The ABCs of Bug Bounty Hunting
Bug bounty is one of the cyber security trends that has reached the popular press and even the layman's vocabulary. Not everyone knows what it means or what happens behind the scenes; most people are more familiar with the word "bug" than with the full phrase "bug bounty". Let us go through the basics.
What is Bug Bounty?
A bug bounty is a reward offered to security researchers, developers or anyone else for finding and reporting security vulnerabilities in software. The bounty could be a monetary reward, a mention in a "Hall of Fame" list, merchandise from the company, or any combination of these. Monetary rewards typically range from hundreds to thousands of dollars depending on the impact and severity of the vulnerability.
Bug bounties are deals that organisations, websites and software developers offer to individuals for reporting bugs that amount to security vulnerabilities or exploits. The term is slightly a misnomer: bounties aren't awarded for every bug that is found, only for bugs that have a security impact on the users of the application.
Bug bounty programs are growing rapidly. The public bug-bounty platform Bugcrowd reported that the vulnerabilities found through its platform prevented up to $8.9 billion in cybercrime in 2019. Another statistic from the same report is an 83% increase in the number of hackers from India, much higher than for any other country.
Misconceptions about Bug Bounty
A common misconception about bug bounty is that a strong background in coding, programming and/or computer science is needed to be a bug bounty hunter. Such a background is helpful, but it is not a prerequisite. The fundamentals of these fields can be learnt on your own.
Another misconception is that bug bounty lets you earn a lot of money in a short span of time, which is rarely the case. It can take days, weeks or sometimes months before you find your first bug, and that is just the first step. Becoming a proficient bug hunter takes a lot of invested time. You'll need the drive to learn something new every day, and a curiosity that pushes you to explore on your own.
Choosing your Path
Before you begin to learn, there is a choice you need to make. Bug bounty is largely spread across two areas:
- Web Application Security Testing
- Mobile Application Security Testing
As the names suggest, one deals with bugs found in web applications and the other with bugs in mobile applications. The choice you need to make is which of these fields you'll work in. It depends on your area of interest, but many people move into web security, as it is felt to be the easier of the two. Understand both paths and the differences between them before committing to one.
What should you Learn?
Learning to find bugs requires a wide range of knowledge, but the basics stay the same for all kinds of bugs. A good place to start is the fundamentals of computer networking, which underpins almost every kind of security vulnerability: inter-networking, IP and MAC addresses, and the OSI and TCP/IP stacks.
Since bug hunting deals mainly with security issues, you need to know the kinds of things that can go wrong when a client device talks to a server, which is the situation in both web and mobile applications. Once you're done with the basics, you can move on to field-specific areas depending on whether you've chosen to hunt in web or mobile applications.
For web application security testing, you need an understanding of web programming and of the protocols involved: HTTP, FTP and TLS among others. Knowledge of a few programming languages also helps.
For mobile application testing, a mandatory prerequisite is learning how mobile applications store their data on the device. Beyond that, you need familiarity with the tools used to build mobile applications, both native and cross-platform: Android Studio, Kotlin and React Native, among others.
Now that you know what to learn, where do you find it? On the web, of course. There are a lot of books and videos available online. While not all of them are free, there are online courses on many of these topics for those willing to go the extra mile.
Here are a few resources:
- Introduction to Bug Bounty Hunting – EvilHoursX – EvilWeek Recorded Session
- Hackersploit – YouTube channel
- Web Hacking 101 – book by Peter Yaworski
- IppSec – YouTube channel
- Breaking into Information Security – book by multiple authors
- LiveOverflow – YouTube channel
- The Web Application Hacker’s Handbook – book by Dafydd Stuttard and Marcus Pinto
- Nahamsec – YouTube channel
- Crypto 101 – book by Laurens Van Houtven
- Stok – YouTube channel
Tips to Finding Your First Bug
Now that you know what to learn, all that is left is to find some bugs. The first decision is which platform you're going to work on. There are a lot of public platforms available, such as HackerOne, Bugcrowd, Cobalt and Synack. Bug bounty hunting rewards experience, so a good way to begin is to pick a program with fewer experienced hunters, to avoid competing head-on with them.
The best way to earn some recognition is by starting with unpaid programs. While they won't earn you money, they earn you points and recognition, which matter more in the early stages of your career. Such recognition also increases your chances of being invited to private, paid programs.
Here are some tips to help you find your bug and move ahead in your bug bounty career:
- Submit bugs to public programs first. This is the most direct way to earn recognition.
- Don’t spam. Spamming reduces your points.
- Be polite and courteous. Behaving rudely might get you banned and prevent you from receiving any private invites.
- Begin by looking into all kinds of bugs. This helps you find your niche and gives you a good idea of what comes naturally to you.
- Then start hunting the classes usually considered the easiest to begin with, such as Cross-Site Scripting (XSS), Insecure Direct Object Reference (IDOR), Cross-Site Request Forgery (CSRF), race conditions and information disclosure, and work on one class at a time: trying to learn several at once gets them confused with each other and makes things harder.
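The tips above name IDOR and XSS as starting classes. The following is an added example, not code from the original article, showing what these two bugs look like in a minimal invoice-lookup endpoint, the hardened form beside the vulnerable one, and the probes a hunter would run to detect them. The endpoint, the accounts (alice, bob), the session tokens and the invoice data are all constructed sample values, and the functions are in-memory stand-ins for an HTTP handler.

```python
# Added illustration (not from the original article): a vulnerable and a
# hardened version of an "invoice lookup" endpoint for two of the bug
# classes named above, IDOR and reflected XSS, plus the probes a hunter
# would run against them. Users, sessions and invoices are constructed
# sample values; the "endpoint" is an in-memory function, not a real server.
import html

# Constructed sample data: two accounts, each owning one invoice.
INVOICES = {
    101: {"owner": "alice", "amount": "120.00"},
    102: {"owner": "bob", "amount": "85.50"},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def invoice_vulnerable(session_token, invoice_id, note):
    """IDOR + reflected XSS: trusts the client-supplied id and echoes 'note' raw."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, "login required"
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, "no such invoice"
    # BUG 1 (IDOR): never checks that inv['owner'] == user.
    # BUG 2 (XSS): 'note' is interpolated into HTML without encoding.
    return 200, f"<p>Invoice {invoice_id}: {inv['amount']} ({note})</p>"


def invoice_hardened(session_token, invoice_id, note):
    """Same endpoint with an ownership check and output encoding."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, "login required"
    inv = INVOICES.get(invoice_id)
    # Return 404 (not 403) for someone else's id, so the endpoint does not
    # confirm which ids exist; a 403 here would be a small information leak.
    if inv is None or inv["owner"] != user:
        return 404, "no such invoice"
    return 200, f"<p>Invoice {invoice_id}: {inv['amount']} ({html.escape(note)})</p>"


def idor_probe(endpoint):
    """The standard two-account test: request every id while logged in as the
    other account. Returns (user, id) pairs the user could read but does not own."""
    leaked = []
    for token, user in SESSIONS.items():
        for inv_id, inv in INVOICES.items():
            if inv["owner"] == user:
                continue  # own object, expected to be readable
            status, _ = endpoint(token, inv_id, "x")
            if status == 200:
                leaked.append((user, inv_id))
    return leaked


# Canary containing the characters that must be encoded in an HTML context.
XSS_CANARY = '"><img src=x onerror=alert(1)>'


def xss_probe(endpoint):
    """Send the canary in the reflected parameter and check whether it comes
    back unencoded. Returns True if the endpoint reflects it raw."""
    status, body = endpoint("sess-alice", 101, XSS_CANARY)
    return status == 200 and XSS_CANARY in body


if __name__ == "__main__":
    print("IDOR vulnerable:", idor_probe(invoice_vulnerable))  # [('alice', 102), ('bob', 101)]
    print("IDOR hardened:  ", idor_probe(invoice_hardened))    # []
    print("XSS  vulnerable:", xss_probe(invoice_vulnerable))   # True
    print("XSS  hardened:  ", xss_probe(invoice_hardened))     # False
```

The two probes are the same ones you would run by hand against a real target: two accounts you control for IDOR (swap the object id, not the session), and a canary string for XSS (check the raw response body for the unencoded canary before worrying about a working payload). Note that the hardened handler answers a foreign id with 404 rather than 403, so a hunter enumerating ids learns nothing about which ones exist.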
Sticking with Bug Bounty
Bug bounty hunting, like any other field of cyber security, is not as easy as it sounds. You need to be knowledgeable about the kinds of bugs you are hunting. As cybercriminals find new tricks, you need to stay updated on advances in technology and the new vulnerabilities and security flaws that come with them. The only way to stay at the top of your game is to keep practising and never lose touch with what's happening in the field.
Interested in knowing more about bug bounty and how to find bugs? We have more to offer through our ethical hacking coaching. To learn more in the field of cyber security, join our ethical hacking training program, where you learn by working on real-world engagements as part of our ethical hacking internship.
Contributors : Labeeb Ajmal, Basil Gafoor