There are no software requirements associated with this section: you can explore all the resources listed here with just a standard web browser. In our case, that's Chrome (66.0.3359.139).

There are many different choices for bug bounty programs to participate in, but most boil down to two types: third-party marketplaces and company-sponsored programs.

Marketplaces are sites that match companies and researchers. They standardize the submission process, rules of engagement disclosure, and other documentation, while providing forums, teaching blogs, and other services to the community. Marketplaces are good sources of technical information and the metrics they typically collect – related to things such as a company's response time and average payout – can help you decide where to direct your efforts...

Once you've narrowed down the program you're going to participate in – or maybe you've skipped that and are just plowing through random sites, looking for easy pickings – you can start evaluating individual applications for testing.

Doing so requires an understanding of each application's attack surface. As a quick refresher, Wikipedia sums it up succinctly:

We'll get into actual Attack Surface Analysis in the next chapter, preparing for an engagement, but it helps to have a simple idea of it while evaluating different options.

Using that definition of an attack surface...

It's important before beginning an engagement to closely read the rules of engagement (sometimes also called a code of conduct) to understand the bounds of what is accepted within the program.

The Rules of Engagement lay out:

• What techniques are allowed in the source of testing
• What sites/domains/apps are open to pentesting
• What parts (if any) of those apps are excluded from testing
• What vulnerabilities merit the highest payouts
• What vulnerabilities will not receive a payout at all
• What credentials/account you should use as a security researcher (for a social network or something with authentication-restricted pages, companies will often offer pentesters a path to creating an account they can use to test user-restricted functionality)

The RoE are extremely important not just because they affect your ability...

This chapter discussed the criteria you can use to evaluate bug bounty marketplaces, programs, and individual pentesting targets. It covered different types of programs, their distinguishing features, and some of the basics of the bug bounties offered by Amazon, Facebook, Google, GitHub, and Microsoft, along with the learning resources and the general value of third-party bug bounty marketplaces such as Bugcrowd, HackerOne , Vulnerability Lab, BountyFactory, and Synack. It also went over the appeal of swag reward programs, the unique role of the Internet bug bounty Program, the nature of Coordinated Vulnerability Disclosure and the risks in using third-party brokers, along with how the Rules of Engagement/code of conduct for different bug bounty programs can differ. Finally, it covered setting up systems and processes within your own pentesting engagements to abide by...

1. What are some differences between third-party marketplaces such as Bugcrowd and bug bounty programs offered by individual companies?
2. Is it worth it to participate in programs that reward vulnerabilities with swag? Why or why not?
3. What's a private bug bounty program?
4. What are some resources you can use to find programs not covered in this chapter?
5. What makes a site more or less attractive as a hunting ground for reward-eligible bugs?
6. What is coordinated vulnerability disclosure?
7. What steps can you take to minimize your legal liability during a pentesting session?

You can find out more about some of the topics we have discussed in this chapter at:

• Google Alerts: https://www.google.co.in/alerts
• BountyFactory: https://bountyfactory.io/en/index.html
• Google Bughunter University: https://sites.google.com/site/bughunteruniversity/
• Firebounty: https://firebounty.com
• The internet bug bounty program: https://internetbugbounty.org/