How to get started with Bug Bounty?

What is Bug Bounty?

Bug Bounty is a program arranged by companies to add an extra layer of web security to their websites and online software. It is a crowd-sourced penetration testing program which rewards the participants for finding the bugs in the system and providing the solution to resolve the bugs. For the students, researchers or web security experts, it is an excellent opportunity to test their web security and domain-specific skills, and they will get paid as well if they find any security bugs.

The number of companies which are organizing these crowd-sourced programs is increasing day by day, so the number of opportunities for bug finders is also increasing.

Apart from the old knowledge of programming, bug bounty hunters should have additional skills to perform well in this program. There are different types of bug finders. Some are good at web development, while some are experts in cybersecurity.

So, we will discuss the steps and skills required to become a bug bounty hunter: :

1. Learn Computer Networking

Computer Networking is the primary and necessary skill that bug bounty developers should have. Although, so much of expertise is not required in the computer networking but all the basics should be clear. The developer should have a clear idea about the fundamentals of networking, OSI model (Open System Interconnection), IP (Internet Protocol) address, MAC (Media Access Control) address, TCP/IP model etc. To clear the basics of computer networking, you can learn from many good websites like javatpoint.com

2. Get Familiar with Web Technology

Bug Bounty hunters should have a clear idea about the basics of web development. He should have a clear conceptual idea about HTML, CSS and JavaScript, which is more than enough to start a career as a developer. We can also learn different protocols used in web development like HTTP (HyperText Transfer Protocol), FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol), TLS etc.

There are various resources available online and many books to learn web technologies.

3. Learning Web Application Security Measures and Hacking Techniques

This skill includes the basic security mechanisms, general bugs and vulnerabilities in the system software and different ways to resolve those bugs.

There are some books to learn these skills:

• Web Hacking 101
• Web Application Hacker’s Handbook
• Mastering Modern Web Application Penetration Testing

4. Practicing and polishing the basic skills

If we work on our existing skills more and more, it will be better every time. So, in web security, if we try different targets with different difficulty levels, then it will be easier to find out the bugs even if the website is too secure or already tested by the testers.

We can use the following resources to enhance our skills:

Vulnerable web applications

These are the web applications which are intentionally designed with vulnerabilities and bugs. There are a lot of variants of these applications based on the different kinds of vulnerability so that the developer can practice their skills through these apps.

Some of the examples of these apps are:

• OWASP Webgoat
• Cyclone Transfer
• BWapp
• DVWA (Damn Vulnerable Web Application)
• Juice Shop
• SQLol
• Rails Goat
• Bricks
• Hacme
• Butterfly Security Project

In the above applications, DVWA, BWapp and Webgoat are the best if you are a beginner.

5. Real Testing Targets

If you follow the above four steps, then you have a sufficient skill set as well as practice for the bug bounty hunter. Now you can do the real testing by implementing your skills on real websites. There are many websites which organize their bug bounty program. Some of them are as follows:

• https://www.hackerone.com/
• https://www.bugcrowd.com/
• https://www.intigriti.com/
• https://yogosha.com/
• https://www.yeswehack.com/

These are the top websites that pay a high amount of reward to find the bugs in their websites. However, it is very difficult to find out the bugs because competition is tough, and the world’s top developers or bug bounty hunters are also working on the same.

6. Staying Current on the Latest Vulnerabilities

With this skill, you can follow famous researchers and analyze their works in the same field. We can also read the reports which are disclosed from the various platforms like HackerOne etc.

Some of the researchers you should follow are:

• PortSwigger
• Exploitdb
• Geekboy
• Jason Haddix
• Jobert Abma
• Frans Rosen

If you want to become a bug bounty hunter then your academic background does not matter. The only thing that matters is your skills.

Bug Bounty Hunting Tips & Tricks

Here are some things you should consider when starting as a bug bounty hunter:

1. Be patient. This isn’t something you can rush. If you don’t like sitting around all day, bug bounty hunting probably isn’t for you. However, if you enjoy spending hours upon hours trying to find vulnerabilities in various websites, then bug bounty hunting will suit you well.
2. Find the right bug bounty training tools early on. Many bug bounty training resources available online teach you everything about hacking software applications. Some tutorials focus solely on web apps, while others cover mobile app development. Regardless of where you begin learning, take advantage of every resource possible to know what to do next.
3. Learn everything there is to learn about security. Countless online books teach you everything from basic hacking techniques to advanced penetration testing methods. You’ll increase your chances of finding exciting bugs by learning as much as possible.
4. Stay safe. Hackers need to remain anonymous while performing their duties. To do this, they usually utilize VPNs. These allow users to access networks anonymously through different servers located worldwide. Also, avoid downloading suspicious files and check file extensions before opening them. Finally, never share personal details over social media platforms. Doing so could put your identity at risk.
5. Don’t forget to document everything! Once you’ve identified a flaw, take screenshots of the affected website and its URL. You may also want to record video footage or audio recordings of the attack itself. The more evidence you collect, the better your chance of getting paid.
6. Keep track of your progress. As mentioned earlier, many companies offer bounties on certain types of bugs. So make sure you log any exploits you discover. This way, you won’t miss out on anything important.
7. Always report responsibly. Never trick anyone into thinking you found a serious issue just because you’re looking for money. Instead, inform the site owner first and let him decide whether he wants to pay you for his mistake.
8. Practice makes perfect. Even though you should know how to code already, practicing coding challenges helps improve your bug bounty knowledge. Plus, it gives you practice identifying flaws within applications.
9. Get creative. If none of the above tips appeal to you, then consider becoming an ethical hacker. Ethical hackers don’t use illegal means to identify website vulnerabilities; they find them using legitimate software like Metasploit. However, keep in mind that not all jobs are created equal. Some positions can pay significantly less than others.
10. Hone your bug bounty hunting skills and hack responsibly. While some hacks require little effort, others involve breaking into systems or stealing data. Before attempting such tasks, make sure you understand the risks involved.