taught by expert bounty specialists available at Bugcrowd University.

Many companies also host their own bug bounty programs. Noteworthy participants are Facebook, Google, Microsoft and Intel. With big companies come big bounties!

Google awarded a $100,000 bounty in 2016

This article is the first of an ongoing series focusing on bounty hunting. Coming up soon is a weekly look at the biggest disclosed payouts in the community — stay tuned!

Originally published at medium.com on January 2, 2019.