null Delhi Workshop on ‘Bug Bounty Hunting’

This month we had one of our awesome speakers back at the null Delhi chapter. Abhinav did a Humla on Android security testing for the null Delhi chapter in April this year. He quit his job and went off to travel across the whole of South East Asia while freelancing on the go [jealous already :)]. This time he proposed delivering a workshop on Bug Bounties for the null Delhi chapter on 28th August. Bug bounties are one of the most talked-about topics among security professionals, and bug bounty hunters sharing their experiences and techniques gives us a great deal to learn from.

There was some confusion over the venue of the workshop, so we had to move to a new one. Thanks to the team at Sapient, who arranged their premises for the workshop at very short notice.

Abhinav was well prepared for the workshop and had his lab setup and other materials ready. He started by distributing the class materials while doing the introductions with the attendees at the same time. For a long workshop it is important to understand the kind of audience you are going to interact with, so that you can keep things on the same wavelength as the audience.

The Workshop

The title of the workshop was “The Game of Bug Bounty Hunting: Money, Drama, Action and Fame”, so, as the title suggested, it was going to be filled with awesome stuff. This became evident as soon as Abhinav started discussing the agenda, and he made sure to cover all four aspects of bug bounty hunting, i.e., Money, Drama, Action and Fame.

He started the workshop with a Bug Hunting 101: its history and the important skills required to get started with bug hunting. As I expected, the most important skill according to him was not anything technical but “out of the room” thinking (we are not talking about the box anymore because it's too small).

Abhinav had created a nice flowchart of the lifecycle of a bug submission, to show the attendees how long it can sometimes take for a bug report to be validated after submission, and why it is important to be patient after reporting a bug. He also went through the details of companies running their own bug bounty programs and the two best-known public bug bounty platforms out there, i.e., HackerOne and Bugcrowd.

Lifecycle of a Bug Bounty Submission

The most interesting part of his workshop was when he started discussing the aspects of transitioning from a pentester to a seasoned bug hunter. Of course his points were hard-hitting and true to a large extent, so they provoked a good amount of discussion. Later he talked about the approach to take for finding good bugs, and he spent a good amount of time explaining the tricks and techniques that had worked for him. That is the benefit of learning from folks who have spent a good amount of time on a particular thing. In addition to tricks and techniques for quickly finding bugs in applications, Abhinav kept emphasizing the reporting part and being professional throughout the entire communication, with which I couldn't agree more. He also explained which approaches bug hunters should not take and what normally doesn't work when hunting for bugs in applications.

For the next two hours we spent time exploring the scope of a program, looking for some low-hanging fruit and reporting it. He had the participants work with some tools and scripts that can help speed up these tasks.

Later, Abhinav also shared insights into some of the best bugs found to date, which was pretty interesting.

Finally, he talked about the dark side of bug bounties, discussing a couple of bad episodes that played out in public and the lessons learnt from them.

The workshop ended with a discussion of the legal aspects of participating in a bug bounty program and of some of the best resources available on the internet for learning bug hunting.

It was a great workshop for someone looking to start with bug bounty hunting.

All of the links and resources shared during the workshop are available in the slide deck. The slides from the workshop have been uploaded to SlideShare: