micahlerner.com

Getting started in Bug Bounty Hunting

Published December 17, 2019

Last week my first vulnerability was resolved and disclosed on HackerOne! The adrenaline I felt when I found my first vulnerability has been hard to replicate, and I have kept searching for new issues in my free time. Before I moved past that initial excitement, I wanted to stop and write a bit about my journey into bug hunting so far, what it is, and advice on diving deeper into it (should the reader be so inclined).

For context, over the past couple of weeks I have been participating in a few bug bounty programs for fun and profit. These programs are started by companies large and small on platforms like HackerOne or BugCrowd (these two are the biggest players in town). Companies like Google, Facebook, and others do this to incentivize “ethical hackers” (hackers who use their powers for good, not evil) to find vulnerabilities in their software. Many of these programs focus on a company’s web presence, but a few also cover their API, mobile, and desktop apps.

I initially decided to start hunting after learning more about web vulnerabilities while playing and practicing for CTFs. I realized I was fairly good at solving this category of challenges given my background in building web applications and “cloud” infrastructure (an area toward which some of the more complex challenges head).

I am still far from the top of the bug bounty leaderboard, but a few resources along the way have been important in helping me grow my skills:

Once you’ve trained your skills up to a certain level and are aware of the different classes of bugs, I would suggest jumping right into searching for your first issue, along with your trusty friend Burp Suite. I decided to start my search by looking for bugs in an unpaid “Vulnerability Disclosure Program”. The private programs you should have been invited to as a result of playing the Hacker101 CTF could also be a good place to start. While some in the security community advise against bug hunting in programs without cash rewards (they argue it devalues security work), I found my first few bugs there. Oftentimes the fruit is lower-hanging, given that more experienced bug bounty hunters are poking at applications with large cash rewards.

After finding my first bug on HackerOne, the snowball of invites seems to have kept rolling.

On that note, I have thought a bit more about how to continue to sharpen my skills. In particular, I have been watching the livestreams of a few successful bug bounty hunters, including @NahamSec and Jason Haddix. They stream their “recon” process for discovering web assets that a company owns as well as the tools they use to perform common tasks. Their interactions with viewers have also been quite useful to see, in particular when someone asks “why didn’t you try it this other way?”. Another way I’ve been enjoying my new hobby is by reading new reports on HackerOne. When a company fixes an issue that a bug hunter finds, they will often agree to disclose the report so that others in the community can learn from the findings. I’m actively looking for new ways to learn more about the space, and I think the importance of continued learning and the friendliness of the community have succeeded in pulling me in.

Until next time, happy hacking!