How to get started in Bug Bounty: The Guide
This post contains excerpts from my book Black Hat Rust, where you'll learn Rust, offensive security and cryptography.
Bug bounty 101
Bug bounty programs are the uberization of offensive security. No interview, no degree asked. Anyone can join the party and try to make money or a reputation by finding vulnerabilities.
If you are lucky, you could find a low-hanging fruit and make your first hundreds to thousands of dollars in a few hours (hint: subdomain takeover).
If you are less lucky, you may quickly find vulnerabilities, whether automatically or manually, then spend time writing the report, only to have it dismissed as not eligible: either a duplicate, or not considered serious enough to deserve a monetary reward.
This is the dark side of bug bounties.
I recommend only participating in bug bounty programs that offer monetary rewards. Those are often run by the most serious people, and your time is too precious to be exploited.
Engineers are often afraid to ask for money, but you should not be. People are making money off your skills; you are well within your rights to claim your piece of the cake!
Public vs Private bug bounty programs
Some bug bounty programs are private: you need to be invited to be able to participate.
My limited experience with private bug bounty programs was extremely frustrating, and I swore to never (even try to) participate again: I found an SSRF that could have been escalated into something more serious. I found that the company was running a bug bounty program, so maybe I could take time to report it.
But the program was private: you needed an invitation to participate. I had to contact the owners of the platform so many times. Unfortunately, so much time passed between the day I found the vulnerabilities and the day I was finally accepted into the bug bounty program that I was already working on something completely different, and I had lost all interest and energy to report these bugs 🤷‍♂️
Another anecdote about a private bug bounty program: I found an XSS on a subdomain of a big company that could have been used to steal session cookies. As the company was not listed on any public bug bounty platform, I privately contacted them, explaining the vulnerability and asking if they offer bounties. They kindly replied that yes, they sometimes offer bounties, depending on the severity of the vulnerability. Apparently a kind of non-official bug bounty program. But not this time, because they said the vulnerability had already been reported. Fine, that happens all the time, no hard feelings. But a few months later, I re-checked, and the vulnerability was still present, along with many more. Once bitten, twice shy. I didn't report these new vulnerabilities, because again, it seemed not worth the time, energy, and mental health to deal with that.
All of that to say: bug bounty programs are great, but don't waste time on companies not listed on public bug bounty platforms. There is no accountability, and you will just burn time and energy (and go crazy in the face of their indifference while you kindly help them secure their systems).
Still, if you find vulnerabilities in a company's systems and want to help them, because you are on a good day, don't contact them asking for money first! It could be seen as extortion, and in today's climate, with all the ransomware around, it could bring you big problems.
First, send a detailed report about the vulnerabilities, how to fix them, and only then, maybe, ask if they offer rewards.
Unfortunately, not everyone understands that if we (as a society) don't reward the good guys for finding bugs, then only the bad guys have incentives to find and exploit those bugs.
Here is another story of a bug hunter who found a critical vulnerability in a blockchain-related project and then was totally ghosted when the time came to be paid: https://twitter.com/danielvf/status/1446344532380037122.
Bug bounty platforms
How to succeed in bug bounty
From what I observed, the simplest strategy to succeed in bug bounty is to focus on very few (2 to 3) companies and have a deep understanding of their technology stack and architecture.
For example, the bug hunter William Bowling seems to mostly focus on GitLab, GitHub, and Verizon Media. He is able to find highly rewarding bugs thanks to his advanced knowledge of the technologies used by those companies.
The second strategy, far less rewarding but more passive, is to simply run automated scanners (if allowed) on as many targets as possible and to harvest the low-hanging fruit such as subdomain takeovers and other configuration bugs. This strategy may not be the best if you want to make a primary income out of it. That being said, with a little bit of luck, you could quickly make a few thousand dollars this way.
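Since subdomain takeover comes up twice here as the typical low-hanging fruit, this is the defender-side check for its root cause: a CNAME record left pointing at a name that no longer resolves. It is an added example, not code from the post or the Black Hat Rust repository; the zone contents and the resolver are constructed stand-ins, and only the "target does not resolve" indicator is covered (a target that resolves but whose provider reports the resource as unclaimed needs a provider-specific check).

```python
"""Audit a DNS zone for dangling CNAME records (added example, constructed data)."""
from typing import Callable, Dict, Set, Tuple

# Constructed sample zone: hostname -> CNAME target. Not real records.
CONSTRUCTED_ZONE: Dict[str, str] = {
    "www.example.test": "edge.cdn-provider.test",
    "shop.example.test": "old-shop.hosting-provider.test",  # provider account closed
    "docs.example.test": "alias.example.test",              # in-zone chain, 2 hops
    "alias.example.test": "pages.docs-host.test",
    "loop.example.test": "loop2.example.test",              # misconfigured loop
    "loop2.example.test": "loop.example.test",
}

# Constructed stand-in for the resolver: names in this set have an address record.
CONSTRUCTED_RESOLVING_NAMES: Set[str] = {"edge.cdn-provider.test", "pages.docs-host.test"}


def constructed_resolver(name: str) -> bool:
    """Stand-in for a real A/AAAA lookup; swap in your DNS library here."""
    return name in CONSTRUCTED_RESOLVING_NAMES


def follow_cname(name: str, zone: Dict[str, str], max_hops: int = 8) -> Tuple[str, bool]:
    """Follow the CNAME chain inside our zone. Returns (terminal name, looped?).

    The terminal name is the first target outside the zone, which is what
    must still resolve for the hostname to be safe."""
    seen: Set[str] = set()
    current = name
    while current in zone:
        if current in seen or len(seen) >= max_hops:
            return current, True  # loop or runaway chain: flag, never spin forever
        seen.add(current)
        current = zone[current]
    return current, False


def find_dangling(zone: Dict[str, str], resolves: Callable[[str], bool]) -> Dict[str, str]:
    """Map each risky hostname in the zone to the reason it was flagged."""
    findings: Dict[str, str] = {}
    for host in zone:
        terminal, looped = follow_cname(host, zone)
        if looped:
            findings[host] = f"CNAME loop via {terminal}"
        elif not resolves(terminal):
            findings[host] = f"target {terminal} does not resolve; remove or reclaim"
    return findings


if __name__ == "__main__":
    for host, reason in find_dangling(CONSTRUCTED_ZONE, constructed_resolver).items():
        print(f"{host}: {reason}")
```

Run this against an export of your own zones on a schedule, and treat every new finding as a record to delete before anyone else notices it.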
Bug bounty report template
Did you find your first bug? Congratulations!
But you are not sure how to write a report?
In order to save you time, I've prepared a template to report your bugs.
You can find it in the accompanying GitHub repository: https://github.com/skerkour/black-hat-rust/blob/main/ch_14/report.md.