We will study the rules of bug bounty hunting in the following sections.
Rules of bug bounty hunting
Targeting the right program
Targeting a bug is not a matter of luck. Instead, it is considered to be a matter of skills and luck. Don't waste time on finding the already reported bugs. Otherwise, you may end up being depressed by the duplication. It is suggested to spend time on understanding the functionality of the application. Also, try making notes and have a track of suspicious endpoints. You are not going to earn a satisfactory amount for the known issues if you are too early or the first one to report. If you get to know about a program within 10 to 12 hours of its launch, don't waste your time in looking for the issues at the surface level; rather, take a deep dive into the application.
Approaching the target with clarity
If you are inspecting for vulnerabilities such as CSRF, XSS, subdomains, and so on, then you may end up getting several duplicates or not getting any bug at all. It is suggested to first check their documentation and then understand the functionalities and privileges of target users.
Keeping your expectations low
Don't expect any specific reward after reporting the bug. So, whenever you report a bug, close the report and start looking for other bugs and vulnerabilities. Develop a mindset of hunting bugs instead of hunting bugs in a matter of hours.
Learning about vulnerabilities
A pretty common scenario is that a lot of new bounty hunters just start searching for bugs without having a basic knowledge of how things work. As far as my personal experience is concerned, you will not get to know how an application works and the flow of the application until and unless you know how it is built. It is vital to know how the application is built in a programming language before you start breaking it.
Keeping yourself up-to-date
- Create a Twitter handle and go to the HackerOne leaderboard: https://hackerone.com/leaderboard/all-time.
- Go to their HackerOne profile one by one and follow them on Twitter. Keep on marking their pages.
- Read the HackerOne disclosed activity at http://h1.nobbd.de/.
- Join Bug Bounty World on Slack and keep reading their blogs, tools, general channels, and their conversations about testing, and share what you know.
Automating your vulnerabilities
In order to automate your vulnerabilities, you need to learn scripting and learning a programming language is highly recommended. JS, Python, Ruby, Bash, and so on. are some of the best scripting languages that even know some curl tricks for basic bash commands scripting.
Gaining experience with bug bounty hunting
It is saddening when a bug hunter receives no bounty. However, getting no bounty adds to experience and knowledge. You can always take bug bounty hunting in a positive way and motivate yourself.
Chaining vulnerabilities
Whenever you identify a vulnerability, the foremost question should be, what security impact is the bug going to make on the application? You can either start hunting with the goal of finding a bug or you can start hunting with a vision of looking for the best impact in the application. The former vision is an isolated one, whereas, the latter upholds a wider point of view.