Just about Bug Bounty.

YESHWANTHINI S
Sep 16, 2020 · 3 min read
Bug Bounty Program.

Bug Bounty program: a crowd-sourced platform that connects many organizations globally with independent ethical hackers and encourages the disclosure of in-scope vulnerabilities.

What is meant by a crowd-sourced platform?

According to Google, to crowdsource means to obtain (information or input into a particular task or project) by enlisting the services of a large number of people, either paid or unpaid, typically via the Internet.

Example: Bugcrowd, a crowdsourced security platform where many organizations invite reports of their undisclosed vulnerabilities and reward the people who report in-scope vulnerabilities with bounties or points.

Bug Bounty Platforms (only some are listed):

HackerOne

Bugcrowd

Synack

Intigriti

Simply put, a bug bounty is a reward (points or a bounty) offered by the organization for reporting bugs that may cause security issues.

History of Bug Bounty

First Bug Bounty Program: In 1983, Mentor Graphics' Versatile Real-Time Executive operating system offered anyone who found and reported a bug a Volkswagen Beetle (a.k.a. a Bug) as recognition.


Later, in 1995, Netscape's software engineers were fixing the product's bugs on their own and publishing the fixes, either in online news, in forums set up by Netscape's technical support department, or on the unofficial "Netscape U-FAQ" website, which listed all known bugs and features of the browser. So Jarrett Ridlinghafer, an engineer at Netscape Communications Corporation, coined the name 'Netscape Bugs Bounty Program'.

Netscape launched the first technology bug bounty program for the Netscape Navigator 2.0 Beta browser.

In 2011, Facebook launched its bug bounty program and started paying researchers who found and reported security bugs by issuing them "White Hat" debit cards.

In 2014, Facebook stopped issuing debit cards to researchers.

After this, many companies such as Google, Microsoft, GitHub, Uber, Intel and Adobe started bug bounty programs.

Bug Hunter (For Beginners)

To become a bug hunter, you have to learn and practice.

Treat all kinds of resources as important; your basic knowledge of security flaws and bugs should be clear.

Learn concepts such as the OWASP Top 10 security risks, CEH, pentesting of web applications, mobile, network devices, Linux distros, Bash and other scripting languages, and Linux commands.

Practice with Kali Linux, Burp Suite, and security testing tools and frameworks.

Study bugs and vulnerabilities through the OWASP Testing Guide, YouTube, or books.

Learn about bugs and how they are exploited.

Start pentesting (web applications, Android, IoT, etc.).

Bounty Hunter

After learning about bugs and becoming able to pentest and find them, start reporting. Bugs can be reported either through

1. A security crowdsourcing platform.

2. Responsible disclosure (reporting bugs directly to the organization).

A report must include:

Title of the vulnerability,

Description,

Method to reproduce,

CVSS,

Priority/Severity,

Impact (technical only),

Remediation,

PoC (Screenshot or video).


Keep this in mind:

Don't give up when your report is marked unresolved, duplicate, or won't fix. Don't expect bounties, and don't compare your PoC with others'; instead, check other similar reports to understand the impact alone. Don't limit yourself from learning.

Happy Learning! Happy Hunters!

Techiepedia

Where the Tech is written
