
My Bug Bounty Journey

Shoaibsheikh
Published in SecureLink
Jun 5, 2020


In this write-up I would like to share my bug bounty journey.

Disclaimer: I am still learning and in the process of getting a killer bounty 😊

“Hacking” caught my attention during my college days. I have been in the cyber security domain for about 7 years, and I have been diving into bug bounties for about 3 of them. It has been an incredible journey so far. Some of the things that drew me into bug bounty hunting were:

1. Curiosity to learn and to explore major platforms such as Facebook, Google, Microsoft, Amazon and many more for bugs.

2. Developing new techniques and picking up solid technical skills in my area.

3. And obviously, who does not like getting paid some dollars $$$$ :P

Bug bounties require a massive amount of patience, and you do not become a bug hunter overnight. Initially you file plenty of reports that earn nothing and come across responses like ‘not applicable’, ‘informative’ or a string of ‘duplicate’ closures.

It certainly takes a while to start finding valid bugs in real-life targets. The internet was and is my biggest support, and by “internet” I also mean all the stunning reports other hunters publish. Some bug bounty platforms you can tour as a beginner are:

· Bugcrowd

· HackerOne

· Bugbounty.sa (Saudi Arabia)

There is also Synack, a trusted platform with a curated, vetted researcher network, which will help you immensely once you have obtained adequate knowledge of bug bounty programs. Its own description says:

“JOIN THE SRT (Synack Red Team) and you become part of a private network of highly curated and vetted hackers, challenged every day to deliver exploitation discovery and management for some of the biggest brands in the world.”

Alternatively, you can also try your luck with major vendors by reporting the bug straight to their vulnerability reporting email address, e.g. Intel.Product.Security.Incident.Response.Team@intel.com, bugbounty@wickr.com and so on. Check the vendor's published security policy (for example its security.txt) first for the current address, the scope and any safe-harbour terms.

Always remember, nobody knows everything. Start with something you are good at.

I was lucky to find my very first valid bug, in ‘Intel’, within the first month of my journey, which motivated me to continue.

After a few failed attempts, I was successful with Microsoft, Intel again, Wickr, the Dutch Tax and Customs Administration, Sony and others, for some of which I received a few dollars, swag, Hall of Fame entries and appreciation letters. Below are some of the vulnerabilities I reported and snippets of their rewards.

1. Reflected Cross-Site Scripting (XSS)

2. Open Redirection

3. Unencrypted communication

4. Missing SPF record, etc.

Note that findings like 3 and 4 are commonly listed as informational or out of scope in program policies today, so check the scope before reporting them.

(Reward snippets: Microsoft, Wickr, Intel, Sony.)
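As an added example, not taken from the original post, the Python below shows the check behind two of the bug classes listed above: deciding whether a redirect target actually leaves the site (a naive "starts with /" check is what usually gets reported as an open redirect, so the bypass shapes a hunter tries are included) and assessing a domain's SPF posture from its TXT records offline, per RFC 7208. The allow-listed hosts, redirect payloads and TXT strings are constructed for illustration and are not from any program mentioned on this page.

```python
"""Added example (not from the original post): checks behind two of the bug
classes listed above. All hosts, payloads and TXT records are constructed
for illustration only.
"""
from urllib.parse import unquote, urlsplit

# Assumed allow-list of hosts the application may redirect to.
ALLOWED_HOSTS = frozenset({"example.com", "www.example.com"})


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` keeps the user on an allow-listed host.

    Rejects the usual open-redirect bypasses: scheme-relative //evil.com,
    backslash variants, percent-encoded slashes, userinfo tricks and
    non-http schemes such as javascript:.
    """
    if not target:
        return False
    # Decode once so %2F%2Fevil.com is inspected as //evil.com.
    target = unquote(target).strip()
    # Browsers treat backslashes like forward slashes in the authority part,
    # so /\evil.com is really //evil.com.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme:
        # javascript:, data: and friends are never acceptable redirect targets.
        if parts.scheme.lower() not in ("http", "https"):
            return False
        # "https:evil.com" and "http:///evil.com" parse with an empty netloc
        # but browsers still navigate off-site, so reject them outright.
        if not parts.netloc:
            return False
        # .hostname drops userinfo and port: http://example.com@evil.com -> evil.com
        return (parts.hostname or "") in allowed_hosts
    if parts.netloc:
        # Scheme-relative: //evil.com or //example.com.evil.com
        return (parts.hostname or "") in allowed_hosts
    # Plain relative path: exactly one leading slash.
    return target.startswith("/") and not target.startswith("//")


def assess_spf(txt_records) -> str:
    """Classify SPF posture from a domain's TXT records (RFC 7208).

    Returns "missing", "invalid", "strict", "softfail", "neutral",
    "permissive" or "no-all".
    """
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return "missing"      # the "Missing SPF" finding
    if len(spf) > 1:
        return "invalid"      # RFC 7208 section 3.2: multiple records -> permerror
    for term in spf[0].split()[1:]:
        qualifier, mech = "+", term            # qualifier defaults to '+' (pass)
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        if mech.lower() == "all":
            return {"-": "strict", "~": "softfail",
                    "?": "neutral", "+": "permissive"}[qualifier]
    # No explicit 'all': unmatched senders evaluate to neutral. A redirect=
    # modifier, if present, is deliberately not followed in this offline check.
    return "no-all"


if __name__ == "__main__":
    # Constructed redirect payloads a hunter would try against ?next=
    for payload in ["/account", "//evil.com", "/\\evil.com", "https:evil.com",
                    "http://example.com@evil.com", "%2F%2Fevil.com",
                    "javascript:alert(1)"]:
        print(f"{payload!r:32} safe={is_safe_redirect(payload)}")
    # Constructed TXT record sets for a few domains
    print(assess_spf(["v=spf1 include:_spf.google.com -all"]))   # strict
    print(assess_spf(["google-site-verification=abc123"]))       # missing
    print(assess_spf(["v=spf1 +all"]))                           # permissive
```

When hunting, feed the same payload list into the real `next=`/`redirect=` parameter and compare the `Location` header against what `is_safe_redirect` predicts; any payload the application accepts but the function rejects is your open redirect. For SPF, `dig +short TXT <domain>` gives you the record list to pass into `assess_spf`.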

Suggestions for newbies:

· You do not need to be a coding master, but learn the basics of a few programming languages and get good hands-on practice with the OWASP Top 10.

· Spend some time reading reports other hunters have published.

· Please do not go out of scope; be responsible for the actions you take.

· Give companies adequate time to fix a bug before you disclose it publicly.

· Be patient.

· Practice a lot.

· Keep yourself updated with the latest vulnerabilities.

· Do not put too much pressure on yourself. I used to find only one bug a month 😊

Below are some of the essential resources that will help you enhance your bug bounty skills.

1. Bug Bounty Hunting Essentials

https://tawk.link/59d62f534854b82732ff3c9b/a/59d62f0ce950500dfb7245b0/7dc766ff69ec76cf2b27c77c1a54b789c5c418ae/BUG_BOUNTY_HUNTING_ESSENTIALS.pdf

2. https://pentester.land/list-of-bug-bounty-writeups.html#bug-bounty-writeups-published-in-2020

3. The Web Application Hacker's Handbook (Dafydd Stuttard and Marcus Pinto)

4. OWASP Testing Guide

5. Mastering Modern Web Penetration Testing by Prakhar Prasad

Thank you for reading my blog.

You can check out my LinkedIn profile here.