Little experience in bugbounty hunting

Hello friends, hope you are doing well. Yesterday, I went to the LinuxChix India meetup. I found some people interested in the magic bug bounty hunters do in finding security loopholes, so I am sharing some resources as well as my experience. Oh, let me introduce myself: my name is Abhishek Bundela, an undergraduate from Shri Mata Vaishno Devi University. I do bug bounty for the feeling of excitement and, of course, for the cash. Currently, I am learning Android app testing. You can find me on Twitter. My HackerOne handle is encrypt.

My senior Aditya Agarwal introduced me to bug bounty. Thanks, sir jee. I spent 6 months testing vulnerable web apps and reading The Web Application Hacker's Handbook and the OWASP Testing Guide. After that I thought it was the right time to start testing some real-world applications. Weeks went by without finding a single bug, since I was targeting the big boy (Facebook). After defeat at Facebook, I selected a new program on Bugcrowd. I submitted my first bug on Bugcrowd to Smartsheet. Yup, it was a duplicate, but I was happy since I got my first Hall of Fame from Smartsheet. I submitted some more bugs to other programs, but all were duplicates. At that point, I felt something was going wrong. I took a break from bug bounty and decided that I would submit bugs to old programs, since I had been submitting bugs to new programs and I was not as fast as other successful bug hunters. After some time, I started to look for some programs on HackerOne. I submitted a bug to a private program on HackerOne, it got accepted, and they paid me a $125 bounty!!! The feeling was amazing. I started digging more and more and got cool bounties. Sometimes I got duplicates; I would be lying if I said that dupes don't affect me. Ya, dupes are a pain, but that's how bug bounty works; sometimes time defeats us. Time teaches us a lesson: use your time efficiently (be accurate and fast). Try to automate as much as possible, so you don't find yourself doing repetitive tasks.

Time to share some resources. There are a lot of resources about bug bounty hunting on the web. I suggest following cool infosec people on Twitter. You will learn a lot from these smart people. They share their bug hunting tactics, their achievements (bounties, swag, HoF) and cool jokes. Here is something I believe is worth sharing.

How to Build a Successful Information Security Career ?
https://danielmiessler.com/blog/build-successful-infosec-career/#gs.wARu9Ks

How to become bugbounty hunter ?
https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102
https://www.quora.com/How-does-one-become-a-bug-bounty-hunter
https://www.hackerone.com/blog/become-a-successful-bug-bounty-hunter

Best Bugbounty hunter’s AMA : https://bugbountyforum.com/blogs/

What are the ways in which a bug can be discovered in bug bounty program ?
https://www.quora.com/What-are-the-ways-in-which-a-bug-can-be-discovered-in-bug-bounty-program

Pete hacking resources : https://www.torontowebsitedeveloper.com/hacking-resources

Learn, Build and Break !!! Stay tuned for next post.

Stay safe,

Thanks