Bug Bounty from Scratch - Francisco Javier Santiago Vázquez - E-Book


Description

Bug bounty programs help to enhance cybersecurity by incentivizing ethical hackers to discover vulnerabilities. This book is a comprehensive guide, equipping you with practical skills to excel in bug bounty programs and contribute to a safer digital ecosystem.
You’ll start with an introduction to the bug bounty world, followed by preparation techniques for participation, including vulnerability discovery methods, tools, and resources. Specific sections will provide you with tips and best practices to help you optimize rewards. The book also aims to cover fundamental aspects, such as program structure, key tools, methodologies, and common vulnerabilities, drawing insights from community hackers’ public reports. As you progress, you’ll discover that ethical hacking can be legally learned through bug bounty programs, gaining practical knowledge of offensive security and bug bounty platform operations.
By the end of this bug bounty book, you’ll have the confidence you need to navigate bug bounty programs, find security vulnerabilities, craft reports, and reap rewards.

You can read the e-book in the Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 294

Publication year: 2024




Bug Bounty from Scratch

A comprehensive guide to discovering vulnerabilities and succeeding in cybersecurity

Francisco Javier Santiago Vázquez

Bug Bounty from Scratch

Copyright © 2024 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Pavan Ramchandani

Publishing Product Manager: Prachi Sawant

Book Project Manager: Ashwin Kharwa

Senior Editor: Isha Singh

Technical Editor: Rajat Sharma

Copy Editor: Safis Editing

Proofreaders: Isha Singh and Mohd Hammad

Indexer: Hemangini Bari

Production Designer: Alishon Mendonca

DevRel Marketing Coordinator: Marylou De Mello

First published: June 2024

Production reference: 1300524

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB, UK

ISBN 978-1-80323-925-5

www.packtpub.com

I dedicate this book to you Valeria, the love of my life, my inspiration, my everything.

– Francisco Javier Santiago Vázquez

Contributors

About the author

Francisco Javier Santiago Vázquez is passionate about hacking, which makes his work more than just a profession: it is also a hobby and a philosophy of life. Throughout his career, he has collaborated with international clients across various sectors, including banking, finance, telecommunications, government agencies, training, and department stores. His work has taken him to countries such as Spain, Brazil, Colombia, Peru, the USA, Chile, Argentina, Uruguay, Mexico, the UK, France, and Canada. Francisco has experience coordinating red teams, managing SOC operations, and working as a pentester in offensive security to discover vulnerabilities.

In his free time, he enjoys immersing himself in nature by surfing, body surfing, going to the gym, practicing meditation, hiking, and mountain biking, whenever his research and training in offensive security allow him to do so.

About the reviewers

Mohammed Haji is an independent security researcher, pentester, and bug bounty hunter with over 9 years of experience. He has found 1,000+ vulnerabilities in the software of more than 200 companies including Apple, Facebook, Microsoft, and PayPal. He has also worked as a product security engineer at VMware and as an information security specialist/consultant for government clients in the Middle East.

Dr. Shifa Cyclewala, the CEO and director of Hacktify Cyber Security, holds an honorary Ph.D. in cyber security from a German university. She has been recognized for her contributions in the field, being awarded the Women Influencer of the Year in Cyber Security by BSides-Bangalore 2023 and noted as one of the Top 20 Women Influencers in Security 2021 by Security Today.

A member of the boards of education at various universities, Dr. Cyclewala is also the author of a best-selling bug bounty course on several e-learning platforms. She has showcased her expertise as a trainer and speaker at numerous international conferences such as GISEC Global, California Tech Summit, OWASP, BSides-Bangalore, Wicked6, SIFS, and more.

Passionate about promoting women in cyber security, she spearheads the Mumbai Chapter for World Wide Women in Cyber Security (W3-CS).

My deepest gratitude to my family, whose unwavering support fueled this journey. To my mentors, your encouragement kept me going, and to the community contributors for the continued guidance.

Dr. Rohit Gautam, the CISO and director at Hacktify Cyber Security, was awarded the Cyber Security Samurai of the Year award by BSides-Bangalore in 2023. He has discovered various zero-day exploits in modern open source and commercial software. Dr. Gautam is a member of the boards of education at various universities and the author of a best-selling bug bounty course on e-learning platforms. He has also served as a trainer and speaker at numerous international conferences such as GISEC Global, California Tech Summit, OWASP, BSides-Bangalore, and many more.

Additionally, he actively mentors armed forces and defense personnel and is a certified instructor for the National Security Database.

