Lately Bug Bounty Hunting has become quite a buzzword. But what exactly is it and how can somebody start?
Over time, applications became more complex. The more intricate a process is, the more things there are that can go wrong. In the era when most application code sizes lie in the millions, the security assessment of both the codebase and the resulting application has to be carried out by professionals. In addition to the above, developers might not always be security-savvy or they disregard secure coding basics for multiple reasons.
Almost every software company performs security assessments on their products either by using security professionals that it has already hired or outsources them to one or more cybersecurity companies. Sometimes both. Nowadays there are tools claiming they can automate the code reviewing process and scanners claiming they can detect most of the known vulnerabilities of software. So how can security bugs still be a thing?
What is bug bounty hunting program?
While there are security issues that arise from changes in technology and other external factors, the main answer is that at its base hacking is creative thinking and creative people can think in wildly different ways.To put it simply if there is a security issue in a company’s product, the company wants to be one of the first to find out, so they are willing to reward anyone that reports one. When a company comes forward and states that it is willing to reward individuals for reporting bugs, it is posting a Bug Bounty Program (BBP). By doing this, the company gets a much larger number of people to test their products, security professionals have an alternative or complementary way of income by doing what they do best, and the users get a much safer digital experience. Everybody wins!
It should be noted that a Bug Bounty Program is not a playground for hackers. Bug bounty hunters must adhere to the code of conduct/policy of each Bug Bounty Program or bug bounty platform, not only to meet expectations for behavior, but also because by doing so they can become more effective and successful during their bug report submissions.
Adding to the above, the exposed web assets of a company can be often an attractive path for an attacker. Nowadays, EDR and Identity Management systems make it really hard for an attacker to get an initial foothold in an organisation in another way. By including these assets in the scope of a bug bounty program, organisations supplement the internal code audits and penetration tests with continuous and proactive security testing and round up their vulnerability management strategy.
These bug bounty programs usually have documentation that specify the rules that must be followed for an award to be rewarded, the types of bugs that each company considers “bounty -worthy” and the price that they are willing to pay for each category of bug. The latter can start from just an honourable mention or a piece of swag and get up to more than $50,000. Over the last few years, bug bounty hunting has become a valid career option.
Bug bounty hunting 101
While bug bounty hunting can be proven highly lucrative, and it certainly has been for some people, there are also different reasons that people choose this professional path. First of all, being the boss of your own self gives you a lot of freedom. You do not have to be hired and your skills are the only thing that matters,so nobody is going to judge you based on your looks, personality etc. There are people that started their cybersecurity journey late and do not have a computer science degree. Working as a freelance bounty hunter allows a massive amount of flexibility for people that can not work on a 9-5. Also, these platforms allow people from less wealthy countries to have much higher earnings in comparison to having a regular job.
Just reading through these bug reports can be a fun learning experience for most hacking enthusiasts. Some of them are really complex and can give you a headache just by reading them but not all of them. In 2016 a researcher disclosed a bug to facebook that could allow him to reset the password and take control of any account. When you would request to change your password, Facebook would send a 6-digit PIN in either your phone or mail that you had to submit. You had a limited number of tries to get this password right before you get locked out. What the researcher found out, was that the lockout mechanism was not implemented on beta.facebook.com and mbasic.beta.facebook.com. This is a very clever hack but it does not sound that complicated, probably a lot of readers could replicate this if this was still applicable. So next time somebody asks you “Can you hack a Facebook account for me?” after learning that you are a hacker, you can reply “If I ever find a way I will probably report it for thousands of dollars, sorry”.
You too can become a bug bounty hunter! No buts!
But, I don’t think I am that good yet...
Relax. Most likely, you won’t start their bug bounty journey by discovering a 15.000$ bug on Facebook. There are tons of companies with bug bounty programs, and not everyone is working on everything. So there are plenty of low hanging fruit for someone to go for, before you sharpen your skills and build your confidence.
Learning the basics of web penetration testing can be a daunting task. Hack The Box can help in flattening the steep learning curve through both web-related Machines on its hacking playground and the Bug Bounty Hunter job role path on HTB Academy. The latter is recommended, if guided training is your cup of tea.
In addition, you can go for strictly technical vulnerabilities or you can try to understand the flow of the application and go for what is known as “business logic” vulnerabilities, you may find a flaw in the process that nobody has noticed yet!
But it sounds illegal, is it?
Nope. Going blind and trying to attack everything that comes your way is not recommended. A certain degree of professionalism is expected, that includes everything from the way you communicate and interact with the companies to being mindful of what exploits you use and where you use them. You can find online information on which companies offer bug bounties. These programs can be found either in their websites or in one of the bug bounty platforms that are available. HackerOne has the most comprehensive list of companies with bug bounty programs, a webpage that aspiring bug hunters should bookmark. Even if you came across a vulnerability by accident(as a pentester this is often the case) the responsible thing to do is to report it to the affected company and/or website and they may even reward you regardless.
But do I have to use a specific method to do this?
Yes and no. Most bug bounty hunters fall under two categories, they either are very good at specific techniques (e.g. XSS) and try to apply this on everything or they take each application as a new project and work on it from start to finish checking everything(this is where most business logic errors are discovered). There is no correct way to do this. While there are specific methodologies that are battle-tested, and a lot of automated processes that get used to get ahead of the competition in this highly competitive and often time-sensitive field, thinking outside of the box is still crucial. Do not forget, each individual thinks creatively in a different way! Do what works best for you and by gathering experience you will form your own process.
Bug Bounty Hunting vs Penetration Testing
The terms Bug Bounty Hunting and Penetration Testing should not be used interchangeably. Find below some key differences.
- Can be continuous - Time-limited.
- Can be more specialized (in terms of both scope and skills required) - Usually broader.
- Maximum impact is usually showcased - Showcasing maximum impact depends on the engagement’s time-sensitivity.
- Multiple perspectives coming from the numerous involved researchers - Limited perspective coming from the hired firm.
- No remediation advice required usually - Remediation advice required.
- Both require professionalism to be successful.
- Both do not require a degree or certification.
Where to start?
An expensive setup, commercial-grade tools and specialized equipment are not required. All these things are quality of life improvements but they are not by any means necessary. A mid range laptop and a decent Internet connection is usually enough and while there are expensive software tools, most of the tools that hackers use are free. Plus, it is not very likely to get paid for something that comes off as a result of a scanner because it will probably be already reported.
If you read all this and think to yourself “Now I want to be a bug bounty hunter too”, you should definitely! You can totally try it for a few weeks to see if this is a journey you would like to take. It can be a side project in your spare time or you can try hard to try to get results fast.
Not sure where to start? One of the best online resources to identify bug bounty programs of your liking is HackerOne’s Directory. HackerOne’s directory can be used for identifying both organizations that have a bug bounty program and contact information to report vulnerabilities you have ethically found. You can also draw inspiration from HackerOne’s hacktivity that includes public bug reports.