Bug Bounty Hunting, Part 1: Getting Started

Bug Bounty Cybersecurity

Welcome back my aspiring bounty hunters!

In recent years, bug bounty hunting has become a lucrative and legitimate career for those with hacking skills! In this series, we will introduce you to the field of bug bounty hunting and train you to find those bugs for the lucrative bounties!

Before we get into the technical details of how to find bugs, let’s take few minutes to introduce these programs for those of you who are new bug bounty hunting.

What is Bug Bounty Hunting?

Bug bounty hunting are programs employed by software companies and website owners to employ the cadre of hackers to find vulnerabilities (bugs) in their systems before the bad guys do. Before bug bounty hunting started, hackers were given a choice of selling the vulnerabilities to the bad guys or revealing them to software developers who often ridiculed and stigmatized them. These software developers often viewed hackers as the enemy. As a result, these companies saw their software constantly attacked and cost them and their customers millions of dollars. Some brilliant individual thought to use all those clever hackers to make their software more secure and the bug bounty programs were born!

Bounty hunters are the individuals who try to break the software. When they are successful, they report the “bug” to the company and are rewarded with a bounty (payment). Some often compare bug bounty programs to a external audit of their software by millions of eyes.

Bounty hunters may possess a wide-range of skills or be specialized in a particular area such as mobile apps (few people have the skills to test everything successfully). When bounty hunter finds a bug, they produce a vulnerability report to the company who owns the software so that they can fix the bug and make their software more secure. If the report is accepted, the company pays the bounty. The amount of the bounty is proportionate to the severity of the flaw found. Usually the bounties are few hundred dollars to a hundred thousand dollars. My fellow author at No Starch Press, James Forshaw, received $100,000 from Microsoft for finding a bug in Windows 8.1 In some rare cases, bug bounty hunters have made over $1 million

finding multiple bugs, such as the Argentinian hacker, Santiago Lopez seen below.

Bug Bounty Platforms

When these bug bounty programs began, it was often difficult to find the right person or department to contact to report the bug. In addition, the bug hunter risked being ostracized and sued by the software company when they revealed the flaw. As a result, bug bounty platforms were developed to manage the bug bounty programs for the software developers. These platforms manage the reports, communication, and reward payments for the software developers making the programs work smoothly for both the bug hunters and the software developers.

There are numerous bug bounty platforms operating today, but the largest are;

  1. HackerOne

  2. Bugcrowd

  3. Synack

Bug Bounty Methodology

There is no one single method to find software or system bugs. Everyone will develop their own system or it may vary depending upon your area of specialization

  1. Analyze the scope

  2. Look for valid targets

  3. High level testing of discovered target

  4. Review all the applications

  5. Fuzzing

  6. Exploit the vulnerabilities

Lets look at each of these steps.

1. Analyze the Scope

It’s critical understand the scope of the program. The scope details which assets are to be tested. Make certain to remain within the scope or risk spending your time on an area that will not generate any revenue for you.

2. Look for Valid Targets

Often, the software developers do not include the entire infrastructure in its scope. They may be specifically looking for vulnerabilities in specific domains, modules or apps. Find valid targets in this scope and don’t waste your time.

3. High Level Testing

Use a vulnerability scanner to look for vulnerabilities or flaws. Remember, vulnerability scanners simply test for already know vulnerabilities, so they are unlikely to find new vulnerabilities. At the same time, if a vulnerability scanner, for example, finds numerous SSRF vulnerabilities, there are likely to be more.

4. Review Applications

Review the applications in the bug bounty program and select the one suited to your skill set. If you are an expert of SSRF, focus your energies on those applications likely to have SSRF vulnerabilities.

5. Fuzzing

As you know, fuzzing is the process of sending pseudo-random inputs to an application and examining what happens. The fuzzing process will expose flaws that may lead to vulnerabilities. For more on fuzzing, see Fuzzing with Spike and Fuzzing Web Apps with Burpsuite.

6. Exploit the Vulnerabilities

Fuzzing breaks the application and exposes flaws in the code. The next step is to develop a proof of concept (POC) that exploits the flaw. A strong POC and explanation is likely to generate a lucrative bounty.

Summary

Bug bounty programs are an excellent way for hackers to earn a legal and legitimate living without running afoul of law enforcement or risk being sued by the software company. Software developers pay for you, the bug hunter, to find vulnerabilities in their code. Successful bug bounties hunters can earn a very comfortable living if they understand how these programs work and how to find bugs.

Hackers-Arise has a new course on Bug Bounty Hunting in the Subscriber training package.