Introduction to Bug Bounties
by Vedant Roy
In general terms, bug bounty hunting is crowdsourced penetration testing: security researchers from all around the world are allowed to test the in-scope assets that a company has explicitly opened up for testing. The reward for finding bugs in those assets can be cash, goodies (swag), a place in a hall of fame, or a thank-you certificate.
It has been moving into the mainstream during Covid-19. Many penetration testers and ethical hackers have found a lot of spare time alongside their full-time jobs: no commute, no getting ready for the office, and more tasks completed in less time. It doesn't hurt to have a side hustle and earn some extra cash either. Looking at the job losses and businesses shutting down, it is better to have your eggs in different baskets.
How to get started depends on whether you already have knowledge of the field. If you work as a full-time penetration tester, it is easier to get going because you already know the ins and outs of the testing process. If you are early in your career or looking for a career change, it is still a good place to start. The steps and resources below apply regardless of where you are starting from.
- Basic Security Concepts – It is absolutely necessary to learn the fundamentals: how a website works, computer networking basics, how to research a target, and how to use common security tools such as Nmap, Burp Suite and OWASP ZAP. Other prerequisites include setting up a virtual private server (VPS) and building a lab and testing environment of your own, so that you practise against systems you are allowed to attack. The Nahamsec GitHub repository mentioned in the references is a good place to start learning all of these.
- OWASP Top 10 – This is OWASP's list of the ten most critical categories of security risk found in web applications. The best way to learn it is to start with the OWASP.org website and get an overview. If you need more depth, the OWASP Testing Guide (OTG) describes how to test for each class of issue. For practice, the Web Security Academy by PortSwigger is the best place to do so. It is highly recommended: they keep adding new attack techniques, and it is completely free.
- Read books – If you are an avid reader, there are some books worth keeping for reference and in-depth learning. The Web Application Hacker's Handbook, 2nd edition, is considered the bible of web security; its lead author, Dafydd Stuttard, is the founder of PortSwigger itself (the company behind Burp Suite and the Web Security Academy). Other recommended books include Web Hacking 101, Bug Bounty Bootcamp, Breaking into Infosec, and The Tangled Web.
- Start Hunting – Once you have learned the concepts, you need hands-on practice to really understand them. The best way to do so is to start hunting for bugs in Vulnerability Disclosure Programs (VDPs). These programs offer a hall of fame on their website but no monetary reward. For that reason, fewer highly skilled bug bounty hunters spend time on them, so there is more scope for a beginner to find valid bugs. Open Bug Bounty is one of the platforms that lists such VDPs from all over the world. Do not start by running automated scanners against a target: many programs forbid it in their rules, the noise rarely produces valid findings, and you learn nothing from it. Read the program's scope and rules first, then test manually.
- Follow people on Twitter – Twitter is the hub for bug bounty hunters and security researchers. New attack techniques and new tools are posted there constantly, and the hashtag #bugbountytips is used to keep these techniques in one place. Follow hashtags like #bugbounty, #bugbountytips and #hacking to get your feed populated.
- Movies/Documentaries for motivation – Motivation is the key to getting started on this journey. Knowing the history of hacking and why it was initially considered a crime can help you understand the field better. Here are some of the movies and documentaries I recommend: Who Am I (German film), Zero Days (documentary), Mr. Robot (series), Person of Interest (series), CSI: Cyber (series), Cyberwar (documentary series) and Hacker (film).
- Mental Health – Doing bug bounties over a long period can lead to burnout. A common misconception is that the main causes are not finding good bugs, duplicate reports and slow responses from the remediation team; in practice, juggling a day job and a night job is the more common reason. So take some time off as soon as you notice these symptoms. Apart from that, staying healthy by working out and getting 7-8 hours of sleep will keep you on track. How long it takes varies from person to person, so there is no fixed timeline, but always remember: mental health is the top priority.
On a closing note, remember that this is not going to be an easy task. Finding security vulnerabilities and getting into the hacker mindset require a lot of time and dedication. You will face setbacks, feel exhausted and more, but it will be worth it. And it is always a good choice to make the internet a more secure place for others.
I hope this article inspires and helps some of you to get started in bug bounties and work alongside some awesome people in the field. Thank you!
References and Resources:
About the Author:
Vedant Roy - I am an Associate Consultant at PwC AC based out of India. I have been working in the field for more than 3 years on Web and Network Penetration testing. I have been doing CTFs and bug bounties since my last year in college in 2018 and helped secure various clients from continents like Europe, North and South America, and the Middle East. I also volunteer in cyber cells to assist police officers in solving cybercrime cases.
LinkedIn - http://vedant-roy-230598129
Twitter - https://twitter.com/gh05t4s1