#10 Rules of Bug Bounty
1. Targeting the Bug Bounty Program
How long do you target a program?
If the answer is just a few hours or one night, that is where you are going wrong. Bug hunting is a matter of skill and luck. Spending only a few hours on a program is usually wasted effort, because the bugs you can find that quickly have mostly been reported already, and you end up demoralized by duplicates. Pick a program and spend at least a week on it. Big bugs take time. Take your time to understand the functionality of the application, keep notes, and track suspicious endpoints.
You will not earn much for a known issue unless you are very early to report it. If you discover a public program 10 or 12 hours after its launch, don't waste your time looking for known issues or low-hanging fruit; take a deep dive into the application instead.
2. How Do You Approach the Target?
If the answer is just signing up at the target and checking for vulnerabilities like CSRF, XSS, subdomain issues and so on, that could be the reason you end up with many duplicates or no bugs at all. Start with the program's documentation. Recon the target. Understand the functionality of the application and the privileges of each user role. Spend at least one or two days on recon, reading the docs and gathering information before you start attacking.
3. Don't Expect Anything!
We believe the most common mistake bug hunters make after reporting a bug is to expect a particular reward amount. Don't expect anything. Close the report and start looking for other bugs, because dwelling on the expected bounty will only make you unhappy.
If your mindset is that you are going to find bugs in a matter of hours or a single night, that may or may not work every time. Instead, set a mindset like "I'm going to hunt bugs for the whole week; let's just set a target of $100." Believe me, you will end up making ten times that target by the end of the week, and the result will be happiness.
Some high-severity bugs are rewarded with low or average bounties. Don't shout at the program; ask politely what the reasoning behind the bounty decision was. More importantly, be happy with and thankful for what you found.
Try to accept this: "Sometimes we get unexpectedly large rewards for small issues, so we should also accept smaller amounts for high-severity issues."
4. Insufficient Knowledge of Vulnerabilities and Testing Methodologies:
This is also a common scenario: many new bounty hunters start looking for bugs without a basic understanding of how things work. What I have learned from my own experience is that you will not understand how an application works until you know how it is built. It is necessary to first learn how applications are built, including the programming languages involved, before you start breaking them.
5. Surround Yourself with the Bug Bounty Community to Keep Yourself Updated.
1. Create a Twitter handle and go to the HackerOne leaderboard.
2. Go through the HackerOne profiles one by one and follow those hunters on Twitter. The same applies to Bugcrowd and other platforms. This way you surround yourself with bug hunters and security researchers.
3. Keep bookmarking what you find useful.
4. Read HackerOne's disclosed activity at http://h1.nobbd.de/
5. Join Bug Bounty World on Slack, keep reading their blogs, tools and general channels and their conversations about testing, and share what you know.
6. AUTOMATION: "Automation is power." If you want to automate things, you need to learn scripting. Learning at least one programming language is highly recommended. Some of the best scripting languages for this are JavaScript, Python, Ruby and Bash; even knowing a few curl tricks or basic Bash commands puts the power to automate many tasks in your hands.
"Hacking is an art of your own creation."
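As an added example of the kind of small automation rules 1, 2 and 6 are asking for (this is not code from the original post), the script below takes a list of URLs observed while browsing a target, reduces them to endpoint signatures so that /api/users/1 and /api/users/2 count as one endpoint, flags the ones whose path or parameter names suggest functionality worth a manual look, and reports which endpoints are new compared with an earlier pass. The hostname, the sample URLs and the keyword list are constructed for illustration and are not taken from any real program.

```python
"""Endpoint tracker for bug-bounty recon notes.

Normalises observed URLs into endpoint signatures, flags the ones worth a
closer manual look, and diffs two passes to surface newly seen endpoints.
The sample data and keyword list below are constructed for this example.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Path segments that are just identifiers collapse into one "{id}" placeholder,
# so the same handler reached with different ids is recorded once.
_NUMERIC = re.compile(r"^\d+$")
_UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
_HEXID = re.compile(r"^[0-9a-f]{16,}$", re.I)

# Assumed starting list of words that hint at interesting functionality; extend it
# as you learn the target. Order matters only for which keyword gets reported.
SUSPICIOUS_KEYWORDS = ("admin", "debug", "internal", "upload", "export", "redirect",
                       "callback", "token", "reset", "invite", "impersonate", "webhook")


def normalize_endpoint(url: str) -> str:
    """Reduce a concrete URL to host + templated path + sorted parameter names."""
    parts = urlsplit(url)
    segments = []
    for seg in parts.path.split("/"):
        if _NUMERIC.match(seg) or _UUID.match(seg) or _HEXID.match(seg):
            segments.append("{id}")
        else:
            segments.append(seg)
    path = "/".join(segments) or "/"
    # Parameter values are dropped; only the names describe the endpoint.
    params = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    sig = f"{parts.netloc.lower()}{path}"
    if params:
        sig += "?" + "&".join(params)
    return sig


def collect_endpoints(urls):
    """Deduplicate observed URLs into endpoint signatures, keeping first-seen order."""
    seen = []
    for url in urls:
        sig = normalize_endpoint(url)
        if sig not in seen:
            seen.append(sig)
    return seen


def flag_suspicious(endpoints, keywords=SUSPICIOUS_KEYWORDS):
    """Return (endpoint, matched keyword) for endpoints containing a keyword in path or parameter names."""
    hits = []
    for ep in endpoints:
        lowered = ep.lower()
        for kw in keywords:
            if kw in lowered:
                hits.append((ep, kw))
                break
    return hits


def new_endpoints(current, previous):
    """Endpoints present in the current pass but absent from the earlier one."""
    known = set(previous)
    return [ep for ep in current if ep not in known]


# Constructed sample: URLs as they might be copied from a proxy history after
# one browsing session of the fictional host app.example-target.test.
FIRST_PASS = [
    "https://app.example-target.test/",
    "https://app.example-target.test/login",
    "https://app.example-target.test/api/users/1042/profile",
    "https://app.example-target.test/api/users/1043/profile",
    "https://app.example-target.test/api/orders?page=1&sort=desc",
    "https://app.example-target.test/api/orders?sort=asc&page=2",
    "https://app.example-target.test/account/password/reset?token=3f9a1c",
]
SECOND_PASS = FIRST_PASS + [
    "https://app.example-target.test/api/files/upload",
    "https://app.example-target.test/api/internal/export/550e8400-e29b-41d4-a716-446655440000",
    "https://app.example-target.test/oauth/callback?redirect_uri=https%3A%2F%2Fapp.example-target.test%2F",
]


def report(first=FIRST_PASS, second=SECOND_PASS):
    """Compare two passes and return the endpoint list, what is new, and what looks suspicious."""
    before = collect_endpoints(first)
    after = collect_endpoints(second)
    return {
        "endpoints": after,
        "new": new_endpoints(after, before),
        "suspicious": flag_suspicious(after),
    }


if __name__ == "__main__":
    result = report()
    print(f"{len(result['endpoints'])} distinct endpoints")
    for ep in result["new"]:
        print("NEW       ", ep)
    for ep, kw in result["suspicious"]:
        print(f"SUSPICIOUS {ep}  (matched '{kw}')")
```

Run it against a fresh export of URLs each day you spend on a program; the "new" list tells you which parts of the application you have not yet looked at, and the flagged list is a starting point for the notes rule 1 asks you to keep. The keyword match is deliberately crude: it is there to prioritize manual review, not to decide anything on its own.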
7. GET BOUNTY or GET EXPERIENCE: As bug hunters, we sometimes feel sad when no bounty is received. However, we always gain experience and knowledge, and our skills improve. Look at bug bounty this way and keep your motivation up day by day. A lot of our life is made of emotions; it is about how you feel your life moment after moment, doing all the things that make you happy. So if you do bug bounties, be happy, have fun! That is the essence of it. I remind myself every day when I feel sad or unmotivated: hey @ak1t4! What's happening? Remember to enjoy this!
"If you don't get a bounty, you get knowledge and experience; that's why you always win."
8. FIND THE "BUG" or FIND A "BUG CHAIN":
If you find a bug, always ask yourself: what is its security impact on the application? You can start hunting with the concept of "find a bug" in mind, or you can think outside the box and hunt with the concept of "look for the biggest impact". The first concept is isolated; the second embraces a much bigger point of view. A finding that is low severity on its own can become high severity when combined with another, so keep every bug in your notes even if it does not seem worth reporting by itself.
"Stay in the valley, or work hard to climb the mountain and see the big panorama."
9. FOLLOW THE MASTERS' PATH: I ask myself every day how to improve my skills further, then I go and search for great hackers' blogs or the best write-ups I can find. The best hackers inspire us to be better versions of ourselves.
"My daily inspiration is those who break their own limits and succeed."
- Detectify Blog
- Security Shizzle — Inti De Ceukelaire
- fin1te: Bug Bounty Participant
- Security & Code Blog
- Philippe Harewood
- ARNE SWINNEN’S SECURITY BLOG
- Daniel LeCheminant
- We Hack People
- IT-Securityguard Blog
- The misunderstood X-XSS-Protection
- Bug Bounty Findings by Meals
- Respect XSS
- Graceful Security!
- Fooling the Interpreter
- Klikki Oy
10. RELAX & ENJOY LIFE: Real success happens when you enjoy a balanced life. Your body and mind need adequate rest to go beyond their limits. If you have spent many hours hunting, close your laptop and go outside to reconnect with the natural world. When you hunt with a rested mind, you can see beyond the bugs to all the important details that count for a successful attack or PoC. Find everything that gives you joy or peace, everything that embraces you and improves you emotionally and mentally. Spend time with your friends and family; this life is like a shooting star, enjoy that light!
Burp Suite Tool Attack Approach
Browser Plugins:
- Chrome : http://resources.infosecinstitute.com/19-extensions-to-turn-google-chrome-into-penetration-testing-tool/
- Firefox : http://resources.infosecinstitute.com/use-firefox-browser-as-a-penetration-testing-tool-with-these-add-ons/
Bug Bounty References:
- fuzzdb — https://github.com/fuzzdb-project/fuzzdb
- SecLists — https://github.com/danielmiessler/SecLists
- NickSanzotta — https://github.com/NickSanzotta/BurpIntruder
- shadsidd — https://github.com/shadsidd
- shikari1337 — https://www.shikari1337.com/list-of-xss-payloads-for-cross-site-scripting/
- 7ioSecurity — https://github.com/7ioSecurity/XSS-Payloads
- xmendez — https://github.com/xmendez/wfuzz
- minimaxir — https://github.com/minimaxir/big-list-of-naughty-strings
- xsscx — https://github.com/xsscx/Commodity-Injection-Signatures
- TheRook — https://github.com/TheRook/subbrute