I extend my sincerest appreciation to my family for their unwavering support. To my mentors, your encouragement was instrumental, and to the community contributors, thank you for your invaluable guidance throughout this journey.

Table of Contents

Preface

Part 1: Introduction to the World of Bug Bounties

1

Introduction to Bug Bounties and How They Work

Bug bounty platforms

The state of the industry

How do bug bounty platforms work?

Benefits of these platforms

Summary

Further reading

2

Preparing to Participate in a Bug Bounty Program

Understanding the program rules

Why is it important to understand the rules of bug bounty programs?

What rules must be followed?

Learning about the company and its systems

Understanding the enterprise

Identifying critical systems

Knowing the technologies used

Identifying entry points

Assessing the current security posture

Acquiring technical skills

Selecting the right tools

Information-gathering tools

Vulnerability scanning tools

Vulnerability exploitation tools

Choosing the right tool

Maintaining ethics and integrity

Summary

Further reading

3

How to Choose a Bug Bounty Program

Choosing a bug bounty program

Types of programs

Public programs

Private programs

Vulnerability disclosure programs

Main platforms

Summary

Part 2: Preparation and Techniques for Participating in a Bug Bounty Program

4

Basic Security Concepts and Vulnerabilities

Threats and attacks

APTs

Malware and viruses

Phishing

Spoofing

DDoS attacks

Ransomware

Social engineering

Zero-day attacks

Brute-force attacks

Code injection attacks

Vulnerabilities

Software vulnerabilities

IoT vulnerabilities

Network vulnerabilities

Configuration vulnerabilities

Web application vulnerabilities

Zero-day vulnerabilities

Hardware vulnerabilities

Social vulnerability

Vulnerability management process

Exploits

Buffer overflow

Code injection

Zero-day attacks

XSS

RCE

Exploits and the Dark web

Patches and updates

Security vulnerabilities

Bugs and glitches

Enhancements and new functionality

Proper management of patches and updates

Security assessment

Identifying and quantifying system vulnerabilities and weaknesses

Evaluating the effectiveness of existing security controls and measures

Evaluating compliance with relevant security standards and regulations

Providing recommendations and corrective actions to improve security

Summary

5

Types of Vulnerabilities

Software vulnerabilities

Types of software vulnerabilities

Patches and updates

Shared responsibility

Audits, security testing, and bug bounties

Disclosed liability

Network vulnerabilities

Types of network vulnerabilities

Impact of vulnerabilities

Vulnerability assessments

Security practices

Proactive cybersecurity

Configuration vulnerabilities

Weak or default passwords

Excessive permissions and access

Unnecessary open services and ports

Lack of encryption

Weak security configurations

Updates and patches not applied

Lack of security audits

Insecure default configurations

Lack of MFA

Exposure of sensitive files and directories

Zero-day vulnerabilities

Secret discovery

Targeted attacks

Security threats

Patches and mitigations

Black market value

Hardware vulnerabilities

Spectre and Meltdown

Rowhammer

BadUSB

Malicious firmware

Attacks on IoT devices

Smart card attacks

Vulnerabilities in medical devices

Physical attacks

Side-channel attacks

Hacker toys

Social vulnerability

Phishing

Social engineering

Social network attacks

Infiltration of organizations

Online influence and disinformation campaigns

Privacy risks and publication of personal information

Summary

6

Methodologies for Security Testing

Methodologies for pentesting

Phases of a pentest

Reconnaissance

Vulnerability analysis

Exploitation

Post-exploitation

Report and recommendations

Validation and retesting

Guidance and recommendations based on my experience

Note-taking

JavaScript files also exist

Analyzing the API

File upload, winning horse

Summary

7

Required Tools and Resources

Security certifications

ExploitDB

Tools

Maltego

Burp Suite

Nmap

SQLmap

WhatWeb

Shodan

Gitrob

Google Dorks

WPScan

SecLists

Dirsearch

MobSF

Wireshark

Metasploit

Shellter

Aircrack-ng

Netcat

Mimikatz

John the Ripper

Sslscan

NmapAutomator

Distros for security

Kali Linux

Parrot Security OS

BlackArch Linux

BackBox

OWASP OWTF

Blogs

Training for bug hunters

YouTube channels

Summary

8

Advanced Techniques to Search for Vulnerabilities

A brief review of basic vulnerability search techniques

Exploring human errors

robots.txt

Wayback Machine

Information leaks

Google dorking

Subdomain takeover

GitHub

LFI

Advanced enumeration

Obtaining metadata

Scanning of domains/IPs/ports/versions/services

DNS analysis

Identification of services and technologies

Enumeration of files and directories

Enumeration of users

SSL analysis

Code injection

Application logic vulnerabilities or business logic flaws

SQL injection

