I hope you are doing well.
I am Shrimant More currently working as a Penetration Tester at TCS.
I have been doing Bug Bounty for some time (still learning every day) and have performed well on HackerOne, BugCrowd, and YesWeHack.
So I thought of doing a write-up where I’ll share how I started my Bug Bounty journey and how beginners can use it as a reference.
I usually get messages like
“From where to start Bug Bounty”
“Tips for Bug Bounty”
Sometimes it becomes hectic to reply with the same thing again and again to every message, so here’s a complete, detailed write-up.
I follow “The Golden Circle Rule” (What, How, Why) almost everywhere, and I want you, yes, the one who is reading this, to follow the same thing while entering Bug Bounty.
1. What is Bug Bounty / Bug Bounty Program
A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs.
2. How to do Bug Bounty?
i. Find a Bug Bounty Program
ii. Read InScope and Out of Scope items
iii. Report bugs with detailed Proof of Concepts to respective Bug Bounty Program (Sometimes reports are marked as Not Applicable or Duplicate)
iv. Earn (Money / Swag / Hall of Fame)
Seems easy, right? But it’s NOT that easy, and NOT that hard either.
3. Why Bug Bounty?
Ask yourself: why do you want to become a Bug Bounty Hunter?
If the answer is: Easy Money
Then, my friend, you won’t stay here for long, because submitted reports being marked Duplicate or Not Applicable is demotivating, and most people give up at this point.
But if you are someone who:
ii. Reads daily/weekly
iii. Has a “Never Give Up” attitude
iv. Thinks out of the box
v. Appreciates others’ work for the community
vi. Works smart
Then you will succeed in Bug Bounty.
Choose your Bug Bounty niche
Interests vary from person to person. You can find various platforms that have Bug Bounty programs relating to the list below:
i. Web Application
ii. Android Application
iii. iOS Application
v. Source Code Review
vi. Reverse Engineering etc.
So, as a beginner, I started with Web Applications because it was easy to set up labs and a lot of resources were easily available.
I would suggest that beginners start by learning how to find vulnerabilities in web applications and then move towards the other types in the list.
Find Bug Bounty Platform
Below are some Google dorks to find public Bug Bounty Programs / Responsible Disclosure Programs (one dork per line):
inurl /bug bounty
inurl : / security
inurl:security.txt
"powered by synack"
inurl:"security report"
inurl:security "reward"
buy bitcoins "bug bounty"
site:help.*.* inurl:bounty
site responsible disclosure
responsible disclosure:sites
responsible disclosure europe
intext responsible disclosure
responsible disclosure r=h:nl
responsible disclosure r=h:uk
responsible disclosure r=h:eu
"submit vulnerability report"
intext:bounty inurl:/security
/trust/report-a-vulnerability
site eu responsible disclosure
site:responsibledisclosure.com
inurl : /responsible disclosure
site .nl responsible disclosure
inurl: private bugbountyprogram
inurl:reporting-security-issues
site:security.*.* inurl: bounty
responsible disclosure white hat
"vulnerability reporting policy"
"security vulnerability" "report"
inurl:/security ext:txt "contact"
inurl:security-policy.txt ext:txt
site:*.*.* inurl:bug inurl:bounty
responsible disclosure swag r=h:nl
responsible disclosure swag r=h:uk
responsible disclosure swag r=h:eu
site:*.*.de inurl:bug inurl:bounty
responsible disclosure swag r=h:com
responsible disclosure hall of fame
"responsible disclosure" university
inurl:/.well-known/security ext:txt
inurl:responsible-disclosure-policy
responsible disclosure bounty r=h:nl
responsible disclosure bounty r=h:uk
responsible disclosure bounty r=h:eu
responsible disclosure reward r=h:nl
responsible disclosure reward r=h:uk
responsible disclosure reward r=h:eu
intext:responsible disclosure bounty
inurl : / responsible-disclosure/ swag
inurl:'/responsible disclosure' hoodie
inurl : /responsible-disclosure/ reward
intext:Vulnerability Disclosure site:nl
intext:Vulnerability Disclosure site:eu
inurl : / responsible-disclosure/ bounty
"powered by bugcrowd" -site:bugcrowd.com
insite:"responsible disclosure" -inurl:nl
site:*.*.nl intext:security report reward
inurl:/responsible-disclosure/ university
site:*.*.uk intext:security report reward
site:*.*.cn intext:security report reward
intext:security report reward inurl:report
inurl:'vulnerability-disclosure-policy' reward
site:support.*.* intext:security report reward
intext:security report monetary inurl:security
site:*.*.nl intext:responsible disclosure reward
"Submission Form powered by Bugcrowd" -bugcrowd.com
"powered by hackerone" "submit vulnerability report"
inurl:/.well-known/security ext:txt intext:hackerone
inurl:"bug bounty" and intext:"$" and inurl:/security
"If you believe you've found a security vulnerability"
intext:"BugBounty" and intext:"BTC" and intext:"reward"
inurl:"bug bounty" and intext:"€" and inurl:/security
inurl:"bug bounty" and intext:"INR" and inurl:/security
"van de melding met een minimum van een" -site:responsibledisclosure.nl
inurl:/.well-known/security ext:txt -hackerone -bugcrowd -synack -openbugbounty
inurl:/security.txt "mailto*" -github.com -wikipedia.org -portswigger.net -magento
Tools used in Bug Bounty
If you have selected Web Applications for finding bugs, you’ll require a browser (I use Firefox) and Burp Suite (a proxy-based tool) in the starting phase.
The list of tools will grow, and it differs from person to person.
Learning Path for Bug Bounty
The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws
Web hacking 101
Mastering Modern Web Penetration Testing
4. Video Material for Bug Bounty
Recon and Automation in Bug Bounty
Recon and Automation are important in bug bounty.
If you want to make your Recon Game strong:
You might have read write-ups where a Security Researcher found a really simple Insecure Direct Object Reference (IDOR) and got paid $$$$ for it.
Ever wondered why they were able to find that particular endpoint?
Yup, Correct. Recon !!
I have a habit of using various tools to enumerate subdomains because I DON’T want to miss a single subdomain.
So here’s an example of how I have been doing it:
#!/bin/bash
# Run two subdomain enumeration tools against the target, keep each tool's
# results in its own file, then merge them into one de-duplicated list.

echo 'Started assetfinder'
# --subs-only prints only subdomains (not related root domains); tee -a keeps a copy on disk
assetfinder --subs-only smshrimant.com | sort -u | tee -a 1DomainsfromAF.txt
echo ''
echo 'Completed assetfinder'

echo 'Started subfinder'
subfinder -d smshrimant.com | sort -u | tee -a 2DomainsfromSubfinder.txt
echo ''
echo 'Completed subfinder'

echo 'Sorting and Merging Domains'
# sort -u across both files removes the overlap between the two tools
sort 1DomainsfromAF.txt 2DomainsfromSubfinder.txt -u | tee -a UniqueDomains.txt
This is just an example of using 2 tools, you can add more tools of your choice 🙂
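As an added example (my own, not the author's script), here is a more general version of the same idea: run whichever enumeration tools are installed, keep each tool's raw output separately, and then normalise the merged list so that case differences, trailing dots and wildcard entries do not produce duplicates, and so that names outside the target domain (which are out of scope and must not be tested) are dropped. The tool names assetfinder and subfinder are the real tools from the author's script; the target name example.com, the file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the author's script: enumerate subdomains with several
# tools, keep each tool's raw output, then merge into one normalised list of
# names that are actually inside the target domain.

# normalize_domains TARGET: read one name per line on stdin and
#   - lower-case it and strip surrounding whitespace and a trailing dot,
#   - drop a leading wildcard label ("*.dev.example.com" -> "dev.example.com"),
#   - keep only TARGET itself or names ending in ".TARGET" (anything else is
#     out of scope and must not be tested),
#   - de-duplicate.
normalize_domains() {
    target="$1"
    tr '[:upper:]' '[:lower:]' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/\.$//' -e 's/^\*\.//' \
        | awk -v t="$target" '$0 == t || substr($0, length($0) - length(t)) == "." t' \
        | sort -u
}

# run_recon TARGET: run every enumeration tool that is installed (skip the
# rest), append everything to raw.txt, then produce unique.txt.
run_recon() {
    domain="$1"
    outdir="recon-$domain"
    mkdir -p "$outdir"
    : > "$outdir/raw.txt"

    if command -v assetfinder >/dev/null 2>&1; then
        echo "Started assetfinder"
        assetfinder --subs-only "$domain" \
            | tee "$outdir/assetfinder.txt" >> "$outdir/raw.txt"
        echo "Completed assetfinder"
    fi

    if command -v subfinder >/dev/null 2>&1; then
        echo "Started subfinder"
        # -silent suppresses subfinder's banner so only names are emitted
        subfinder -d "$domain" -silent \
            | tee "$outdir/subfinder.txt" >> "$outdir/raw.txt"
        echo "Completed subfinder"
    fi

    normalize_domains "$domain" < "$outdir/raw.txt" > "$outdir/unique.txt"
    echo "$(wc -l < "$outdir/unique.txt" | tr -d ' ') unique in-scope subdomains -> $outdir/unique.txt"
}

# Usage: sh recon.sh example.com   (example.com is a placeholder target)
if [ "$#" -gt 0 ]; then
    run_recon "$1"
fi
```

Keeping the per-tool files is deliberate: when you later compare tools, you can see which one found a given host. The in-scope filter is the part beginners most often skip, and it is what keeps a merged list from quietly pulling in hosts the program never authorised.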
Wordlist for Bug Bounty
Bug Bounty Hunting is a sort of black-box penetration testing, so we don’t know upfront which endpoints exist. That’s where fuzzing comes into the picture.
There is a tool named ffuf which can be used for various fuzzing tasks. Using ffuf in your recon methodology is great, but it’s also important to be nice to servers.
We do require wordlists for fuzzing. As a beginner, I would suggest using the wordlists below:
Once you get experienced, try to make your own custom wordlists.
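Two things from this section that an added example can make concrete (this is my own code, not the author's or the ffuf project's): how a custom wordlist can be built from paths you have already observed in scope, and what "being nice to servers" looks like in an ffuf invocation. The ffuf flags used (-u, -w, -rate, -t, -H, -ac, -mc, -o, -of) are real ffuf options; the function names, the User-Agent value and the file names are assumptions, and the example URLs in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not the author's script: build a custom wordlist from paths
# you have already observed, then fuzz with ffuf at a polite rate.

# build_wordlist: read URLs on stdin, keep only the path, split it into
# segments, lower-case and de-duplicate. Query strings and fragments are
# dropped because they are not path components.
build_wordlist() {
    sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://[^/]*##' -e 's/[?#].*$//' \
        | tr '/' '\n' \
        | tr '[:upper:]' '[:lower:]' \
        | grep -v '^$' \
        | sort -u
}

# polite_ffuf BASE_URL WORDLIST OUTFILE: directory fuzzing with ffuf's own
# rate limit (-rate, requests per second) and thread cap (-t) so the target
# is not hammered, plus a header that identifies the tester (placeholder
# value; use whatever the program's rules ask for). -ac auto-calibrates away
# catch-all responses, -mc limits which status codes are reported.
polite_ffuf() {
    base="$1"; wordlist="$2"; out="$3"
    ffuf -u "${base}/FUZZ" -w "$wordlist" \
        -rate 20 -t 5 \
        -H "User-Agent: bugbounty-researcher/REPLACE_WITH_YOUR_HANDLE" \
        -ac -mc 200,204,301,302,307,401,403 \
        -o "$out" -of json
}

# Usage (all names are placeholders):
#   build_wordlist < observed-urls.txt > custom.txt
#   polite_ffuf https://app.example.com custom.txt ffuf-out.json
```

The wordlist builder is the simplest form of a custom list: every path segment the application has already shown you (from crawling, JavaScript files or Burp's site map) is a better guess for that application than a generic list. The ffuf wrapper pins the request rate and thread count on purpose; programs routinely state a maximum rate in their scope page, and a wrapper makes it hard to forget.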
Practice Attacks on Labs
After learning attacks we need to practise them, so you can test them on the labs below:
Checklist for Bug Bounty
It’s important to make your own checklist. This checklist should comprise:
1) Attacks you are good at, OR
2) Attacks to look for when you are given a website to pentest
As a beginner, I would suggest starting from BugCrowd’s VRT (Vulnerability Rating Taxonomy) and learning those attacks.
P1 = High Impact, Good Bounty
P4 = Low Impact, Less Bounty
(I started from P4 though 🙂) It’s your choice; you can start from P1 or P4.
“Refer the trend, then modify it” – Shrimant
This means: start using Twitter and see what other bug hunters are reporting, then learn those techniques and try to increase the impact by adapting them to the particular scenario in front of you.
We are lucky enough to have an amazing community that is active and posting BugBountyTips on Twitter.
Whatever topic you want to learn, just use Twitter dorks and you’ll get “lesser known” amazing tips, for example:
xss bug bounty
I know you guys are creative, now make your Twitter dork and hit the search button.
Discord Groups for Bug Bounty
HackerOne and BugCrowd have public Discord groups which you can join using the below link.
Advantages: most of the bug hunters are active there and will reply to all your questions (just make sure you don’t ask silly questions like how to hack a Facebook account).