New to bug bounty hunting?

Bug Bounty is a term for the activity of finding vulnerabilities or exploits in major vendor or web applications. However, the activities referred to in this book will focus solely on finding bugs in web applications such as Facebook, eBay, or Gmail, among other companies that have bounty programs.

In theory, during a pen testing exercise, organizations such as Google or Facebook should be able to find all major bugs as part of their development life cycle, but even when this is properly done, it does not guarantee that the application will be free from major bugs. Bounty programs are a way to find those bugs that are not simple to discover and which might require intensive testing with a high dose of creativity.

Our Targets: The vulnerable applications

Pen testers who are willing to spend their free time (yes, free time, or full time if you want to be a dedicated bug hunter) on bug bounty hunting have a deep desire to discover bugs no one has been able to find so far. Most bug hunters do this part-time since there is no guarantee you will get paid for the bug you found. The bug you catch has to be ‘highly priced’ and acknowledged by the organization in order to get paid good money for it.

This daunting activity is definitely not for the faint of heart. It can be very fruitful but also very frustrating. If you are new to bug bounty programs, our advice is to focus on having fun and to see this as a great opportunity to learn and become a ninja ZAP user. If you are having fun and learning during this activity, you will enjoy it much more, apart from the fact that maybe, just maybe, there is always a chance you will find a bug worth some dollar$.

Eye$ on the price

Keep in mind that the bugs we are looking for must match the bounty price the application owner is willing to pay. For example, Yahoo’s bounty program has clear specifications regarding which websites are part of the program and what kinds of bugs are eligible. Be sure to read the disclosure agreements related to the bounty program. Also, make sure to read the scope exclusions carefully. Finding bugs in applications that have already had a testing cycle is not easy. It can be very disappointing to find out that the bug you found won’t receive a bounty after you spent your entire weekend searching for bugs and declined that offer from that sexy neighbor to join her/him on Friday night or to have fun with your friends and family. Therefore, have a clear strategy, such as:

  • Understand the bounty scope
  • What kind of vulnerabilities should you focus on finding
  • Which web applications fall within the scope