Bug Hunting Methodologies & “Big” Bug Bounties

When you first read the term “Bug Bounty”, what comes to mind is some kind of reward program. There is nothing wrong with thinking about it that way: you will certainly be rewarded when you work with a bug bounty program, but only if you know exactly what you are doing.

A “Bug Bounty Program” is an open offer made by many websites in order to protect their systems from potential cyber-attacks. The important point is that every party involved gains from such programs, but the ultimate advantage of a bug bounty program is that it helps make the internet a safer and better place.

Bug bounty programs let researchers find bugs, and developers fix them, before the general public becomes aware of them. Those researchers are commonly called “Bug Hunters”. Many famous companies and organizations around the world, such as Facebook, Yahoo, Google, Microsoft, Reddit, Square, and Tesla Motorsports, have contributed greatly to implementing such bug bounty programs.

Hunter and Ready took the initiative of creating the world’s first bug bounty program in 1983. They offered a Volkswagen Beetle to anyone capable of finding and reporting a bug in their operating system, the “Versatile Real-Time Executive”. About a decade later, in 1995, Jarrett Ridlinghafer, then a technical support engineer at “Netscape Communications Corporation”, introduced the phrase “Bug Bounty”. From there, bug bounty programs expanded rapidly thanks to the financial and technical support of world-famous organizations.

Jarrett Ridlinghafer

To become a bug hunter, you first need to register on a bug bounty platform. Today there is a huge variety of such platforms, for example:

  • HackerOne

There is a huge variety of vulnerabilities that can be found during bug hunting, for example:

1) SQL Injection

2) Cross-Site Scripting (XSS)

3) Command Execution

4) Clickjacking

5) Cross-Site Request Forgery

6) Reflected XSS

7) Open Redirects

8) File Upload Vulnerabilities

9) Unencrypted Communication

10) User Enumeration

11) Password Mismanagement

12) Email Spoofing

13) Malvertising

14) Logging & Monitoring

15) Buffer Overflows

16) Directory Traversal

17) DOM-Based XSS

18) Broken Access Control

19) Privilege Escalation

20) Toxic Dependencies

21) XML Bombs

22) Session Fixation

23) XML External Entities

24) Weak Session IDs

25) Information Leakage

26) Lax Security Settings

Before you can start bug hunting, some tools need to be installed, for example:

  • Burp Suite

NOTE :- Most of these tools come pre-installed with Kali Linux.

Bug hunting consists of a sequence of steps. After registering on a suitable bug bounty platform, you research the vulnerabilities of different organizations. As mentioned before, there is a huge number of vulnerability classes that can be found during bug hunting, so at the beginning you should pick one and try your best to exploit it; the tools mentioned above will be really useful for that.

You have to be really careful before you start testing for a vulnerability. It is compulsory to read the organization’s scope carefully before starting. The scope contains the rules and regulations of that particular organization, and if you violate any of them there is a real possibility of ending up in prison. So reading the scope is the most important thing to do before you start attacking a vulnerability.

After exploiting a vulnerability successfully, you have to write a complete report covering the vulnerability, the exploitation method and the impact that bug could have on the organization. You can send that report directly to the organization, or submit it through the bug bounty platform you are registered on.
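Because scope violations are the easiest way to get a report rejected (or worse), it helps to check every target host against the program’s scope mechanically before touching it. The snippet below is an added example written for this post, not code from the original article or from any bug bounty platform; the scope entries are constructed for a hypothetical program, and the wildcard rules (a `*.` entry covers subdomains only, and exclusions always win over inclusions) are an assumption that you should confirm against the actual policy text of the program you work with.

```python
from urllib.parse import urlsplit

# Constructed scope entries for a hypothetical program; real programs publish
# their own lists and their own wildcard semantics.
IN_SCOPE = ["*.example.com", "api.example.net"]
OUT_OF_SCOPE = ["legacy.example.com", "*.corp.example.com"]


def host_of(target):
    """Return the lowercase hostname of a URL or a bare host[:port] string."""
    if "://" not in target:
        target = "//" + target          # lets urlsplit treat a bare host as a netloc
    host = urlsplit(target).hostname    # strips scheme, port, path and userinfo
    return host.lower() if host else ""


def matches(host, pattern):
    """True if host falls under pattern.

    A pattern of the form '*.example.com' matches any host that has at least one
    label in front of 'example.com'; it deliberately does not match the apex
    'example.com' nor look-alikes such as 'evil-example.com'.
    """
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]            # '.example.com'
        return host.endswith(suffix) and host != suffix[1:]
    return host == pattern


def is_in_scope(target):
    """Decide whether a URL or hostname may be tested under the constructed scope."""
    host = host_of(target)
    if not host:
        return False
    # Exclusions are evaluated first so that a specific out-of-scope entry
    # overrides a broad wildcard inclusion.
    if any(matches(host, p) for p in OUT_OF_SCOPE):
        return False
    return any(matches(host, p) for p in IN_SCOPE)


if __name__ == "__main__":
    for t in ["https://shop.example.com/cart", "legacy.example.com",
              "evil-example.com", "example.com", "api.example.net:8443"]:
        print(f"{t:35} in scope: {is_in_scope(t)}")
```

Run it before every test session with the program’s current scope pasted in: the apex domain, look-alike domains and anything under an explicit exclusion come back as out of scope, which is exactly the set of hosts where “it looked like a subdomain” is not a defence.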

If you submit a valid report to an organization about one of its vulnerabilities, it will most probably reward you with a bounty. That can be a sum of money, a pen drive or a T-shirt. If the bounty is money, the amount depends on the impact of that particular vulnerability. It is important to remember, though, that not every organization will reward you with a bounty; sometimes they might simply send you a “Thank You” message.

Now let’s look at some widely publicised bug bounty incidents that were reported recently.

1) HackerOne Breach Leads to $20,000 Bounty Reward

  • HackerOne once paid out $20,000 after a high-severity vulnerability was discovered in the bug bounty platform itself. The flaw allowed an outside bounty hunter to access customers’ reports and other sensitive information.

2) A critical SQL injection vulnerability exposed nearly one million financial records stored in a Starbucks enterprise database

  • Eugene Lim, aka spaceraccoon, earned $4,000 after reporting the flaw to Starbucks via the company’s bug bounty program on HackerOne. The security hole was identified on April 8 and was patched within two days. The vulnerability report he submitted to HackerOne was made public on August 6, 2019.
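The Starbucks case above, and item 1 of the vulnerability list, both come down to a single coding pattern: user input concatenated into SQL text. The following is an added example written for this post, not code from the original article, from Starbucks or from the cited report; it uses a constructed in-memory SQLite table standing in for a records database, and shows the vulnerable lookup next to its parameterized replacement so that the difference can be checked as a regression test rather than taken on faith.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table; the rows are sample data, not real records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO accounts (email, balance) VALUES (?, ?)",
        [("alice@example.com", 12.50), ("bob@example.com", 80.00),
         ("carol@example.com", 3.25), ("o'brien@example.com", 41.00)],
    )
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable pattern: the caller's string is pasted into the SQL text,
    so quotes in the input change the structure of the statement."""
    sql = "SELECT email, balance FROM accounts WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened pattern: the driver binds the value as data; it can never
    become part of the SQL grammar, whatever characters it contains."""
    return conn.execute(
        "SELECT email, balance FROM accounts WHERE email = ?", (email,)
    ).fetchall()


def compare(conn, email):
    """Return (rows from unsafe lookup or the error name, rows from safe lookup)
    for one input, so the two behaviours can be asserted side by side."""
    try:
        unsafe = lookup_unsafe(conn, email)
    except sqlite3.OperationalError as exc:
        unsafe = type(exc).__name__          # a quote in the input broke the statement
    return unsafe, lookup_safe(conn, email)


if __name__ == "__main__":
    db = make_db()
    # A legitimate address with an apostrophe: the unsafe version errors out,
    # the safe version finds the row.
    print(compare(db, "o'brien@example.com"))
    # The textbook tautology: the unsafe version returns every row in the table,
    # the safe version returns nothing because no email equals that string.
    print(compare(db, "' OR '1'='1"))
```

The apostrophe case is the one defenders should watch for in logs: an `OperationalError` (or the equivalent in your driver) triggered by ordinary customer data is often the first visible sign that a query is built by string formatting. The fix is the same in every language and driver: bind parameters, never interpolate.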