I decided to venture into the world of bug hunting in late 2018. I started with hackerone, synack and bugcrowd, and here are some of my tips and experiences from my virgin journey. For a start, I am a full-time Cyber Security Advisor specializing in Penetration Testing and Incident Response. I have a background in Vulnerability Assessment, SIEM and Compliance Testing. In total I have been in IT security for more than 15 years of my career.
1. Bug hunting is by far the most challenging experience in my career. In my honest opinion, it beats any certification/training in the market. It is a great way to learn something from scratch. There are tons of materials on the Web. My suggestion is to read up on as much material as you can get hold of. Some good sites include hackerone public reports, Real World Bug Hunting and Web Hacking 101 by Peter Yaworski and Orange Tsai. Medium is a great place for blogs too.
2. Get a mentor if you can. It is much faster if you have someone more experienced in bug hunting to help you get started. Though, not many people are willing to share their skills due to the competitive nature of bug hunting. Good places to look for help are people that you know in real life. Get involved in your local social/special interest group meetups. Personal connections beat trying to direct message a cocky hacker on Twitter.
3. Look for easy bugs such as cross-referer domain leaks, private information leaks to 3rd parties, missing authorization, CSRF, etc. The reason why bug hunting is so difficult is that there are just so many hackers testing the same programme. By the time you start hunting, over 100 bugs may already have been reported, so do prepare for duplicates after submission.
4. Practice report writing, with special attention to impact. Different platforms have different expectations. All platforms expect bugs to be reproducible based on your report, so make each bullet point clear and concise. After that, make sure the impact is clearly described. Avoid cutting and pasting VA reports. Some platforms will deduct your reputation points for hypothetical reports, so beware. Bug hunting reports are actual hacking PoCs: you need to be able to carry out the attack and show the business impact. Include screenshots with descriptions of each step.
5. Do not give up. When I first started on hackerone, I was dipping under 100 rep points, but gradually managed to bring it up to 300+. I also made about USD3000 combined on different platforms. But the initial frustration almost made me give up. I can attest that pen-testing in my day job is far easier than bug hunting.
6. Start with programmes that do not pay bounties. It is easier and more likely to find a bug there than on paid programmes, due to the competitiveness of the latter. Once you have an idea, go ahead and shoot for paid bounties. Also, if you feel it is too difficult to find valid bugs on a bug bounty platform, just test some random site; you'll be amazed at how easy it is to spot a bug (even severe ones) on websites that do not participate in bug bounties. But pay special attention to the law, as you might be crossing the line here. If they have a responsible disclosure programme, you may opt to inform them of your findings.
7. Try to understand what each platform or programme is looking for. E.g. programme ABC is interested in content spoofing, so if you find such bugs, they are more likely to pay for them. The same bug might not be accepted on programme XYZ, simply because their risk registers are different. It is hard to say which bugs will be accepted, so read their policy carefully.
8. Be respectful with both programme and platform staff. They get to determine if your bugs get triaged. The final say lies with the programme owner or platform staff.
9. Be creative with your bugs; if you expect to only hunt for the OWASP Top 10, you will be disappointed. Such bugs are heavily hunted and, like Pokemon, are less likely to appear. Be resourceful, read other hackers' reports and try to innovate. Do not copy and paste other hackers' reports; you will most likely get rejected.
10. This is especially true on hackerone: it is easier to get an accepted bug on programmes that are not run by hackerone staff. I don't know why, but I feel the programme owners are more lenient with acceptable bugs than hackerone staff. This is just my observation.
11. Lastly, keep abreast of the latest research in cyber security. There are many notable researchers in this field; e.g. James Kettle and Orange Tsai are fine examples of pioneers that have dropped pretty big findings recently. Follow them on Twitter. Ben Sadeghipour, a notable hackerone hacker, is also worth following as he has live telecasts of bug bounty tips.
Overall, I am an old fart of 42 years but still learning, and the guys I am learning from are half my age. While most of my peers are now Head of Info Sec or CISOs, I choose to follow my mid-life crisis; that is, to continue to remain a tech guy. I'm getting better and my goal for next year (2020) is to hit 900 rep on hackerone. It is definitely challenging to balance bug hunting with a family and a full-time job, but success is so sweet. I've made enough money from bounties in the last 4 months to buy my whole family flight tickets to Europe for our holiday!
It is late 2019, and I'm sitting where you were in late 2018 :-)
Thanks for the advice, and good luck for your journey ...
Thanks for your comment. Indeed the journey is very challenging but rewarding. Good luck to you! Do share your experiences; I would love to read about them.