Advice for hackers trying to get started with bug bounties

Bugcrowd and HackerOne are the largest bug bounty platforms in the world at the moment. You won't last long if you only chase money… Start with your favorite brand or business.

Sunday, November 22, 2020, 4:13 GMT

In The Mandalorian, one of Disney’s hits, bounty hunters join a guild to build their standing and get access to the best bounty information. It is a fictional story set on the far side of the galaxy, but I personally love it because it closely mirrors the lives of bug bounty hunters.

In reality, it is hard for a bug bounty hunter to operate completely independently. Currently there are two major bug bounty ’guilds’: HackerOne and Bugcrowd. Like the Mandalorian hunters, bug hunters gain safety in many ways by joining these two giant guilds. Between them, the two guilds have attracted a total of $200 million in investment from 2011 to the present.

image source: Yandex

From an organization’s point of view, what is the difference between running a bug bounty program and running a vulnerability disclosure program?

The US Department of Defense, which runs bug bounty programs, says, “A vulnerability disclosure program is suitable when you want to achieve a longer-term goal, and bug bounties are advantageous when you want to check a specific program or service in a short period of time.” Security experts also point out that “bug bounties must have a monetary reward, while vulnerability disclosure programs sometimes do not.”

HackerOne and Bugcrowd act as a bridge between organizations that want to run bug bounties and security experts who want monetary compensation, taking a cut of those ’monetary rewards’ in return. They also open bug bounty programs on behalf of companies. It is a business that makes money both for the platforms and for the hackers. Hackers who joined and used the giant guild called HackerOne in 2019 are estimated to have earned about $40 million; in 2018 the figure was $31 million. Over those two years the number of hunters on the platform nearly doubled, and there are currently about 600,000 active members.

Nevertheless, experienced bug bounty hunters recommend registering not only on the platforms classified as ’major’ but elsewhere as well: Bugbountyjp, Hackenproof, Intigriti, Open Bug Bounty, Yogosha, and others are recommended. Casey Ellis, CTO of Bugcrowd, emphasizes, “No matter which platform you register on, you really need to know how to hunt for vulnerabilities.” “There’s a big difference between being able to code a bit and handle the tools needed for a specific mission, and actually knowing how to hunt for bugs.”

Ellis emphasized that “there is a hierarchy among bug hunters,” and that “there are very few vulnerability hunters who earn about 1 million dollars a year.” “Companies put up huge prizes for a single vulnerability. Did you decide to become a bug hunter just by looking at those amounts? No. In reality, very few people actually make that kind of money.

There are somewhat more hackers who make between $100,000 and $250,000, and far more hunters who make between $30,000 and $40,000. The most common category is hackers who participate only occasionally, as a hobby.”

Ellis said, “Security experts who want to start bug bounties have an oddly strong tendency to think, ’If you live as a bug hunter, you can freely do what you want and earn a lot of money.’” “The people for whom that is true can be counted on your fingers.” “Even if you find a million-dollar bug once or twice, there is no guarantee you will do anything similar for the rest of your life. Living on bug bounties alone is a lot like holding down a day job. For most people, that’s the reality.”

Ellis went on to stress that although bug bounties began in 1995, it has been less than 10 years since people started hunting bugs professionally. At the same time, no matter how many years of vulnerability research experience they have, those who want to live solely as vulnerability hunters should be aware of the following.

  1. You tire quickly when you chase money
    There are already plenty of bug bounty guides and tips on the Internet written by well-known bounty hunters. These are materials created by people who have actually earned a lot of money and invested a lot of time, so it is not too late to decide after working through enough of these videos and articles. Also, if you are still at a technically inexperienced stage, it is recommended to study how the Internet works (the basics of HTTP and TCP/IP), networking fundamentals, and command line usage. Reading books on Linux and web technologies diligently is also recommended. JavaScript, PHP, and Java are almost essential. Following experts on Twitter, YouTube, and various blogs is also a must for beginners.

However, first work out why you are studying so diligently in the footsteps of your seniors. Studying is never easy; can it be sustained by the goal of earning some money alone? Surprisingly, no, except for a very few. “You should be able to ask yourself questions such as ’Why am I trying to find vulnerabilities?’ and ’What do I want to learn through vulnerability discovery?’ When your motives become clear, the activity accelerates.”

“I have to use my creativity to find vulnerabilities that may be hidden, and the process is so enjoyable that it gives me as much joy as playing games or reading,” said Hairwood. “The pleasure itself was better than winning a prize, and as a result I didn’t even care about the size of the prize. That feeling becomes the driving force, so the bug bounty activity lasts a long time. Money is not as strong a motive as you might think.”

In addition, Hairwood, who calls bug hunting a ’hobby’, starts every day with yoga to relieve stress and mental burden before getting to work. “Work becomes painful when you start to feel pressured by the goal of finding something. Of course, you can’t achieve anything by poking around aimlessly without any purpose either.”

  2. Your favorite company, service, or product
    Security expert Jesse Kinser, who regularly participates in bug bounty programs, says, “My first bug bounty prize was awarded by Starbucks.” “As someone who likes the Starbucks brand very much, I naturally had a high degree of interest in the Starbucks systems. So when Starbucks announced its bug bounty, I got involved without a second thought, and my attachment to Starbucks drove my research. Starting with a program related to your favorite company or brand is very helpful, regardless of the amount of money.”

Kinser is not a ’full-time’ vulnerability hunter. By day he works as the CISO of LifeOmic, a health IT company. LifeOmic itself joined HackerOne and ran a bug bounty program through it. The person in charge at the time was Kinser, as CISO, and through that experience he became familiar with the bug bounty system and saw its positive side firsthand.

“That’s when I learned what the relationship between businesses and hackers should be. Beyond finding the bug, hackers need to be able to explain to the company why the finding matters. And companies that hear such explanations must give feedback to the hackers: either ’this is really important’ or ’we understand, but it is not that important to us’. Explaining why is essential. That way, both sides learn from each other. When this kind of conversation is possible, a company can try a public bug bounty.”

Kinser stresses to bug bounty hunters that “you have to get used to working with documents.” “Most businesses and organizations communicate with outsiders through forms and documents. That’s their language. If you present the technical details of the vulnerability raw, they won’t understand what they’re paying for. Packaging the results you worked hard for is a skill too.” He added, “It’s surprising, but there are many companies that break their promises and don’t pay hackers.”

  3. Be flexible
    The bug bounty market is, after all, part of the IT field, which means sudden change. Because of this, first-time entrants are either confused or unable to adapt, and they leave. They think, ’I can’t really keep up with this change,’ and give up on bug bounties without even trying. What such novice hackers lack is perhaps not IT skill but adaptability.

An anonymous UK-born professional bug hunter said, “For a security professional who wants to win prizes, flexibility means how widely your technical knowledge spans across a broad range of fields. It is good to be flexible.” “The more interesting thing is that knowing only new technologies is not enough. It is advantageous to understand legacy technology and code as well.”

The hunter also shared the experience of a bug bounty run by the Norwegian advertising company FINN.no. “A total of 221 bugs were found, and 31 hackers shared a total of $55,000 in prizes. But the critical vulnerability with the biggest payout came from the vendor’s old code. In the end, you need to know both, and that is what drives a hacker’s flexibility.”

Advice like this aside, in the end, choosing a bug bounty program and participating in it can be a good experience. The important thing is to target only companies that run bug bounty programs or at least accept vulnerability reports. Even if it is a company you like, breaking into its systems uninvited and then reporting a vulnerability can get you into serious trouble. Remember that the discovery, reporting, and fixing of vulnerabilities are governed by a number of laws and regulations.