What is Bug Bounty Hunting?

WHAT IS BUG BOUNTY HUNTING?

Recently, bug bounty hunting has become quite a buzzword. But what exactly is it, and how can someone get started?

Over time, applications have become more complex, and the more complex a process is, the more things there are that can go wrong. In an era when most application code bases run to millions of lines, the security assessment of both the code base and the resulting application has to be done by experts. On top of that, developers are not always security-aware, or they neglect secure coding fundamentals for a variety of reasons.

Almost every software company performs security assessments on its products, either with security experts it already employs or by outsourcing the work to one or more cyber-security firms, and sometimes both. Nowadays there are tools that claim to automate the code-review process and scanners that claim to detect most known software vulnerabilities. So how can security bugs still be a thing?

WHAT IS A BUG BOUNTY PROGRAM?

While there are security issues that arise from changes in technology and other external factors, the main answer is that, at its core, hacking is creative thinking, and creative people think in remarkably different ways. To put it plainly: if there is a security issue in a company's product, the company wants to be among the first to know about it, so it will reward anyone who reports one. When a company comes forward and states that it will pay people for disclosing bugs, it is publishing a Bug Bounty Program (BBP). By doing so, the company gets a far larger number of people testing its products, security professionals gain an alternative or complementary source of income doing what they are best at, and customers get a much safer digital experience. Everyone wins!

It should be noted that a Bug Bounty Program is not a playground for hackers. Bug bounty hunters should stick to the code of conduct and policy of each Bug Bounty Program or bug bounty platform, not only to meet the expected standards of behaviour, but also because doing so makes them more effective and more successful with their bug report submissions.

In addition to the above, a company's exposed web assets are often an attractive avenue for an attacker. Nowadays, EDR and identity management systems make it genuinely difficult for an attacker to gain an initial foothold in an organisation by other means. By including these assets in the scope of a bug bounty program, organisations complement their internal code reviews and penetration tests with continuous, proactive security testing and round out their vulnerability management program.

These bug bounty programs usually come with documentation that specifies the rules that must be followed for an award to be paid, the kinds of bugs that each company considers "bounty-worthy", and the amount it will pay for each class of bug. The latter can start from a mere honourable mention or a piece of swag and go up to more than $50,000. Over the past few years, bug bounty hunting has become a legitimate career choice.

BUG BOUNTY HUNTING 101

While bug bounty hunting can prove highly profitable, and it certainly has been for some people, there are also various other reasons that people choose this career path. First of all, being your own boss gives you a lot of freedom. You don't have to be hired and your skills are the only thing that matters, so nobody will judge you based on your looks, personality and so on. There are people who started in cyber security late and don't have a computer science degree. Working as an independent bounty hunter allows a huge amount of flexibility for people who cannot cope with a 9-to-5. Likewise, these platforms allow people from less wealthy countries to earn far more than they would with a conventional job.

Just reading through these bug reports can be a fun learning experience for most hacking enthusiasts. Some of them are really complex and can give you a headache just by reading them, but not all of them. In 2016 a researcher disclosed a bug to Facebook that could have allowed him to reset the password of, and take control of, any account. When you requested a password change, Facebook would send a 6-digit PIN to your phone or e-mail that you then had to submit. You had a limited number of tries to get this PIN right before you were locked out. What the researcher found was that the lockout mechanism was not implemented on beta.facebook.com and mbasic.beta.facebook.com, so the PIN could simply be brute-forced on those hosts. This is a very clever find, but it does not sound that complicated; many readers could probably replicate it if it were still present. So the next time somebody who has just learnt you are a hacker asks "Can you hack a Facebook account for me?", you can reply "If I ever find a way I will probably report it for thousands of dollars, sorry".

YOU TOO CAN BECOME A BUG BOUNTY HUNTER! NO BUTS!

But, I don’t think I am that good yet…

BUT IT SOUNDS ILLEGAL, IS IT?

Nope. That said, going in blind and attacking everything that comes your way is not recommended. A certain degree of professionalism is expected, covering everything from the way you communicate and interact with companies to being mindful of which exploits you use and where you use them. Testing a system that has no program, or that sits outside a program's published scope, is not covered by any authorisation, so check the scope before you send a single request. You can find information online about which companies offer bug bounties: these programs are published either on the companies' own websites or on one of the available bug bounty platforms. HackerOne keeps one of the most comprehensive directories of companies with bug bounty programs, a webpage that aspiring bug hunters should bookmark. Even if you come across a vulnerability by accident (as a pentester this is often the case), the responsible thing to do is to report it to the affected company and/or website, and they may even reward you regardless.

BUT DO I HAVE TO USE A SPECIFIC METHOD TO DO THIS?

Yes and no. Most bug bounty hunters fall into one of two categories: either they are very good at specific techniques (e.g. XSS) and try to apply them to everything, or they treat each application as a new project and work through it from start to finish, checking everything (this is where most business logic errors are discovered). There is no single correct way to do this. While there are battle-tested methodologies, and a lot of automation gets used to stay ahead of the competition in this highly competitive and often time-sensitive field, thinking outside the box is still crucial. Don't forget, each individual thinks creatively in a different way! Do what works best for you, and as you gather experience you will form your own process.

BUG BOUNTY HUNTING VS PENETRATION TESTING

The terms Bug Bounty Hunting and Penetration Testing should not be used interchangeably. Some key differences follow, with the bug bounty side first and the penetration testing side second on each line.

  • Can be continuous – Time-limited.
  • Can be more specialized (in terms of both scope and skills required) – Usually broader.
  • Maximum impact is usually demonstrated – Demonstrating maximum impact depends on the engagement's time constraints.
  • Multiple perspectives from the many researchers involved – Limited perspective from the single hired firm.
  • Usually no remediation advice required – Remediation advice required.
  • Both require professionalism to be successful.
  • Neither requires a degree or certification.

WHERE TO START?

An expensive setup, commercial-grade tools and specialized equipment are not required. All of these are quality-of-life improvements, but they are by no means necessary. A mid-range laptop and a decent Internet connection are usually enough, and while there are expensive software tools, most of the tools that hackers use are free. Plus, you are not very likely to get paid for something that comes straight out of a scanner, because it will probably have been reported already.

THANK YOU!