Bug bounty is a joke

aka respect yourself

Like all Medium clickbait titles, this one was meant to grab your attention. However, I believe in this statement despite the opportunities on offer.

The old “hacker af” culture of green-screen terminals and dark rooms is antiquated. There is an almost hidden economy for those willing to dig in plain sight, and a cyber security skill shortage in the US. In 2017 you can hack Google and get 100k for your original work. Zerodium offers up to 500k for a Facebook Messenger RCE + LPE. Offensive security is coming out of the shadows, in a big way.

The surplus and marketing (are we still doing this dumb BugCrowd vs Hackerone competition/comparisons that make no sense???) of some bounty platforms outside of mature bounty programs has given rise to a watered-down state of expertise in participants. We (scratch that, you) have allowed ourselves to be subjected to <$100 payouts when those before us confronted mature programs like Yahoo to prevent such things from happening. Reputation systems introduced the stigma that you must have X signal and Y quality to participate in Z program, pushing the enthusiastic hopefuls to flood low-paying programs with low-quality reports to collect the reputation.

Actually, @k8em0 has talked many times, actively warning companies against starting bounty programs without correct app sec foundations. Otherwise, you’re just bleeding cash for no reason. Does one really want to be paying out for yet another expired subdomain (subdomain takeover, they say…) because Jim forgot to close an old marketing site no one even visits? From my understanding over the years, the payouts should have been for the unique, rare-to-find issues. Some complain of duplicates, but if 10+ people find the same bug, was it really that unique?

Technical write-ups are now just screenshots of cash/cars or “limited disclosure”, which then becomes a metric in the company’s “awesome” bounty presentation. I especially like when hunters excuse themselves from write-ups because they are too “busy”, and yet they are in your inbox asking for another payload/POC/technique.

Screenshots of 404 pages with no additional information, asking whether a “takeover” is possible. The blind lead the blind, and no one in these bounty platforms and the invite-only groups seems to get that this actually affects the incoming quality as well as the behaviour of these self-proclaimed “ethical security researchers” and “most valuable hackers”.

But, whatever. Wherever money dangles itself, low-quality work is sure to follow. I wouldn’t be surprised if a year from now bounty submissions become outsourced the same way companies outsource triage work.

I’m not in a position to fix any of this.

I can, however, tell you, if you reached this far, to respect yourself. If you really are genuinely interested in seeing how far this can go (and it will with or without you)

Respect yourself

Companies should be awarding you for your talent and resources. Invest in that. Don’t be that guy who begs for cracked security tools (there are many of you out there). In my four years of hunting I never bought or had to torrent Burp Suite Pro Edition; I’ve used Burp Suite Community Edition sparingly and it has worked well. When I’m ready to scale maybe I’ll buy Pro, but I respect myself and my skills enough to know that it would never be my crutch.

You don’t need to be in an elite group to succeed. Actually, many of the people I have seen who are most productive aren’t even in any of these invite-only groups. Separate yourself and expand out into the larger world of infosec and software; who knows, you might actually get better than them.

It’s fine and dandy to report a bug you see after stumbling into a low-paying program. However, in the interest of respecting yourself, you should also value yourself. Invest your time in programs that want to invest in you. Many might disagree, but with companies like Zerodium around we are long past the stage of treating bounties as just a thank-you. I have seen more than a few companies promote themselves to get people to participate in their program, even going into detail about multipliers on payouts based on conditions. So value yourself, or don’t.

You are being seen by many people in various areas. No one wants to see that profile picture in your researcher profile with your Guy Fawkes mask or you flipping the bird to the camera. I wonder if you’ll think it’s all lulz when you look back at yourself five years from now and realize what you looked like. Don’t play yourself; we aren’t in 1995, and frankly I don’t think you want to be. Some of you might not survive that jail life.

Respect your work

Join an ESL program if you have trouble writing reports in English. If English is your language, focus on how you communicate; there are many resources online to reference. Drop the crappy techno track, no one wants to hear it. Don’t just copy what you saw written on a blog; take the time to understand and develop your own flow.

Respect the company

The company has no obligation to pay you. None. Zilch. Nada. Get over yourself. You found the bug, but you didn’t commit the fix for it, you didn’t talk to the developer who wrote it, you didn’t set up the meetings and protocols to ensure that that class of bugs doesn’t occur again. Unless you actually are a person of authority in the field who can bet his first child that he knows the bug better than the company, don’t fight it.

If you see yourself constantly battling over reports, you probably shouldn’t be participating in that program. Find companies that mesh well with you and invest in those.

So… are you going to remain a lost sheep or will you rise to the challenge and respect yourself?