The ABCs of Bug Bounty Hunting

One of the trends in the cyber security world that has reached a popular level and even to the dictionary of the layman is bug bounty. While not everyone is quite knowledgeable about its meaning and what happens behind the scenes, people have been acquainted with the word bug more than the entire phrase, bug bounty. Let us understand the basics of bug bounty.

What is Bug Bounty?

A bug bounty is a reward offered to security researchers, developers, or anyone else for finding critical flaws like vulnerabilities in software. The bounty could be a monetary reward, being mentioned in a “Hall of Fame” list or merchandise from the company or any combination of these. Rewards can range from hundreds to thousands of dollars depending on the impact and severity of the vulnerability. 

Bug bounties are deals that organizations, websites, and software developers offer to individuals for reporting bugs that pertain to security exploits and vulnerabilities. While the term refers to a bounty given for finding bugs, it is slightly a misnomer. Bug bounties aren’t awarded for every bug that is found but are actually kept for bugs that can cause security concerns for the users using the application.

Bug bounties are increasing exponentially and the public bug-bounty platform BugCrowd reported that they prevented up to $8.9 billion in cybercrime in 2019. Another interesting statistic they’ve reported is that there was a frightening increase in the number of hackers from India with 83%, much higher than any other country. 

Misconceptions about Bug Bounty

A common misconception about bug bounty is that a strong background in coding, programming, and/or computer science is needed to be a bug bounty hunter. While such a background is helpful, it is never a prerequisite. The fundamentals of these fields can be learned on your own.

Another misconception is that bug bounty allows you to earn a lot of money in a short span of time, which is hardly the case. It takes days, weeks or sometimes months before you barely find a bug and that is just the first step. Becoming a perfect bug hunter is something that takes a lot of time to be invested. You’ll need the drive to learn something new every day. You need a curiosity that drives you to learn new things and do some exploring on your own. 

Read More About Phishing Scams: A side effect of the coronavirus

Choosing your Path

Before you begin to learn, there is a choice you need to make. Bug bounty is majorly spread across two areas –

• Web Application Security Testing
• Mobile Application Security Testing

Just like the names, one of them deals with the bugs found in web applications and the other handles those in mobile applications. The choice you need to make is regarding which of these fields you’ll be dealing with. The choice depends on your area of interest, but a lot of people move into Web Security, as it is felt to be the easiest one among the two. Before choosing, you should understand both paths and what are the differences before you move into one of them.

To know more about the vulnerabilities occurring in web applications, you can give this one a read. For knowing those related to mobile applications, this is the one to read.

What should you Learn?

Learning to find bugs requires you to know about a wide range of information, but the basics stay the same for all kinds of bugs. A good place to start is getting to know about the fundamentals of certain topics. The topics, to begin with, are computer networking, which is the Holy Grail to finding any kind of security vulnerability, which is then topped up by the basics of inter-networking, IP and MAC Addresses, the OSI, and TCP/IP stacks.

Since finding bugs mainly deal with security issues, one needs to know about all kind of issues that can happen when devices are connected to a server, which is found in both Web and Mobile Applications. Once you’re done with the basics, you can move on to field-related areas depending on whether you’ve chosen to be a bug bounty hunter for web or mobile applications.

To move ahead with learning to test the security of web applications, an understanding of Web programming and protocols is needed. Once this is done, you’ll need to know about different protocols like HTTP, FTP, and TLS among others. Knowledge of different programming languages is also needed.

On the other hand, when it comes to finding bugs in mobile applications, a mandatory prerequisite is learning about how mobile applications store their data. Apart from this, knowledge of web application building tools like Android Studio, Kotlin, and React Native among others, both native and cross-platform tools.

Now that you know what to learn, where do you find it? On the web, of course. There a lot of books and videos available online. While not all of them are free, there are online courses on many of these topics for those who are willing to go the extra mile.

Here are a few resources:

• Introduction to Bug Bounty Hunting – EvilHoursX – EvilWeek Recorded Session
• Hackersploit  – YouTube channel
• Web Hacking 101 – book by Peter Yaworksi
• IppSec – YouTube channel
• Breaking into Information Security – book by multiple authors
• LiveOverflow  – YouTube channel 
• The Web Application Hacker’s Handbook – book by Dafydd Stuttard and Marcus Pinto
• Nahamsec  – YouTube channel
• Crypto 101 – book by Laurens Van Houtven
• Stok  – YouTube channel

Tips to Finding Your First Bug

Now that you know what to learn, all that is left is to do is to find some bugs. The first thing to do before finding a bug is to decide what platform you’re going to work on. There are a lot of public platforms available like HackerOne, BugCrowd, Cobalt and Synack. Bug bounty requires a  lot of experience and a good way to begin is by picking a program where the number of experienced hunters to avoid competition. 

The best way to earn some recognition is by starting with some unpaid programs. While they may not earn you any money, it helps you to earn some points and recognition which is more important in the early stages of your career. Such recognition also increases your chances to get invited to private, paid programs.

Here are some tips to help you find your bug and move ahead in your bug bounty career:

1. Submit bugs to public programs first. This is the only way to earn recognition.
2. Don’t spam. Spamming reduces your points. 
3. Be polite and courteous. Behaving rudely might get you banned and prevent you from receiving any private invites.
4. Begin by looking into all kinds of bugs. This helps you to find your niche and have a good idea of what comes naturally to you.
5. Start with the easiest bug classes like Cross-Site Scripting (XSS), Insecure Direct Object Reference (IDOR), Cross-Site Request Forgery (CSRF), Race Conditions and Information Disclosure. Looking into more than one class of bugs at a time gets you confused about each of them, making things difficult.

Read More About Privac

Sticking with Bug Bounty

Bug bounty like any other field of cybersecurity is not as easy as it sounds. You need to be knowledgeable about the kind of bugs you are hunting. With cybercriminals finding new tricks, you need to stay updated on all the advancements in technology and the new vulnerabilities and security flaws that come along with them. The only way to stay at the top of your game is by practicing and never losing touch with what’s happening around you in this field.

Contributors : Labeeb Ajmal, Basil Gafoor