Bug bounty programs… They all seem similar, but are they really all the same?
Finding the right program to target is the first step to being successful in bug bounties. But a large number of programs have emerged within the past few years, and it is becoming difficult to figure out which ones will provide the maximum ROI and learning opportunities.
So how should I pick a program? And how do I prioritize the different metrics of programs, such as payout amount, response time and asset type?
Today, we are going to explore the different types of bug bounty programs in terms of their asset type, analyze the benefits and drawbacks of each type, and figure out which one you should go for!
First, A Fun History Lesson
How did we end up here in the first place? Have bug bounties always been as big a thing as they are now?
Bug bounties are currently one of the most popular ways for organizations to find security bugs. Large corporations like PayPal and Facebook, and government agencies like the US Department of Defense, have all embraced the idea.
The pioneer bug bounty programs
Not too long ago, reporting a vulnerability to a company would more likely land you in jail than earn you a reward.
Then, in 1995, Netscape launched the first-ever bug bounty program. They encouraged users to report bugs in their brand new browser, Netscape Navigator 2.0. This was the first time the idea of crowdsourced security testing was introduced to the Internet world. That means the first bug bounty program was created 25 years ago. Isn’t that amazing?
The next corporate bug bounty program was launched by Mozilla nine years later, in 2004, encouraging users to identify bugs in Firefox.
A bug bounty boom
But it was not until the 2010s that bug bounties became popular. Google launched its bug bounty program in 2010 and Facebook in 2011. These two programs kickstarted the trend of using bug bounties to augment a corporation’s in-house security infrastructure.
The bug bounty zoo
Soon after bug bounties became a more well-known strategy, bug-bounty-as-a-service platforms emerged. The two largest bug bounty platforms, HackerOne and Bugcrowd, were both launched in 2012. After that, a few more platforms, such as Synack, Cobalt, and Intigriti, emerged.
Bug bounty platforms and managed bug bounty services allow companies with limited resources to run a program. And now, bug bounties are widely adopted as an additional security measure for large corporations, small startups, non-profits, and government agencies alike.
Today, the bug bounty world is a diverse marketplace with tons of different programs, all with their own characteristics, difficulties, benefits, and drawbacks. This is what I call “The Bug Bounty Zoo”.
Species One: Social Sites and Applications
Anything that says “social” makes my hacker-heart happy. That’s why the first “species” we’re going to talk about in the bug bounty world are social sites and applications.
Social sites are a special breed worthy of extra attention because they are typically full of potential for critical web vulnerabilities such as IDORs, info leaks, and account takeovers. They are also often complex applications with a lot of user input opportunities, so they are prone to input bugs like SQLi, XSS and other injections as well.
So if you are a newcomer to bug bounties, I recommend that you start with social sites first. Targeting social sites means that you will have a large number of programs to choose from, a large attack surface to work with, and the chance to quickly build a wide range of web security knowledge.
My past blog posts are mostly about web hacking and will give you a good starting point to building these skills:
A good resource that helped me tremendously when starting to hack web applications is Peter Yaworski’s book Web Hacking 101:
Web Hacking 101
Species Two: Non-social Web Applications
Non-social web applications are also a good target for beginners. However, in my experience, they tend to be a little more difficult to hack than social applications and have a smaller attack surface. But this is probably because I prefer to look for IDORs and info leaks when I first start out with a program!
Non-social web applications could also be a very fruitful target. The types of bugs that you should look for in these applications are slightly different than social applications. For these applications, focus on server-side vulnerabilities and vulnerabilities specific to the application’s technology stack.
Species Three: Mobile Applications (Android, iOS and Windows)
After you get the hang of the basics of hacking a web application, you can choose to specialize in mobile applications.
Hacking mobile applications requires the skillset you’ve built from hacking web applications, as well as additional skills like certificate pinning bypass, mobile reverse engineering, and cryptography. It also requires a little more setup than hacking web applications, and requires you to own a mobile device that you can experiment on.
However, the higher barrier to entry for mobile programs is also an advantage: these programs are less competitive and only a small proportion of hackers will attempt them.
Skillset needed (required): knowledge about web vulnerabilities, proxy skills, knowledge about the structure of mobile apps.
Skillset needed (preferred): programming skills related to the platform, cryptography skills, reverse engineering skills.
Additional requirements: Mobile device.
Number of programs: High.
Competition: Low to Moderate.
Barrier to entry: Moderate.
Examples: Facebook Messenger, Twitter App, Line, Yelp, Gmail.
Check out my post here for an introduction to hacking Android applications:
Species Four: Source Code and Executables
If you have more advanced programming and reversing skills, you can give source code programs and executable programs a try.
These programs can entail analyzing code for web vulnerabilities in open source projects and fuzzing binaries for potential buffer overflows. You usually have to understand advanced coding and computer science concepts in order to be successful in these programs.
Keep in mind that these programs are diverse and you have a lot of them to choose from. This means that you don’t have to be a master programmer to hack these programs; rather, aim for a solid understanding of the project’s tech stack and underlying architecture.
Skillset needed (required): knowledge about web vulnerabilities, programming skills related to the codebase, code analysis skills.
Skillset needed (preferred): cryptography skills, software development skills, reverse engineering skills.
Number of programs: High.
Competition: Low.
Barrier to entry: High.
Examples: The Internet Bug Bounty, PHP, WordPress.
For an introduction to reviewing source code, read my post here:
Code Review 101: How to perform source code review to find vulnerabilities in web applications
Species Five: Hardware and IoT
Last but not least, we have Hardware and IoT programs. These are programs that require you to hack devices like cars, smart televisions, and thermostats.
The skills that you need to hack these programs are highly specific: you often need to acquire a deep understanding of the type of device that you are hacking, in addition to understanding common IoT vulnerabilities.
In addition, although some programs will provide you with a free device to hack on, that often only applies to select hackers who’ve already established a relationship with the company. So you might also need the funds to acquire a device on your own to experiment on.
Skillset needed (required): knowledge about web vulnerabilities, programming skills related to the codebase, code analysis skills, specific hardware and IoT skills.
Skillset needed (preferred): cryptography skills, software development skills, reverse engineering skills.
Additional requirements: Hardware or IoT device.
Number of programs: Low.
Competition: Low.
Barrier to entry: High.
Examples: Tesla, Ford.
Choosing the right program for your skillset is crucial if you want to break into the world of bug bounties. I hope this post helped you sort out the various programs that you might be interested in. Good luck and happy hacking!
For more bug bounty tips, like how to get private invites, read this:
For an overview of the types of vulnerabilities and concepts that you’ll need to understand to become a successful hacker, read this:
For tips on writing good vulnerability reports, read this:
Thanks for reading. Is there anything I missed? Feel free to let me know on Twitter: https://twitter.com/vickieli7.
Special thanks to Darkerhack for the topic suggestion. Got any topic ideas for me? Send me a message!