What is Bug Bounty? A Complete Beginner's Guide to the Bug Bounty World

Bug bounty hunting is an accessible entry point for students, job seekers and cyber security enthusiasts who want to step into information security. Attackers use increasingly sophisticated techniques to breach networks and servers and steal confidential data. Bug bounty programs were introduced to help defend that data: a company uses crowdsourcing, inviting outside researchers to find and report security bugs in its websites and applications.

Bug bounties are closely related to responsible disclosure programs (also called vulnerability disclosure programs) and are sometimes called vulnerability reward programs. The difference is the reward: a disclosure program only gives researchers a sanctioned way to report, while a bounty program pays for valid reports with cash, swag or a place in the company's hall of fame. A technical team reviews every submission, verifies which ones describe genuine bugs, and pays out bounties for the valid ones.

Bug bounty programs let companies control spending: hiring a professional penetration tester costs thousands of dollars whether or not anything is found, whereas a bounty is paid only for a confirmed vulnerability, scaled to its severity. That economics is why bounty programs have become more and more popular. Platforms such as Bugcrowd, HackerOne and Bounty Factory (since folded into YesWeHack) run and manage programs on behalf of their customers: they triage incoming reports, validate them and pay the bounties. Others, such as GitHub, run their own programs directly.

A bug bounty program is offered by many website and software vendors: individuals receive rewards and recognition for reporting bugs, particularly exploitable security vulnerabilities. These programs help developers find and fix flaws before the general public, or an attacker, discovers them, preventing the widespread breaches that follow a public exploit.

Why Bug Bounty 

Bug bounty programs give hackers real-world experience on production systems, with a reward at the end of the process, and they encourage professional ethics, since the rules require that any loophole found is reported to the company rather than abused.

By running a bounty program, companies find bugs before they are discovered by the public or by attackers, so that the flaws cannot be misused. They set up a technical team which reviews the submitted bugs and validates them before any payout. Bounties can also be a reasonable source of income to sustain yourself while you learn, although as an amateur you should expect that income to be supplementary at first.

 

Misconceptions about Bug Bounty

It is widely believed that a bug bounty hunter has to be an expert programmer. Coding knowledge is far from useless, since reading source code and writing small tools makes many bugs easier to find, but it is not a mandatory prerequisite. You can learn the basics of bug bounty hunting on your own.

People also think they can become rich overnight by bug bounty hunting. That is not true. You are rewarded only for bugs that pose a real threat to the company's security, and finding those is not as easy as it looks: it takes considerable expertise and a lot of time to find a bug that meets the criteria for payment.

Implementing Bug Bounty Programs

Organizations of different sizes find bugs in different ways, depending on what they can afford. Here is how they typically plan their programs.

Large organizations such as Google and Facebook have vast technical and financial resources, so they run their own bug bounty programs to find the flaws their developers and security teams missed. They manage every aspect of the program themselves: setting reward amounts, triaging and reproducing reports, and corresponding with security researchers.

Mid-sized and small enterprises usually lack the resources to run their own programs, so they turn to bug bounty platforms instead. The platform handles the steps involved: it recruits and communicates with researchers, triages and analyses the reports, and manages payment. For the company this is a fairly simple and affordable arrangement.

Other companies run time-boxed programs at regular intervals. Researchers are asked to find flaws within a stipulated window and are paid for those that merit a bounty.

 

Advantages of Bug Bounty Programs

Let’s focus on what benefits these bug bounty programs have.

Cost effective: running a bounty program is much cheaper than keeping security experts on retainer to find flaws. No regular payments are needed; the company pays only when a valid, sufficiently severe bug is reported.

Finding security loopholes: researchers spot the vulnerabilities that slip past developers and security teams. Reporting them promptly prevents many malicious attacks on the company's systems.

Continuous testing: researchers all over the world take part, so the system is probed around the clock with a wide variety of techniques and tools. Security is strengthened continuously, and the company pays only when a new, non-duplicate bug is found (platforms pay the first valid reporter of an issue).

Analysing system security: over the life of a program, the stream of reports shows which parts of your security posture hold up and which do not. Good reports include a suggested fix, so the program doubles as ongoing feedback on which security measures are effective and which are not.

What needs to be learnt?

Finding bugs requires sound knowledge of several underlying topics. Start with computer networking; it is a must and underpins every kind of security flaw you will look for. Cover the fundamentals of internetworking: IP and MAC addresses, routing, and the OSI and TCP/IP stacks.

 

Next, learn what can go wrong with system security, in both web and mobile applications: if you do not know what a given issue looks like, you cannot spot it. Then pick a specialty. Many people choose web security because it is easier to start with, but that is not a verdict you must follow; explore what suits you better.

If you choose web security, learn web programming (a server-side language such as PHP, plus the JavaScript that runs in the browser) and the protocols underneath it: HTTP, HTTPS and TLS. If you choose mobile application security, learn how apps store data on the device and how they talk to their back ends, and get comfortable with Android Studio and Kotlin.

Once you are confident in that knowledge, put it into practice.

What to do before spotting your first bug?

Now it is time to start working. The first decision is which platform to hunt on. There are several, such as Cobalt, Synack and HackerOne; note that Synack and Cobalt only admit vetted researchers, so beginners normally start on the open platforms. Since the field is competitive and rewards experience, start on a platform or program that is not crowded with experienced hunters, so the competition is not too intense.

While starting out, join unpaid programs (vulnerability disclosure programs). They are a great way to gain experience and recognition, and that reputation opens doors to paid and private programs.

Read these tips before hunting for your first bug; they stay useful throughout your journey.

As you start, find bugs in public programs and report them there. This builds recognition, and you can then be invited to private programs.

Avoid spamming low-quality or duplicate reports. You will lose reputation points.

Be courteous in your communication. A rude approach reduces your chances of receiving private invites.

Explore. Search for different types of bugs. You will gradually recognise your niche.

Don't hunt for several classes of bug at the same time. It leads to confusion and makes things unnecessarily difficult.

Go through the terms

Before you start, read the program's terms and conditions and stick to them. Stay within the scope: for whatever happens outside it, you will be held responsible. After you find a bug, give the company enough time to fix the flaw, and do not post it publicly until the fix is out or the program's own disclosure timeline has elapsed.
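Staying in scope is easier to get right with a small tool than by eye, especially once a program mixes wildcard hosts, IP ranges and explicit exclusions. The script below is an added example written for this guide, not the course's or any platform's code. The program policy it encodes (the `example.com` hosts, the `203.0.113.0/24` range and the banned techniques) is constructed for illustration; the real program page is the only authority on scope.

```python
"""Scope filter for a bug bounty program.

Added example for this guide, not the course's own tooling. The rules are
constructed for illustration: a real program's policy page is the only
authority on scope, and this script only keeps you from testing something
by accident."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


@dataclass
class Scope:
    in_scope: list = field(default_factory=list)      # host globs or CIDRs
    out_of_scope: list = field(default_factory=list)  # always win over in_scope
    forbidden: frozenset = frozenset()                # techniques the policy bans


def _matches(host: str, pattern: str) -> bool:
    """True if host matches a glob such as *.example.com, or an IP literal
    falls inside a CIDR such as 203.0.113.0/24."""
    if "/" in pattern:
        try:
            return ip_address(host) in ip_network(pattern, strict=False)
        except ValueError:       # host is a name, not an IP literal
            return False
    # fnmatch's '*' also matches dots, so *.example.com covers a.b.example.com
    # but, deliberately, not the apex example.com itself.
    return fnmatchcase(host, pattern)


def _hostname(target: str) -> str:
    """Extract a lower-cased hostname from a URL or a bare host[:port].
    Using urlsplit means 'https://example.com@evil.net/' yields evil.net."""
    url = target if "://" in target else "//" + target
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def classify(scope: Scope, target: str) -> tuple:
    """Return (verdict, reason). Out-of-scope rules are checked first so an
    exclusion carved out of a wildcard is honoured."""
    host = _hostname(target)
    if not host:
        return ("reject", "no hostname in target")
    for pattern in scope.out_of_scope:
        if _matches(host, pattern):
            return ("out-of-scope", "excluded by %s" % pattern)
    for pattern in scope.in_scope:
        if _matches(host, pattern):
            return ("in-scope", "allowed by %s" % pattern)
    return ("out-of-scope", "not listed in the program scope")


def may_test(scope: Scope, target: str, technique: str) -> bool:
    """Combine the host verdict with the policy's banned techniques: an
    in-scope host still must not be hit with, say, a DoS test."""
    verdict, _ = classify(scope, target)
    return verdict == "in-scope" and technique not in scope.forbidden


# Constructed policy, loosely modelled on a typical program page.
DEMO_SCOPE = Scope(
    in_scope=["example.com", "*.example.com", "203.0.113.0/24"],
    out_of_scope=["legacy.example.com", "*.corp.example.com"],
    forbidden=frozenset({"dos", "social-engineering", "physical"}),
)

if __name__ == "__main__":
    for t in ("https://api.example.com/v1/users?id=1", "legacy.example.com",
              "http://vpn.corp.example.com:8443/", "203.0.113.7",
              "198.51.100.7", "evil-example.com"):
        print(t, classify(DEMO_SCOPE, t))
```

Two design choices matter here. Exclusions are evaluated before inclusions, because programs routinely list a wildcard and then carve specific hosts out of it, and a filter that checks inclusions first would wave those hosts through. Hostnames are taken from a proper URL parser rather than a string prefix, so userinfo tricks and ports do not fool the check.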

Finding your first bug is exciting, but do not forget your responsibilities. The first thing to do after spotting a loophole is to prepare a proof of concept (PoC) report: explain how you found the issue, how to reproduce it, how serious it is, and what the fix is. Study reports submitted by other hunters; many disclosed reports are available on HackerOne's Hacktivity feed. They give you a good idea of the various vulnerability classes and of how to write up a report once you have found one.

Responsibilities of a bug bounty hunter

You now know broadly what a bug bounty hunter does. To summarise the responsibilities:

Spotting the bugs present in the system.

Listing and documenting the vulnerabilities detected.

Preparing a proof of concept that demonstrates the bugs, showing impact without causing damage to the target.

Want to continue bug bounty hunting?

Sticking with bug bounty hunting over a whole career is challenging, but not impossible, so don't get discouraged. You cannot rest after your first success, though. Keep learning about evolving tools and technologies, and never assume you are the only smart person in the room.

 

Attackers improve every day too, and they can easily outwit you. Stay up to date with the latest vulnerability classes and learn how to find and exploit them. Keep practising: if you lose touch, you lose efficiency. Explore the hacking world thoroughly and keep pace with your competitors.

 

Module 01 : Introduction to Bug Bounty Hunting

Module 02 : Risk of Web Applications

Module 03 : Web Server Hacking

Module 04 : Broken Authentication and Session Management

Module 05 : Denial of Service (DoS) Attack

Module 06 : Mastery on Burp Suite

Module 07 : Open and URL Redirection Concepts

Module 08 : Parameter Tampering

Module 09 : HTML Injection

Module 10 : Host Header Injections

Module 11 : Missing SPF/DMARC Records

Module 12 : File Inclusion

Module 13 : Server Side Request Forgery

Module 14 : Cross Site Request Forgery

Module 15 : Cross Site Scripting Findings and Exploitations

Module 16 : Insecure Cross Origin Resource Sharing

Module 17 : Critical File Disclosure

Module 18 : Source Code Disclosure

Module 19 : Subdomain Takeover

Module 20 : Remote Code Execution

Module 21 : XML External Entity

Module 22 : No Rate Limitation

Module 23 : Practice on Vulnerable Applications and CTF

Module 24 : Responsible Disclosure – Writing reports

 

HTTP Protocol

 

Overview of RFC 2616 (the original HTTP/1.1 specification; superseded by RFC 7230-7235 and now by RFC 9110-9112, which keep the same message structure)

HTTP Messages & Entities

HTTP Request, HTTP Response

HTTP Status Codes

Various types of encoding schemes
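The HTTP topics listed above are best learnt by writing the parsing once yourself. The following request-head parser is an added example for this guide, not course code or any server's implementation. It applies the checks a careful HTTP/1.1 server performs before it trusts a request: exactly one Host header, no conflicting body-length signals, no whitespace before a header's colon, and percent-decoding of the query string. The sample requests are constructed, not captured traffic, and `app.example` is a placeholder host.

```python
"""Minimal HTTP/1.1 request-head parser with the checks a hardened server
applies before trusting a request (added example; not the course's code)."""
import re
from urllib.parse import unquote_plus

# RFC 7230 "token" characters: what a method or header field-name may contain.
TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def _reject(reason: str) -> dict:
    return {"status": 400, "error": reason}


def parse_request(raw: bytes) -> dict:
    """Parse a raw request. Returns a dict with status 200 and the parsed
    fields, or status 400 and an 'error' string explaining the rejection."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return _reject("incomplete request head")
    lines = head.split(b"\r\n")

    # Request line: method SP request-target SP HTTP-version (RFC 7230 s3.1.1).
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3:
        return _reject("malformed request line")
    method, target, version = parts
    if not TOKEN_RE.match(method):
        return _reject("bad method token")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return _reject("unsupported HTTP version")

    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            return _reject("obsolete line folding not accepted")
        name, colon, value = line.decode("latin-1").partition(":")
        # No whitespace is allowed between field-name and colon (RFC 7230 s3.2.4).
        if not colon or not TOKEN_RE.match(name):
            return _reject("malformed header field")
        headers.append((name.lower(), value.strip(" \t")))

    # Exactly one Host header per HTTP/1.1 request (RFC 7230 s5.4). Servers that
    # silently take the first or the last are what Host header injection abuses.
    hosts = [v for n, v in headers if n == "host"]
    if version == "HTTP/1.1" and len(hosts) != 1:
        return _reject("HTTP/1.1 requires exactly one Host header")

    # Conflicting body-length signals are the classic request-smuggling
    # primitive; a defensive parser refuses rather than guessing.
    lengths = {v for n, v in headers if n == "content-length"}
    if len(lengths) > 1:
        return _reject("conflicting Content-Length values")
    if lengths and any(n == "transfer-encoding" for n, _ in headers):
        return _reject("Content-Length together with Transfer-Encoding")
    if lengths:
        (length,) = lengths
        if not length.isdigit():
            return _reject("non-numeric Content-Length")
        body = body[: int(length)]

    # Percent-decode the query string; repeated keys are kept in order, since
    # how a framework picks among them is itself a source of bugs.
    path, _, query = target.partition("?")
    params = {}
    for pair in query.split("&") if query else []:
        key, _, val = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(val))

    return {"status": 200, "method": method, "path": path, "version": version,
            "host": hosts[0] if hosts else None, "headers": headers,
            "query": params, "body": body}


# Constructed sample requests (not captured traffic).
SAMPLE_OK = (b"GET /search?q=%3Cscript%3E&q=safe HTTP/1.1\r\n"
             b"Host: app.example\r\nUser-Agent: demo\r\n\r\n")
SAMPLE_DUPLICATE_HOST = (b"GET / HTTP/1.1\r\nHost: app.example\r\n"
                         b"Host: attacker.example\r\n\r\n")
SAMPLE_SMUGGLE = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
                  b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
                  b"0\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_DUPLICATE_HOST, SAMPLE_SMUGGLE):
        print(parse_request(sample))
```

Run it against the three samples and compare with how a real server or proxy in your lab answers the same bytes; the places where the two disagree (a second Host header accepted, a Content-Length plus Transfer-Encoding request not rejected) are exactly the behaviours the Host Header Injection and request smuggling material later in the course builds on.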

Web servers and clients

 

IIS Server, Apache Server and Other Servers

Browsers

Browser’s same origin policy

Other Web enabled Clients

Server-side and Client-side security controls

 

Input Validation & Output validation (encoding)

Insufficient input & output validations

Validation approaches

Bypass thin/thick(decompile) client validations

Leveraging Ajax and web 2.0 in attacks

Bypass Server-side validations

Mastering Burp suite

 

Introduction to burp suite

Configuring burp suite

Burp proxy, Burp Spider, Burp Intruder, Burp Repeater, Burp Sequencer

Injections

 

SQL Injection, Blind SQL Injection, Command Injection, LDAP Injection, XPath Injection, SOAP Injection

Other Injections

Implications of Injections

Test methodology for injections

Remediation

Cross-site Scripting

 

Reflected XSS, Stored XSS, DOM XSS

Implications of XSS

Test Methodology for XSS

Remediation

Cross-site Request Forgery

 

CSRF with GET method

CSRF with POST method

Implications of CSRF

Test methodology for CSRF

Remediation

Authentication testing

 

Guessable Passwords

Failure Messages

Brute forcing login

Plain text password transmission

Improper implementation of forgot password functionality

Remember Me Functionality

Guessable User names

Multi factor authentication flaws

Fail-Open Login Mechanisms

Insecure Storage of Credentials

Remediation

Authorization testing

 

Introduction to authorization

Implementation weaknesses in authorization

Horizontal privilege escalation

Vertical privilege escalation

URL, Form, cookie based escalation

 

Reconnaissance

 

Footprinting Domain details

OS and Service fingerprinting – Netcraft.com, banner grabbing, httprint

Google hacking

Load balancer Identification

Spidering a website (wget, Burp spider)

Application flow charting

Relationship analysis within an application

Software configuration discovery

SSL & Configuration testing

 

Testing SSL/TLS protocol versions and cipher suites

Testing SSL certificate validity (client and server)

Infrastructure and Application Admin Interfaces

Testing for HTTP methods and XST (cross-site tracing)

Testing for file extensions handling

Old, Backup and Unreferenced Files

Application Configuration Management Testing

 

Session Management testing

 

Need for session and state

Ways to implement state

How session state work

What are cookies

Common Cookies and Session Issues

Man in the middle

Brute force web applications

 

Brute force authentication, Brute force Authorization, Brute force web services, Brute force web server, Brute force .htaccess

Parameter Manipulation

 

Query string manipulation, Form field manipulation, Cookie manipulation, HTTP header manipulation

Other Attacks

 

Sniffing, Phishing & Vishing

D(D)OS Attacks

Unvalidated Redirects and Forwards

Firefox security add-ons (note: most of the add-ons listed here were legacy extensions that stopped working when Firefox 57 dropped the old add-on model in 2017; Burp and the browser's built-in developer tools now cover the same ground)

 

Tamper Data

SQL inject me

XSS me

Firebug

Live HTTP headers

Foxy Proxy

Web Developer

Automated Scanners

 

Acunetix, IBM AppScan (now HCL AppScan), Burp Scanner

Effectiveness of Automated tools

Reduction of False positives and false Negatives

 

OWASP Top 10 Vulnerabilities (the 2017 edition, followed by two further classes)

 

Injection attacks

Broken authentication

Sensitive Data Exposure

XML external entities (XXE)

Broken access control

Security misconfigurations

Cross site scripting (XSS)

Insecure deserialization

Using components with known vulnerabilities

Insufficient logging and monitoring

Cross site request forgery

Server side request forgery

Conclusion

Though "bug bounty" has become a common term, not everyone knows exactly what it means, and you may have been confused about it too. Having read this far, I hope the article has given you a grip on the important concepts.

 

And yes, it is worth knowing that you can take this up as a career. The early days will be difficult, but things take shape with experience and the right amount of time invested.

 

We have discussed in detail what you need to learn, how to start working and what to follow as a bug bounty hunter. It is a demanding field that never stands still, but being part of it is extremely interesting. Keep learning and nothing can stop you from growing.

 

Enroll Today and Get Trained!

For details such as fee, duration and eligibility, click Get Started to chat with us.