WHAT IS BUG BOUNTY HUNTING?
Recently, Bug Bounty Hunting has become quite a buzzword. But what exactly is it, and how might someone get started?
Over time, applications have become more complex. The more complex a process is, the more things there are that can go wrong. In an era when most application code bases have grown very large, the security assessment of both the code base and the resulting application has to be done by experts. On top of that, developers are not necessarily security-savvy, or they neglect secure coding fundamentals for a number of reasons.
Almost every software company performs security assessments on its products, either using security experts it has already hired or by outsourcing the work to one or more cybersecurity firms, and sometimes both. Nowadays there are tools claiming they can automate the code review process and scanners claiming they can detect the majority of known software vulnerabilities. So how can security bugs still be a thing?
WHAT IS A BUG BOUNTY HUNTING PROGRAM?
While there are security issues that arise from changes in technology and other external factors, the main answer is that, at its core, hacking is creative thinking, and creative people can think in strikingly different ways. Put simply, if there is a security issue in a company's product, the company wants to be among the first to know about it, so it will reward anyone who reports one. When a company comes forward and states that it will compensate people for disclosing bugs, it is posting a Bug Bounty Program (BBP). By doing this, the company gets a much larger number of people testing its products, security professionals gain an alternative or complementary source of income by doing what they do best, and the customers get a much more secure digital experience. Everyone wins!
It should be noted that a Bug Bounty Program is not a playground for hackers. Bug bounty hunters should adhere to the code of conduct/policy of each Bug Bounty Program or bug bounty platform, not only to meet the expected standards of behaviour, but also because doing so makes them more effective and successful with their bug report submissions.
In addition to the above, an organization's exposed web assets are often an attractive path for an attacker. Nowadays, EDR and Identity Management systems make it really hard for an attacker to gain an initial foothold in an organization any other way. By including these assets in the scope of a bug bounty program, organizations complement their internal code reviews and penetration tests with continuous and proactive security testing and round out their vulnerability management program.
These bug bounty programs typically have documentation that specifies the rules that must be followed for a reward to be paid, the kinds of bugs that each company considers "bounty-worthy", and the amount they will pay for each class of bug. The latter can start from just an honourable mention or a piece of swag and go up to more than $50,000. Over recent years, bug bounty hunting has become a legitimate career choice.
BUG BOUNTY HUNTING 101
While bug bounty hunting can prove highly rewarding, and it certainly has been for some people, there are also various other reasons why people choose this career path. First of all, being your own boss gives you a lot of freedom. You don't need to be hired, and your skills are the only thing that matters, so nobody will judge you based on your looks, personality and so on. There are people who started in cybersecurity late and don't have a computer science degree. Working as an independent bounty hunter allows a huge amount of flexibility for people who cannot deal with a 9-5. Also, these platforms allow people from less wealthy countries to earn far more than they would in a regular job.
Just reading through these bug reports can be a fun learning experience for most hacking enthusiasts. Some of them are really complex and can give you a headache just by reading them, but not all of them. In 2016 a researcher disclosed a bug to Facebook that could allow him to reset the password and take control of any account. When you requested a password change, Facebook would send a 6-digit PIN to either your phone or your email that you had to submit. You had a limited number of tries to get this PIN right before you got locked out. What the researcher found was that the lockout mechanism was not implemented on beta.facebook.com and mbasic.beta.facebook.com. This is a very clever hack, but it does not sound that complicated; probably a lot of readers could replicate it if it were still applicable. So next time somebody asks you "Can you hack a Facebook account for me?" after learning that you are a hacker, you can reply "If I ever find a way I will probably report it for thousands of dollars, sorry".
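The lesson for defenders in that report is that a lockout is only as strong as its weakest front end: the attempt counter must belong to the account, not to whichever host happened to serve the request. The following Python is an added illustration written for this article, not code from the original post or from Facebook. It contrasts a flawed policy that only counts attempts on a listed set of hosts (modelling the missing lockout on the beta subdomains) with a hardened policy keyed on the account alone. The host names, account name, PIN value and attempt limit are constructed for the demonstration.

```python
"""Password-reset PIN verification with a per-account lockout.

Added example (not from the original article). `PerHostLockout`
reproduces the mistake described above: the counter is only consulted
on the hosts in ENFORCED_HOSTS, so any other host never locks.
`PerAccountLockout` keys the counter on the account, so every host
shares the same limit. All names and values below are constructed.
"""
import hmac
import secrets

MAX_ATTEMPTS = 5          # constructed limit for the demonstration
PIN_SPACE = 1_000_000     # 6-digit PIN: 000000 .. 999999

# Constructed: hosts on which the flawed version remembers to count attempts.
ENFORCED_HOSTS = {"www.example.test"}


class PerAccountLockout:
    """Hardened policy: failed attempts are counted per account; the host is irrelevant."""

    def __init__(self, max_attempts=MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self._pins = {}     # account -> issued PIN (kept server-side only)
        self._failed = {}   # account -> failed attempts, shared by every host

    def issue_pin(self, account, pin=None):
        # A fixed pin may be supplied for tests; production always draws a random one.
        pin = pin if pin is not None else f"{secrets.randbelow(PIN_SPACE):06d}"
        self._pins[account] = pin
        self._failed[account] = 0
        return pin

    def _locked(self, account):
        return self._failed.get(account, 0) >= self.max_attempts

    def verify(self, account, host, submitted):
        """Return 'ok', 'wrong' or 'locked'. `host` is accepted only for logging."""
        if account not in self._pins:
            return "wrong"
        if self._locked(account):
            return "locked"
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(self._pins[account], submitted):
            self._pins.pop(account)
            self._failed.pop(account)
            return "ok"
        self._failed[account] += 1
        return "wrong"


class PerHostLockout(PerAccountLockout):
    """Flawed policy: lockout state is ignored on every host outside ENFORCED_HOSTS."""

    def verify(self, account, host, submitted):
        if host in ENFORCED_HOSTS:
            return super().verify(account, host, submitted)
        # The "beta" path: neither checks nor increments the counter.
        if account in self._pins and hmac.compare_digest(self._pins[account], submitted):
            self._pins.pop(account)
            self._failed.pop(account, None)
            return "ok"
        return "wrong"


def wrong_guesses_answered(service, account, host, budget=20):
    """Count how many wrong guesses `host` answers before the account locks.

    Returns `budget` if the account never locks within the budget. The
    constructed guesses 000000.. are chosen not to collide with the test PIN.
    """
    answered = 0
    for i in range(budget):
        if service.verify(account, host, f"{i:06d}") == "locked":
            break
        answered += 1
    return answered


if __name__ == "__main__":
    for cls in (PerHostLockout, PerAccountLockout):
        svc = cls()
        svc.issue_pin("alice", "424242")   # constructed account and PIN
        n = wrong_guesses_answered(svc, "alice", "beta.example.test")
        print(f"{cls.__name__}: beta host answered {n} wrong guesses before locking")
```

Under the hardened policy both hosts stop after MAX_ATTEMPTS wrong guesses and the correct PIN is refused once the account is locked; under the flawed policy the beta host keeps answering for as long as the budget allows, and still accepts the real PIN after the main host has locked the account. The fix is structural rather than a per-endpoint patch: one counter per account, consulted by every host.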
YOU TOO CAN BECOME A BUG BOUNTY HUNTER! NO BUTS!
But, I don’t think I am that good yet…
Relax. Most likely, you won't start your bug bounty journey by discovering a $15,000 bug on Facebook. There are tons of companies with bug bounty programs, and not everyone is working on everything. So there is plenty of low-hanging fruit for someone to go for before you sharpen your skills and build your confidence.
Learning the basics of web penetration testing can be a daunting task. Hack The Box can help flatten the steep learning curve through both the web-related Machines on its hacking playground and the Bug Bounty Hunter job role path on HTB Academy. The latter is recommended if guided training is your cup of tea.
In addition, you can go for strictly technical vulnerabilities, or you can try to understand the flow of the application and go for what are known as "business logic" vulnerabilities; you may find a flaw in the process that nobody has noticed yet!
BUT IT SOUNDS ILLEGAL, IS IT?
Nope. Going in blind and trying to attack everything that comes your way is not recommended, though. A certain degree of professionalism is expected, and that includes everything from the way you communicate and interact with the companies to being mindful of what exploits you use and where you use them. You can find information online on which companies offer bug bounties. These programs can be found either on the companies' own websites or on one of the available bug bounty platforms. HackerOne has the most comprehensive list of companies with bug bounty programs, a webpage that aspiring bug hunters should bookmark. Even if you came across a vulnerability by accident (as a pentester this is often the case), the responsible thing to do is to report it to the affected company and/or website, and they may even reward you regardless.
BUT DO I HAVE TO USE A SPECIFIC METHOD TO DO THIS?
Yes and no. Most bug bounty hunters fall into two categories: they are either very good at specific techniques (e.g. XSS) and try to apply them to everything, or they treat each application as a new project and work on it from start to finish, checking everything (this is where most business logic errors are discovered). There is no single correct way to do this. While there are specific methodologies that are battle-tested, and a lot of automated processes that get used to get ahead of the competition in this highly competitive and often time-sensitive field, thinking outside the box is still crucial. Do not forget, each individual thinks creatively in a different way! Do what works best for you, and as you gather experience you will form your own process.
BUG BOUNTY HUNTING VS PENETRATION TESTING
The terms Bug Bounty Hunting and Penetration Testing should not be used interchangeably. Some key differences are listed below (bug bounty hunting first, penetration testing second).
- Bug bounty hunting: can be continuous. Penetration testing: time-limited.
- Bug bounty hunting: can be more specialized (in terms of both scope and skills required). Penetration testing: usually broader.
- Bug bounty hunting: maximum impact is usually showcased. Penetration testing: showcasing maximum impact depends on the engagement's time-sensitivity.
- Bug bounty hunting: multiple perspectives coming from the numerous involved researchers. Penetration testing: limited perspective coming from the hired firm.
- Bug bounty hunting: usually no remediation advice required. Penetration testing: remediation advice required.
- Both require professionalism to be successful.
- Neither requires a degree or certification.
WHERE TO START?
An expensive setup, commercial-grade tools and specialized equipment are not required. All these things are quality-of-life improvements, but they are by no means necessary. A mid-range laptop and a decent Internet connection are usually enough, and while there are expensive software tools, most of the tools that hackers use are free. Plus, it is not very likely that you will get paid for something that comes straight out of a scanner, because it will probably have been reported already.
If you read all this and think to yourself "Now I want to be a bug bounty hunter too", you definitely should! You can try it for a few weeks to see if this is a journey you would like to take. It can be a side project in your spare time, or you can go all in and try to get results fast.
Not sure where to start? One of the best online resources to identify bug bounty programs of your liking is HackerOne’s Directory. HackerOne’s directory can be used for identifying both organizations that have a bug bounty program and contact information to report vulnerabilities you have ethically found. You can also draw inspiration from HackerOne’s hacktivity that includes public bug reports. You can also get some help from here.
THANK YOU!