While I was looking for ways to learn more about security without causing real-world damage or getting the feds knocking on my door, I started reading about bug bounties and gained more interest in doing them for a lot of reasons.  Not just the normal reasons like “they’re fun”, or “they’re a good learning experience”, or even “I could make money”.

Don’t get me wrong, those are all valid reasons, and it wouldn’t be wrong to assume they were mine too, but I had something simpler in mind:  this is a skill that has absolutely no barrier to entry beyond tenacity and the discipline to teach yourself some skills, and in return a bounty hunter can make a few bucks independent of any company or organization.  The notion of being able to use a useful skill independently appealed to me; it meant a form of independence.

How’d we get here (a brief history of sorts)

Without going into too much detail: companies are expected to deliver secure web applications to their customer base, but with far fewer staff than they have adversaries, independent researchers have proven useful in discovering vulnerabilities.

The challenge with independent researchers comes from multiple angles.  On one hand, a researcher working for free has no legal protection, and there are instances where a company may choose to prosecute a security researcher attempting to disclose vulnerabilities.

“On the other hand, there are researchers that argue that the value of software vulnerabilities often doesn’t get passed on to independent researchers who find legitimate, serious flaws in commercial software.” (Gray Hat Hacking, pg 24)

Preparation

After doing a bit of research, I will sum up what I know (thus far) about getting started on a bug bounty.  As usual on my blog, I have included links to many of the resources you will need for these adventures.  Regardless of your target and/or approach, here are a few things to keep in mind:

  • Get your computer set up (install a web application testing tool like Burp Suite or OWASP ZAP).
  • Configure your browser to use the tool as a proxy so that all of your web traffic is funneled through Burp (or ZAP).  I use Firefox and FoxyProxy.
  • Set up an account on the bug bounty site.  Some sites overlap in terms of which companies offer a bounty.  Your miles may vary.
  • Review the rules of engagement for each bounty.  Some will be more stringent than others, and some bounties require you to create an account on their site to test from.
  • Once you discover a vulnerability, disclose it with a sense of urgency.  Aside from the possibility of someone beating you to the punch, some companies may interpret your findings combined with a lack of disclosure as a form of extortion.  Not good for you, and not good for the community at large.

Resources

  • Bugcrowd
  • HackerOne
  • Zero Day Initiative
  • Facebook’s Bug Bounty Program
  • United Airlines (your ‘miles’ may vary)
  • OWASP ZAP
  • Burp Suite
  • FoxyProxy