XSS

RCE

Server-side request forgery

CSRF

IDOR

Privilege escalation

Practical example of privilege escalation

Horizontal privilege escalation

Vertical privilege escalation

Tools

Reverse engineering

Analysis of mobile applications

Summary

9

How To Prepare and Present Quality Vulnerability Reports

The structure of a vulnerability report

Examples of vulnerability reports

Using automation to create reports

Tips for preparing a report

Post-report documentation

Summary

Part 3: Tips and Best Practices to Maximize Rewards

10

Trends in the World of Bug Bounties

Increasing popularity of bug bounty programs

Diversification of program targets

Collaboration between companies and ethical hackers

Strengthening the relationship

Benefits of collaboration

Advances in tools and technologies

Automation and machine learning

Collaborative platforms and specialized tools

Impact on efficiency and speed of response

Big bugs

Intermediate bugs

Quick wins

Summary

11

Best Practices and Tips for Bug Bounty Programs

Tip No. 1 – Always be polite and courteous

Tip No. 2 – Sleep on it

Tip No. 3 – Don’t sell the bear’s skin before it’s hunted

Tip No. 4 – Read, read, and then read

Tip No. 5 – Add a POC and risk level

Tip No. 6 – Always keep learning and improving

Tip No. 7 – Use the ideal tool for each case

Tip No. 8 – Search for the forgotten

Tip No. 9 – Don’t be so quick to report

Tip No. 10 – Bug bounty as a hobby

Tip No. 11 – Be flexible

Tips for keeping up to date on offensive security

Tips for continuous improvement in offensive security

Tips for maintaining an ethical approach to offensive security

Summary

12

Effective Communication with Security Teams and Management of Rewards

Considerations

Clarity in policy

Open communication channels

Clear and detailed reports

Using professional language

Following program guidelines

Providing sufficient evidence

Explaining impact

Maintaining professionalism and respect

Following program updates

Prompt responses to requests for additional information

Soliciting feedback

Psychological management in bug bounty

Summary

13

Summary of What Has Been Learned

Introduction to Bug Bounty and How it Works

Preparation and Techniques for Participating in a Bug Bounty

How to Choose a Bug Bounty Program

Basic Security Concepts and Vulnerabilities

Types of Vulnerabilities

Methodologies for Security Testing

Required Tools and Resources

Advanced Techniques to Search for Vulnerabilities

How to Prepare and Present Quality Vulnerability Reports

Trends in the World of Bug Bounty

Best Practices and Tips for Bug Bounty

Effective Communication with Security Teams and Management of Rewards

Predictions on the future of bug bounty

Conclusion

Index

Other Books You May Enjoy

Preface

The world of cybersecurity is vast and constantly evolving. Amidst this landscape, bug bounty programs have emerged as a powerful tool for both companies looking to strengthen their security and professionals who wish to test and expand their skills. Bug Bounty from Scratch was born out of the need to provide a comprehensive and accessible guide for those who wish to enter this exciting field from the ground up.

As the author of this book, I have witnessed the growing interest in bug bounty programs and the opportunities they offer for individuals from diverse backgrounds. My own motivation for writing this work comes from the combination of years of cybersecurity experience and a passion for sharing knowledge. I have observed how bug bounty hunters can not only help protect global digital infrastructure but also build successful and rewarding careers in the process.

In Bug Bounty from Scratch, we will address everything from basic concepts to advanced techniques through a series of structured and practical chapters, which will provide you with the tools and strategies necessary to become effective and ethical bug hunters. You will find clear explanations, real examples, and practical exercises that will guide you step by step in your learning. In addition, I will share anecdotes and personal experiences that illustrate the challenges and rewards of this profession. My goal is for this book to be not only a source of technical knowledge but also an inspiration for you to pursue your goals with determination and confidence.

I hope you enjoy this journey as much as I have enjoyed creating it. May this book be the beginning of a journey full of discoveries, learning, and successes in the fascinating world of bug bounties.

Welcome to Bug Bounty from Scratch!

Who this book is for

This book is aimed at anyone interested in learning about bug bounties, from cybersecurity and ethical hacking enthusiasts to students and pentesters. It also aims to address the basics of these bug bounty programs, such as their structure, the main tools, certain methodologies, and the most common vulnerabilities, all from a practical point of view by analyzing public reports made by community hackers.

