Bug Bounty — What, How, Why?

SANKALP SANDEEP PARANJPE
3 min read · Aug 7, 2022

Beginner’s guide to bug bounty —

Hi everyone!

I am Sankalp Sandeep Paranjpe. Today, we will be talking about bug bounties.

The CIA Triad:

C stands for Confidentiality, i.e. “Keeping good data away from bad actors”.

I stands for Integrity, i.e. “Information shouldn’t be modified without the consent of the owner”.

A stands for Availability, i.e. “Authorized subjects can access information in a timely manner”.

A bug is a defect or a weakness in your application that can be exploited to obtain sensitive information or gain unauthorized access to the organization's infrastructure. This can cause financial or reputational loss to the company. A bug breaks the CIA triad and needs to be patched.

A bug bounty program offers an opportunity for ethical hackers to find bugs in a company’s assets, i.e. web applications, mobile applications, desktop applications, or any other asset. If they find any bugs, they report them to the company. In return, the company offers them recognition or a reward for reporting. The reward is based on the severity, impact, and type of the reported bug. This reward is called a bug bounty.

Before we learn and get started with bug bounties, we need to learn some basics -

  • Computer Fundamentals — Every Computer Science student learns these fundamentals in their college curriculum: computer organization and architecture, computer hardware, Linux administration, operating systems, etc.
  • Linux — Linux is an open-source, customizable, hacker-friendly OS. Get familiar with the CLI. Also, learn shell scripting.

You can refer to the following videos -

Computer Networks: https://www.youtube.com/playlist?list=PLkW9FMxqUvyZaSQNQslneeODER3bJCb2K

  • Programming, Scripting, Development — Learn Python/bash scripting for automation. Learning PHP, JS, HTML, etc. will help you learn the basics of web development.

How to find bug bounty programs?

Popular bug bounty platforms -

Hackerone: https://www.hackerone.com/

Bugcrowd: https://www.bugcrowd.com/

Intigriti: https://www.intigriti.com/

You can also find programs by using Google dorks -

Resources -

The following GitHub repository has a good explanation of web application vulnerabilities. You can learn from it one bug at a time; the methodology for each is explained -

A very informative playlist by Heath Adams, TCM Security for learning web application pen-testing — Link

Reading books is very helpful for learning in this field. The following repository has some great books by great authors -

This repository contains -

  • The Web Application Hacker's Handbook
  • Bug Bounty Bootcamp by Vickie Li
  • Web Hacking 101
  • The Tangled Web — A Guide to Securing Modern Web Applications
  • Other books

Technical Blogs and Writeups -

https://infosecwriteups.com/

https://hackerone.com/hacktivity

https://blog.intigriti.com/

https://medium.com/

YouTube Channels -

  1. https://www.youtube.com/c/VickieLiDev
  2. https://www.youtube.com/c/BugBountyReportsExplained
  3. https://www.youtube.com/c/HackersEra
  4. https://www.youtube.com/c/Nahamsec
  5. https://www.youtube.com/c/FarahHawa
  6. https://www.youtube.com/c/SpinTheHack

Other resources —

Twitter — On Twitter, follow these hashtags: #bugbounty, #bugbountytips, #togetherwehitharder

Why bug bounty?

  • You can find bugs sitting at home and earn a good amount. Your working schedule can be very flexible. It’s not as easy as it seems, and it is not advised to be a full-time bug bounty hunter. But you can do it as freelance work alongside your main job.
  • Bug bounties help you gain security exposure, as you test real, live applications for bugs.
  • While doing bug bounties, you get to learn about DevOps, DevSecOps, and cloud security.

Some tips-

  • Consistency, patience, and determination are required for hunting bugs. In this field your hard work matters. Stay motivated.
  • If you think you can be successful in a day, it’s not possible. Rome was not built in a day. You should have an attitude of learning every single day, as new bugs are found every day.
  • Do not chase automation. Understand the basics and the foundational details; you will learn more that way. Yes, automation exists, but it won't help you learn in depth.
  • Learn from the community and help the people in the community.
  • Stay updated, and read write-ups/blogs.

I hope this is helpful.

Your feedback is appreciated.

Let's connect on LinkedIn.

Thank you.