Reasons you are not finding bugs, and ways to improve

Vickie Li

Follow

May 3, 2020 · 4 min read

You’ve poured hours and hours, days and days into looking for vulnerabilities and still haven’t found a single one.

You follow all the rules. You use all the tools. You stay in scope. What could be going wrong? What secrets are the leaderboard hackers hiding? Today, let’s discuss the mistakes that prevent you from succeeding in bug bounties, and how you can improve!

You participate in the wrong programs

First, you might be targeting the wrong programs all along.

Some programs downplay the severity of vulnerabilities to avoid payment. Some programs delay acknowledging and fixing bugs because they lack the resources to deal with reports. Finally, some programs restrict their scopes to an extremely small subset of their assets. They run bug bounty programs to benefit from the positive publicity, without the intention of actually fixing vulnerabilities.

Avoid these programs to save yourself the headache. Pick your programs carefully, and prioritize programs that invest in you.

You don’t stick to a program

How long should I target a program? If your answer is “a few hours” or “a few days”, this is the reason you are not finding anything! Countless of experienced hackers have already hacked on your public program. So you have to differentiate yourself from the competition or risk submitting duplicates!

You can differentiate yourself in two ways: you can dig deep, or you can search wide. Dig deep into each functionality of an application to search for complex bugs, or discover and hack obscure assets of the company.

Doing these things well takes time. Don’t expect to find bugs right away when you are starting fresh on a new program. Be patient. Don’t quit a program if you can’t find bugs right away.

You don’t recon

Jumping into big public programs without recon is another way to fail at bug bounties. Effective recon helps you discover new attack surfaces: new subdomains, new endpoints, and new functionality.

Spending time on recon gives you an incredible advantage over other hackers. You get to all the simple and complex bugs first on all the assets that you discover. And therefore, you can report without much fear of duplicates.

You go for low-hanging fruits

First off, don’t rely on scanners. You should assume that all bugs that can be discovered by vulnerability scanners have already been reported.

And avoid only looking for the “obvious” bug types. Simplistic bugs on big targets have probably already been found. For example, a stored-XSS on a forum comment field is something that many hackers will test for.

Instead, strive to gain a deeper understanding of the application’s underlying architecture and logic. From there, you can develop your unique testing methodology that will result in more valuable bugs.

Alternatively, you can develop rare skills, such as mobile hacking and source code review.

You write shitty reports

What if you have no trouble finding bugs, but can’t get companies to resolve your reports?

First, always try to escalate your bugs. If you get a lot of informative, the bugs you find are not impactful and companies see them as an “accepted risk”. In this case, don’t despair. Minor bugs can become big issues if you learn to escalate them. When you find a low-severity bug, don’t report it immediately. Take note and use it in future bug chains instead. For example, instead of reporting an open redirect, use it in an SSRF chain instead.

You might also fail to communicate the bug’s severity in your report. As the researcher who discovered the vulnerability, you shoulder the responsibility of helping your reader understand the impact. Always strive to learn more about a bug class, so that you can explain its impact accurately.

Tips to do better

In conclusion, here are a few tips to help you improve your bug bounty game!

1. Find programs dedicated to running a good bug bounty program.
2. Be patient. Don’t quit a program if you can’t find bugs right away.
3. Hack programs with large scopes and recon a lot! Automate your recon process to save time.
4. Avoid low-hanging fruits. Hunt for novel bug classes and complex vulnerabilities.
5. Develop skills to hack mobile and source code programs.
6. Keep comprehensive notes about the target and chain informative issues into bugs.
7. Write reports with your reader in mind, and always include a severity assessment.

Thanks for reading. And happy hacking.