Bug Bounty program — A crowd-sourced platform that connects many organizations globally and encourages the disclosure of in-scope vulnerabilities by independent ethical hackers.
What is meant by a crowd-sourced platform?
According to Google, to crowd-source means to obtain information or input into a particular task or project by enlisting the services of a large number of people, either paid or unpaid, typically via the Internet.
Example: Bugcrowd, a security crowdsourcing platform where many organizations receive reports of undisclosed vulnerabilities and reward the people who report in-scope ones with bounties or points.
Bug Bounty Platforms (only some are listed):
Simply put, a bounty is a reward (points or money) offered by the organization for reporting bugs that may cause security issues.
History of Bug Bounty
First Bug Bounty Program: In 1983, the Versatile Real-Time Executive operating system from Mentor Graphics announced that anyone who found and reported a bug would receive a Volkswagen Beetle (a.k.a. Bug) in recognition.
Later, in 1995, Netscape’s software engineers were fixing the product’s bugs on their own and publishing the fixes, either in online news, in forums set up by Netscape’s technical support department, or on the unofficial “Netscape U-FAQ” website, which listed all known bugs and features of the browser. So Jarrett Ridlinghafer, an engineer at Netscape Communications Corporation, coined the name ‘Netscape Bugs Bounty Program’.
In 2011, Facebook launched its bug bounty program and started paying researchers who found and reported security bugs by issuing them “White Hat” debit cards.
After this, many companies such as Google, Microsoft, GitHub, Uber, Intel and Adobe started bug bounty programs.
Bug Hunter (For Beginners)
To become a bug hunter, you have to learn and practice.
Treat all kinds of resources as important; your basic knowledge of security flaws and bugs should be clear.
Learn concepts like the OWASP Top 10 security risks, CEH, pentesting of web applications, mobile and network devices, Linux distros, Bash and other scripting languages, and Linux commands.
Practice with Kali Linux, Burp Suite and other security testing tools and frameworks.
Study bugs and vulnerabilities in the OWASP Testing Guide, on YouTube or in books.
Learn about bugs and how they are exploited.
Start pentesting (web applications, Android, IoT, etc.).
After learning about bugs and becoming able to pentest and find them, start reporting. Bugs can be reported through either:
1. A security crowdsourcing platform.
2. Responsible disclosure (reporting bugs directly to the organization).
A report must include:
Title of the vulnerability,
Steps to reproduce,
PoC (screenshot or video).
Keep this in mind:
Don’t give up when your report is marked as unresolved, duplicate or won’t fix. Don’t expect bounties, and don’t compare your PoC with others’; instead, read other similar reports only to understand the impact. Don’t limit yourself from learning.
Happy Learning! Happy Hunters!