Rules of Bug Bounty
Targeting a Bug Bounty Program
How long you target a program?
“some hours or a night” if this is your answer Then That’s where you are doing everything wrong. Bug Hunting is Matter of Luck and Skill’s .Spending just a few hours on a program could be waste of time Because those bugs are mostly reported by someone else. You May end up getting depressed by duplicates , at least Spend a week on it . Take time to understand the how an application work. keep notes and track of Suspicious endpoints.
you’re not going to earn for well-known issue unless you’re very early to report. If you find out about a public program after 10 or 12 hours of its launch. Don’t waste time looking for known issues or low hanging fruit. Just take deep dive into the application.
How do you Approach the Target?
if your Answer is Just by signup at your Target, Checking For Vulnerabilities like XSS, CSRF, Subdomain’s etc, Then This Could be the problem where we end up getting many duplicates or worse not getting any bug. So first check their documentation . Recon your Target. Understand the privileges of the user’s in target and target functionalities. Check their doc’s, Information Gathering.
Don’t Expect Anything!
This is the most common thing we do After Reporting a Bug, we expect the upcoming reward amount. Don’t Expect anything just submit your report and start looking for other bug’s Because this is how you can find more vulnerability.
If we made the mindset that we are going to hunt bugs in matter of hour’s or a day then most of the time it will not work. Maybe you will not get bounty every time but you will get experience for sure.
Less Knowledge about Vulnerabilities and Testing Methodologies
This is also common scenario for lot of new bounty hunters. we start looking for bug’s without basic knowledge of how things are working in the target. First, we should now how things work what are the reason for a vulnerability to trigger. it is necessary for us to first know how this application is Built with Programming language before we start breaking it.
Surround yourself with Bug-Bounty Community to keep yourself Updated.
“You Become Your Surroundings” surrounding yourself with Bug Bounty community will not only help you in getting knowledge it will help you in going into right direction.
“Automation is Power” Need of scripting is also important. It Is highly important to learn some programming languages. Some of the Best scripting languages are: PYTHON, BASH, RUBY, JS, even knowing some of curl tricks or basic bash scripting, we have power in our hands for automate a lot of work.
GET BOUNTY or GET EXPERIENCE
As a Bug Hunter, sometimes we feel sad when no bounty is rewarded it can be of any reason duplicate or maybe something else. However, we always gain knowledge, experience and our skills are improved. lot of our life’s part is made by emotions; is about how we feel our life moment after moment. So sometimes taking a break can help you a lot. doing all the things that make you happy: so! if you do bug bounties, be happy, be fun, that’s the final goal of everything.
FIND THE “BUG” or FIND A “BUG’S CHAIN”
If you find a BUG, always ask yourself: what kind of security impact it will make on the application. So, when you start hunting rather then thinking of “finding a bug” start thinking like “impact of your bug on the application”. Because in final your reward is based on your bug’s impact on the application. So always think how can a low severity bug can lead you to a high severity bug.
FOLLOW MASTER’S PATH
Always ask yourself how to improve your skills, for that follow awesome hackers write-ups follow them on social media check for the new vulnerability and always try to learn about a new bugs or a vulnerability .
RELAX & ENJOY LIFE:
In the final relax and enjoy life because when we hunt with a rested mind, we can see beyond the bugs and all of the important details that counts for a successful attack or PoC.