I had written this post a little while on www.breakthesecurity.com, but I thought to share it here too as this post built quite an interest among most of the Beginners who want to start BUG BOUNTY.
After presenting this topic at NULL Bangalore Jan Meet, I got loads of appreciation from various people , and one such appreciation I got was from my friend Sabari Selvan. And that’s why I decided to write an article about the presentation I gave.
This article gives you an insight with hunting bugs, and hopefully it becomes a kick-starter guide for the beginners who want to start off with bug bounty.
Well, today hunting bugs in the wild has become a new trend. Coz almost every company has started a responsible disclosure page and hence allows hackers like us to make some name, fame and money…:P I too was fascinated to start off with bug bounty when I saw my friends around me getting those flashy Facebook Bug Bounty Whitehat Card or when they got a new payment for finding a bug or when they got a new T-Shirt from a company.
Before knowing about BUG BOUNTY, let’s see the types in which the Vulnerability Disclosure is done.
We generally have two ways of disclosing vulnerabilities:
- Full Disclosure
- Responsible Disclosure
Full Disclosure is when a person goes onto his blog or any other form of public media and writes about the vulnerability that he discovered in the wild most of the times without informing the company where he found the vulnerability. This would allow various other hackers around the world to exploit this vulnerability. This would sometimes lead to problems because the company where you found the bug has got every right to take legal actions against you for letting out the information.
Responsible Disclosure is where the person who finds a vulnerability in a website directly tells it to the authorities of that website, so that they can rectify the issue as early as possible. And most of the companies reward them in return for reporting the vulnerability. And this is what is BUG BOUNTY.
Well, bug bounty is indeed really a nice way to earn money. But more than money when your name comes up in their HALL OF FAME or the company’s RESPONSIBLE DISCLOSURE page, then that’s priceless. Coz that is what gives your resume some extra weightage and makes you stand out when compared to your peers.
Books to read before Hunting Bugs:
Well, these are the book I generally recommend anyone who wants to start off with web application pen-testing or particularly BUG BOUNTY.
- Web Application Hackers Handbook , Second Edition(Considered to be the Bible of Web Application Pen-testers)
- Hacking- The Art Of Exploitation
- OWASP Testing Guide v3.0
BUG Hunter’s TOOLKIT:
These are the basic tools that most of the bug hunters generally use and suggest.
- Burp Suite
- Web Scarab
- Paros Proxy
Mozilla Firefox is the best browser if you want to hunt bugs. And it is the best one coz of its awesome addons that ease our job.
Mozilla Firefox ADDONS:
- Tamper Data
- Web Developer Extensions
- Live HTTP Headers
- XSS Me Sidebar
- And many more…
Other Useful Tools:
Camtasia Sreen Recorder and Snipping Tools (Useful for creating Proof Of Concepts).
List Of BUG BOUNTY Programs:
Well here is the link that provides you a BIG list of Bug Bounty Programs and Responsible Disclosure Pages.
Other ways to earn BOUNTY:
Recently I came across this new startup called BugCrowd that manage organized Bug Bounty for various companies.
Just register yourself to start off with hunting bugs and earn money.
It’s a nice initiative indeed where in it’s a win-win situation for everyone. The company gets its site tested from best of the best hackers across the globe and indeed the hackers get paid for finding bugs and reporting it to them.
Anyways, I hope the above article gives enough info to start off with Bug Hunting. Anyways I wish ALL THE BEST to all the beginners who want to start off with Bug Hunting.
“If you’re good at Something, then never do it for FREE…!!!”