What exactly is a BugBounty program? — and understanding why you want to start doing bugbounties
A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse.
Pretty clear, right? Companies set up a bugbounty program and supply information as to what they want researchers to poke at, and if a researcher finds a valid vulnerability, they can report it and hope to receive a reward in return. Companies can choose to reward you with points on bugbounty platforms, swag, or even money.
BugBounties are a great way for companies to work with talented researchers from across the world, but before starting bugbounties you need to learn the difference between the different types of programs and then ask yourself "why do I want to do bugbounties?". Do you plan on doing this full time or just on the side?
Getting a clear view of why you want to start bugbounties will help you achieve your goals a lot quicker and become the creator of your own success. Why do we recommend this? Because bugbounties are growing at a rate of 143% year on year according to reports, companies are using them for a variety of different reasons, and researchers are also participating for a variety of different reasons.
Different types of programs
- Vulnerability Disclosure Program (VDP)
Typically these programs are public and only reward you with points and nothing more. Most people starting in bugbounties are told to start with these programs to 'learn the ropes' and to build 'rep' to receive more invites, but what most researchers don't realise is that some companies running a VDP already have a paying program; it is just private and hidden from the world. Now this goes back to that question, "why do I want to do bugbounties?". Keep that in mind when deciding whether to spend time on a VDP.
With that said, not all companies are able to run more than a VDP, for a variety of reasons, such as being a charity. Just because a company is using a VDP doesn't mean you should ignore them; just be mindful about who you are working with and their reasons for running a VDP.
- Public BugBounty Program
A public bugbounty program, such as Google's or Facebook's, is open to the world and rewards money. There are LOTS of public bugbounty programs out there and some even have wide scopes. This goes back to the start of this guide: become the creator of your own success. Not every company is on a bugbounty platform. Most people are also under the illusion that just because a program is public there will be nothing to find. False! New code and new features are pushed daily.
You also have to consider that if most researchers are avoiding these programs because they think too many eyes are on them, surely there aren't as many eyes as they actually think? ;) Get creative, there are bugs out there.
- Private BugBounty Program
Typically, most private invites you receive will be for paying programs; however, not all private programs pay. You can usually customise your invite preferences on bugbounty platforms if you want to filter paying private programs from non-paying ones. Researchers are usually invited to private programs after showing some activity on the platform, such as a certain number of valid bugs, a certain rep/signal/impact value, or activity within a certain number of days.
You may hear some researchers refer to "VIP" and "secret" programs. These are programs set up by certain companies to work only with hackers they select. There are not usually public criteria to join one of these; you are mostly selected based on your activity on their other program(s) & your skill.
Finding bugbounty programs
For those not wanting to participate on bugbounty platforms, we suggest using Google to find companies with bugbounty programs. Using search terms such as "domain.com vulnerability disclosure program", "[email protected]", "domain.com bugbounty program" and "report domain.com security vulnerability" can help you discover companies prepared to work with researchers away from platforms.
Failing that, you can always check whether a security.txt file exists on the given domain.
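The security.txt check above can be scripted. The following is an added example for this guide, not code from the original page: it tries the two locations defined by RFC 9116 (the `/.well-known/security.txt` path and the legacy root path), parses the fields, and flags a file whose mandatory `Expires` date has passed, which is a sign the contact details may be stale. The sample file embedded in the block is constructed for the example and does not belong to any real company.

```python
"""Check for and parse a security.txt file (RFC 9116).

Added example for this guide, not code from the original page.
The URL paths follow RFC 9116; the sample file below is constructed.
"""
import urllib.request
from datetime import datetime, timezone

# Constructed sample, not a real company's file.
SAMPLE_SECURITY_TXT = """\
# Security contact information for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/report-vulnerability
Expires: 2099-12-31T23:59:00.000Z
Policy: https://example.com/security-policy
Preferred-Languages: en, fr
"""


def parse_security_txt(text):
    """Return {field_name_lowercase: [values...]}.

    Comment lines (#) and blank lines are ignored; field names are
    case-insensitive and may repeat (e.g. several Contact lines).
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # comment, blank or malformed line: skip rather than fail
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def is_expired(fields, now=None):
    """True if the mandatory Expires field is missing, unparsable or in the past."""
    expires = fields.get("expires")
    if not expires:
        return True
    stamp = expires[0].replace("Z", "+00:00")  # fromisoformat needs an offset, not 'Z'
    try:
        when = datetime.fromisoformat(stamp)
    except ValueError:
        return True
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return when <= now


def fetch_security_txt(domain, timeout=10):
    """Try the RFC 9116 location first, then the legacy root path (network call)."""
    for path in ("/.well-known/security.txt", "/security.txt"):
        url = "https://%s%s" % (domain, path)
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                if resp.status == 200:
                    return parse_security_txt(resp.read().decode("utf-8", "replace"))
        except (OSError, ValueError):  # HTTPError/URLError are OSError subclasses
            continue
    return None


def summarise(fields):
    """Return (contact list, policy URL or None, expired?) for quick review."""
    return (fields.get("contact", []),
            fields.get("policy", [None])[0],
            is_expired(fields))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        found = fetch_security_txt(sys.argv[1])
    else:
        found = parse_security_txt(SAMPLE_SECURITY_TXT)  # offline demo
    print(summarise(found) if found else "no security.txt found")
```

Run it with a domain as the first argument to query a live site, or with no argument to parse the constructed sample offline. The parser is deliberately tolerant: a malformed line is skipped rather than aborting the whole check, because you only need the contact and policy fields to decide whether the company wants to hear from researchers.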
Finding your first bug
So you've learnt to hack via challenges, you know what a bugbounty program is and you understand the different types available. You're ready to get stuck in, but sadly one thing we can't advise you on is which program to look at. One big hurdle people struggle to overcome is finding a program to spend their time on, and sadly this is something out of most people's control, especially if you are new and don't have access to as many programs as others.
But there is something we can advise on: hacking, and using your hacking knowledge to find your first bug. Below are some tips and things you can try to help you discover your first bug.
- People say "think outside the box"
and they're right! If you are brand new and want to get stuck in, think about what type of vulnerability you want to try to discover instead of just spraying & praying payloads everywhere and anywhere. Understand the feature you wish to break & get stuck in! (The login flow, for example: if you can break the login flow you are more likely to achieve account takeover.) The beauty of testing for bugs is you can try anything, there are no limits. You are in full control of what's sent to the server.
- Scan & find as much as possible
Old files exist on old servers, even on well-established public programs. Subdomains come up & down all the time. New files appear daily. Spend time understanding what's in scope and begin finding & mapping as much information as possible. Even if a subdomain shows you a 404 error, there may still be an "admin.php" file on there! Your recon can never be complete and you should always be hunting, and now can you see why some researchers have automated their scanning on a large scale? :)
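"Understand what's in scope" is the step that keeps large-scale recon from turning into out-of-scope testing. The block below is an added example for this guide, not the page's own tooling: it takes a program's inclusion and exclusion rules in the common wildcard style and sorts a list of discovered hosts into in-scope and out-of-scope before any of them are touched. The scope rules and the host list are constructed for the example; a real program publishes its own, and exclusions always win over inclusions.

```python
"""Filter discovered hosts against a program's scope definition.

Added example for this guide, not the page's own tooling. The scope rules
and the host list below are constructed; real programs publish their own.
"""

# Constructed scope, in the common "wildcard + explicit host" style.
IN_SCOPE = ["*.example.com", "example.com", "api.example.net"]
OUT_OF_SCOPE = ["*.internal.example.com", "legacy.example.com"]

# Constructed recon output: the kind of list a subdomain scan might return.
DISCOVERED = [
    "www.example.com", "Admin.Example.com.", "db.internal.example.com",
    "legacy.example.com", "api.example.net", "example.com",
    "example.com.evil.test", "cdn.example.net",
]


def normalise(host):
    """Lower-case, drop a trailing dot and any :port suffix (hostnames only)."""
    host = host.strip().lower().rstrip(".")
    if ":" in host:
        host = host.split(":", 1)[0]
    return host


def rule_matches(rule, host):
    """`*.example.com` matches subdomains at any depth but not the apex itself;
    any other rule must match the host exactly."""
    rule = normalise(rule)
    if rule.startswith("*."):
        suffix = rule[1:]           # ".example.com"
        return host.endswith(suffix) and host != rule[2:]
    return host == rule


def in_scope(host, allow=IN_SCOPE, deny=OUT_OF_SCOPE):
    """Exclusions take precedence; anything not explicitly allowed is out."""
    host = normalise(host)
    if any(rule_matches(r, host) for r in deny):
        return False
    return any(rule_matches(r, host) for r in allow)


def split_by_scope(hosts, allow=IN_SCOPE, deny=OUT_OF_SCOPE):
    """Return (in_scope_hosts, out_of_scope_hosts), de-duplicated and sorted."""
    inside, outside = set(), set()
    for h in hosts:
        (inside if in_scope(h, allow, deny) else outside).add(normalise(h))
    return sorted(inside), sorted(outside)


if __name__ == "__main__":
    ok, skipped = split_by_scope(DISCOVERED)
    print("in scope:    ", ok)
    print("out of scope:", skipped)
```

Note the look-alike host `example.com.evil.test`: a naive "contains example.com" check would let it through, which is why the wildcard rule tests for the `.example.com` suffix rather than a substring. Feeding scan output through a filter like this before testing is also the easiest way to show a program that you respected its scope if a report is ever questioned.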
- Don't try too much & set goals!
Sounds a bit weird, but it is very easy to think of lots of different bugs to try and sometimes overlook simple bugs. I've done it, we've all done it, and we'll all carry on doing it! Make sure to set yourself a goal as to what type of bug it is you wish to find. An example would be: I know the parameter ?goto= is vulnerable to reflective XSS from past vulnerabilities, so today I will spend the day testing this parameter across as many endpoints as I can find. It is very easy to spend a day trying lots of things, getting nowhere, and becoming burnt out. If you've become burnt out, take a step back to understand why and find a way to re-engage yourself.
- Mobile apps!
One key thing I see people missing is messing with the mobile app, or even just the mobile version of the site they're testing (if one is available). Most mobile sites use a different code-base and most mobile apps use an API. Download their app (make sure to check different country app stores!), change your user-agent to a mobile device, and start poking! One tip: if they filter XSS on the desktop site, do they also filter it on mobile? I've personally discovered a site-wide XSS issue via the mobile app, as the payloads sent via the mobile API were not filtered on the desktop site.
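The mobile-API-bypasses-desktop-filter situation described above comes from filtering on one input path while the template trusts whatever is stored. The block below is an added example for this guide, not the page's code or any real app's: a constructed profile store has a desktop form that applies a naive blocklist filter and a mobile API that was written separately and applies none, and both write to the same record that the desktop template then renders raw. The hardened render encodes at output time, so it no longer matters which path wrote the data.

```python
"""Why filtering on one entry point is not enough: desktop form vs mobile API.

Added example for this guide, not the page's own code. The filter, the
store and the templates are constructed stand-ins for a real web app.
"""
import html
import re

# Constructed "display name" input; any HTML-bearing value makes the point.
PAYLOAD = "<script>alert(1)</script>"

# Naive blocklist filter that only the desktop site applies on input.
_SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def desktop_input_filter(value):
    return _SCRIPT_TAG.sub("", value)


class ProfileStore:
    """Shared backend: both the desktop site and the mobile API write here."""

    def __init__(self):
        self.names = {}

    def set_via_desktop_form(self, user, display_name):
        # Input filtering happens only on this code path.
        self.names[user] = desktop_input_filter(display_name)

    def set_via_mobile_api(self, user, display_name):
        # The mobile API was written separately and never filters.
        self.names[user] = display_name


def render_profile_vulnerable(store, user):
    """Desktop template trusts stored data as 'already filtered' (vulnerable)."""
    return "<h1>%s</h1>" % store.names[user]


def render_profile_hardened(store, user):
    """Encode at output time, so the write path no longer matters (hardened)."""
    return "<h1>%s</h1>" % html.escape(store.names[user], quote=True)


def demo():
    """Return the rendered output for each path so the difference is visible."""
    store = ProfileStore()
    store.set_via_desktop_form("alice", PAYLOAD)
    store.set_via_mobile_api("bob", PAYLOAD)
    return {
        "desktop_path_vulnerable": render_profile_vulnerable(store, "alice"),
        "mobile_path_vulnerable": render_profile_vulnerable(store, "bob"),
        "mobile_path_hardened": render_profile_hardened(store, "bob"),
    }


if __name__ == "__main__":
    for label, markup in demo().items():
        print("%-25s %s" % (label, markup))
```

The fix is not a second copy of the filter inside the mobile API, because a third client (a partner integration, an import job) would reintroduce the gap; it is contextual output encoding in the one place the data is rendered. The same reasoning applies to the reverse case the passage hints at, a mobile template that trusts data written through the desktop path.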
All of the content on this site has been community-created and has been designed to help you not only have easy access to tutorials & writeups from researchers around the world, but to then apply the knowledge shared straight away on recreated real-world bugbounty situations. From there, use your skills on bugbounty programs. We believe a hacker creates their own story and everyone has their own way of discovering vulnerabilities. Not every case can be "try this, do that", and we hope that through the challenges hackers can begin writing their own story.