What this book covers

Chapter 1, Introduction to Bug Bounties and How They Work, describes what a bug bounty is. It is a reward program offered by an organization or company to security researchers who discover and report security vulnerabilities in their systems. You will be given an insight into bug bounties, as in recent years, bug bounty programs have experienced a boom.

Chapter 2, Preparing to Participate in a Bug Bounty Program, will encourage you to get started in the wonderful world of bug bounties. Participating in a bug bounty program can be an exciting and rewarding experience, but to be successful, you need to be prepared. In this chapter are some important considerations to keep in mind before you start looking for vulnerabilities in a bug bounty program.

Chapter 3, How to Choose a Bug Bounty Program, introduces you to bug bounty programs. These programs are available from a variety of companies and organizations. As the popularity of these programs grows, it can be difficult to know which program is the right one to participate in. In this chapter are some factors to consider when choosing a bug bounty program.

Chapter 4, Basic Security Concepts and Vulnerabilities, covers security, which is a critical aspect of any system or application and refers to the ability to prevent, detect, and respond to threats and attacks. Vulnerabilities are weaknesses in a system or application that can be exploited to compromise security. This chapter has some basic concepts of security and vulnerabilities.

Chapter 5, Types of Vulnerabilities, is where the different types of vulnerabilities will be discussed in depth. Vulnerabilities are weaknesses in a system or application that can be exploited by attackers to compromise its security. There are many different types of vulnerabilities, which can be classified according to their origin or the way in which they can be exploited. This chapter will discuss some of the most common types of vulnerabilities.

Chapter 6, Methodologies for Security Testing, looks at how the methodology to be followed for bug bounties is very important. Security testing is an essential part of bug bounty programs and the security management of any system or application. Security testing is performed to identify vulnerabilities in a system or application before they can be exploited by attackers. This chapter contains the steps of a basic methodology for conducting security testing.

Chapter 7, Required Tools and Resources, covers how, to participate in bug bounty programs, it is necessary to have certain tools and resources to help identify and report vulnerabilities in systems and applications. This chapter talks about some of the tools and resources most commonly used in bug bounty programs.

Chapter 8, Advanced Techniques to Search for Vulnerabilities, goes much deeper into vulnerabilities. The importance of combining several techniques and tools to find complex vulnerabilities and final recommendations are covered.

Chapter 9, How to Prepare and Present Quality Vulnerability Reports, emphasizes the importance of making a good report. We cover what a good structure for a vulnerability report looks like, the elements to be included, examples, tips, and so on.

Chapter 10, Trends in the World of Bug Bounties, contains general guidance on how to write an effective vulnerability report, what a good vulnerability report structure looks like, tips on how to write a vulnerability report, and so on.

Chapter 11, Best Practices and Tips for Bug Bounty Programs, gives a brief explanation of the importance of continuous improvement in offensive security and the importance of being updated in the field of offensive security.

Chapter 12, Effective Communication with Security Teams and Management of Rewards, provides an explanation of the importance of effective communication in IT security management and bug bounty management.

Chapter 13, Summary of What Has Been Learned, is a summary of everything you will have learned in the book. You will be able to see how you have progressed.

To get the most out of this book

You will need to have an understanding of the basics of computer science, networks, and systems.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “You can use DNS record lookup tools, such as nslookup or dig.”

A block of code is set as follows:

<?php
  $cmd=$_GET['cmd'];
  system($cmd);
?>

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “In the following screenshot, you can see the Shopify company tab on the HackerOne platform:”

Tips or important notes

Appear like this.

Disclaimer

The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Neither Packt Publishing nor the author of this book takes any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorization from the appropriate persons responsible.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you’ve read Bug Bounty from Scratch, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there: you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

Follow these simple steps to get the benefits:

Scan the QR code or visit the link below

https://packt.link/free-ebook/9781803239255

Submit your proof of purchase

That’s it! We’ll send your free PDF and other benefits to your email directly

Part 1: Introduction to the World of Bug Bounties

This first part of the book will be introductory; that is, it will familiarize you with everything to be found in the book. It will prepare you for all the chapters that follow.

This part has the following chapters:

Chapter 1, Introduction to Bug Bounties and How They Work

Chapter 2, Preparing to Participate in a Bug Bounty Program

Chapter 3, How to Choose a Bug Bounty Program

1

Introduction to Bug Bounties and How They Work

Congratulations! You are about to enter the wonderful world of ethical hacking, and more specifically, bug bounty programs. This book is a guide that goes from the basics to an advanced level on the topics involved in finding and reporting vulnerabilities for white-hat hackers and cybersecurity experts. Thanks to this book, you will be prepared to participate in bug bounty programs and know how to choose a bug bounty program to get involved with.

