
10 Rules of Bug Bounty



1. Targeting the Bug Bounty Program
How long do you target a program?
If the answer is just a few hours or a night, then that is where you are going wrong. Bug hunting is a matter of skill and luck. Spending just a few hours on a program is likely a waste, because those bugs have mostly been reported already. You may end up getting depressed by duplicates. I would suggest choosing a program and spending at least a week on it. Big bugs take time. Take your time to understand the functionality of the application. Keep writing notes and keep track of suspicious endpoints.
You are not going to earn much for a known issue unless you are very early to report it. If you find out about a public program 10-12 hours after its launch, don't waste your time looking for known issues or low-hanging fruit. Just take a deep dive into the application.
2. How Do You Approach the Target?

If the answer is just signing up at the target and checking for vulnerabilities like CSRF, XSS, subdomains, etc., then this could be the problem that leaves you with many duplicates or no bugs at all. I would suggest first checking the target's documentation, doing recon on the target, and understanding the functionalities and privileges of the users in the target. Recon, check their docs, and gather information for at least 1-2 days before you start attacking.

3. Don't Expect Anything!
We believe this is the most common thing bug hunters do after reporting bugs: they expect the upcoming reward amount. Don't expect anything. Just close the report and start looking for other bugs, because expecting a reward can end up making you sad.
If you made up your mind that you are going to hunt bugs in a matter of hours or a night, this may or may not work every time.
Some high-severity bugs may get rewarded with low or average bounties. Don't shout at the program; just ask them politely what the reason for the bounty decision could be. More importantly, be happy and thankful to yourself for what you found.
Try to accept this: "Sometimes we may get unexpected rewards for small issues; we should also accept lower amounts for high-severity issues as well."
4. Less Knowledge About Vulnerabilities and Testing Methodologies:
This is also a common scenario: a lot of new bounty hunters start looking for bugs without basic knowledge of how things work. What I have learned from my personal experience is that you will only get to know how an application works once you know how they build it. It is necessary to first know how an application is built with a programming language before you start breaking it.
5. Surround Yourself with the Bug Bounty Community to Keep Yourself Updated.
1. Create a Twitter handle and go to the HackerOne leaderboard.
2. Go to their HackerOne profiles one by one and follow them on Twitter. The same applies to Bugcrowd and other platforms as well. This way you can surround yourself with bug hunters and security researchers.
3. Keep bookmarking.
4. Join Bug Bounty World on Slack, keep reading their blogs, tools and general channels and their conversations about testing, and share what you know.
6. AUTOMATION: "Automation is power." If you want to automate things, you need to learn scripting. It is highly recommended to learn some programming language. Some of the best scripting languages are JS, Python, Ruby and Bash; even knowing some curl tricks or basic bash commands gives you the power to automate a lot of tasks!
"Hacking is an art of your own creation."
7. GET BOUNTY or GET EXPERIENCE: As bug hunters, sometimes we feel sad when no bounty is received. However, we always gain experience and knowledge, and our skills improve. Look at bug bounty in this way and keep your motivation up day by day. A lot of our life is made of emotions; it is about how you feel your life moment after moment, doing all the things that make you happy. So, if you do bug bounties, be happy, have fun! That is the essence of this!
"If you don't get a bounty, you get knowledge and experience. That's why you always win!"
8. FIND THE "BUG" or FIND A "BUG CHAIN":
If you find a bug, always ask yourself: what is the security impact on the application? You can start hunting with the concept of "find a bug" in mind, or you can think outside the box and start hunting with the concept of "look for the biggest impact". The first concept is totally isolated; the second embraces a much bigger point of view.
"Stay in the valley, or work hard to climb the mountain and see the big panorama."
9. FOLLOW THE MASTERS' PATH: I ask myself every day how to improve my skills a lot more, then I go and search for awesome hackers' blogs or the best write-ups I can find. The best hackers inspire us to be better versions of ourselves.

10. RELAX & ENJOY LIFE: Real success happens when you enjoy a balanced life. Your body and your mind need adequate rest to go beyond their own limits. If you spend a lot of hours hunting, close your laptop and go outside to be more connected with nature. When you hunt with a rested mind, you can see beyond the bugs and all the important details that count for a successful attack or PoC. Find all that gives you joy or peace, all that embraces you and improves you emotionally and mentally. Spend time with your friends and family; this life is like a shooting star, enjoy that light!
Source: Arbaz Hussain (Medium.com)