As you advance through the book, you will learn basic computer security concepts and the types of vulnerabilities. You will also learn methodologies, tools, and resources needed to discover bugs. With all these skills acquired, it’s time to become proficient with advanced techniques for finding vulnerabilities and how to prepare and submit quality vulnerability reports.

Finally, in the last part of this book, you will discover the current and future trends in the bug bounty world, as well as the best practices and tips to take advantage of and improve your skills every day. You will also learn how to communicate effectively with your security team, manage rewards, and get the most out of your work.

But first, this chapter describes to the reader what a bug bounty is, what platforms exist, how they work, and the state of the industry and its benefits.

In this chapter, we will cover the following topics:

Bug bounty platforms

The state of the industry

How do the programs work?

Benefits of these platforms

Bug bounty platforms

A bug bounty is a reward program offered by an organization or company to security researchers who discover and report security vulnerabilities in their systems. These programs are an effective way to improve the security of computer systems by rewarding those who discover and report bugs before they can be exploited by malicious attackers. Bug bounty platforms act as intermediaries between companies and bug hunters, facilitating the process of reporting and fixing security issues.

Bug bounty programs have begun to be used by companies outside the technology sector, including traditionally cautious organizations such as the U.S. Department of Defense.

Bug bounty programs are beneficial to companies because they allow them to leverage the expertise of hackers to find vulnerabilities in their code. By having access to a large community of hackers and testers, these programs increase the chances of detecting and fixing problems before cybercriminals can exploit them.

Bug bounty programs can be a valuable tool for improving a company’s public image. By implementing these programs, companies can demonstrate to their customers that they are aligned with security and have an advanced perspective on managing vulnerabilities in their systems.

Bug bounty programs are expected to continue to be popular in the future, as they have become a well-established practice in the industry today and will likely be implemented by all companies in the future. Bug bounty programs offer security researchers the chance to earn money and recognition for finding and reporting vulnerabilities in company software. Some hackers make it their full-time job, as all the money they earn provides them with a comfortable living, while for others it is a way to supplement their income. In addition, participating in these programs can be a great way to gain hands-on experience, similar to what happens with Capture the Flag (CTF), as well as working with top companies in the industry. You may be wondering what a CTF is. It is a type of competition where teams or participants are faced with a series of challenges that they must solve. The objective is to collect or solve as many flags in the shortest time possible to win the competition. Each challenge overcome provides a flag as proof of its resolution.

For example, working at a regular company, such as a cybersecurity startup or consulting firm, you are unlikely to be able to do penetration testing at giants such as Facebook, Apple or Google, but by participating in a bug bounty program you may have the opportunity to do so.

Bug bounty programs can give participants the opportunity to connect with members of a company’s security team and learn from them – but learn what and how? Well, learning from their experience is possible, since they work in the security department and manage hundreds of security reports for the company. On the other hand, you also learn in a practical sense, since you will test your skills in a legal and fun way. By participating in these programs, researchers can challenge themselves and test their skills against large companies and government agencies.

Bugcrowd and HackerOne are the most important bug bounty companies worldwide. These platforms work with their clients, which are large organizations, together with the expertise of hackers to help improve security. So, HackerOne acts as an intermediary providing infrastructure and communication between companies and hackers.

The most essential piece of a good bug bounty program, or any vulnerability reporting system, is the safety of the researchers; that is, those who report vulnerabilities to whom it may concern must be protected, legally or otherwise. To this are added the qualities of transparency and speed.

Before continuing, it is necessary to pause briefly so as not to confuse bug bounty work with penetration testing. Above all, if you come from the pentesting world, it is common to make mistakes and confuse terms, that is, to confuse the two types of work.

The differences between the two are as follows:

| Bug bounties | Penetration testing |
|---|---|
| Practitioners are given the freedom to prioritize the depth of evidence. | Ensures a standardized methodology that prioritizes breadth of coverage. |
| Less readily accepted for compliance. | More readily accepted for compliance. |
| Longer test durations ensure continuous coverage at different intensities. | Spot testing ensures an intense testing period. |
| Access to a large pool of experienced and knowledgeable professionals. | Uses fewer hand-selected testers for the target environment. |
| The cost of the service is based primarily on the vulnerabilities identified. | Cost of service is based on time spent evaluating the system. |
| Focuses primarily on deep technical vulnerabilities. | Provides feedback on people and process as well as technology. |
| Incentives for quality and severity of failures; that is, it pays more if a security failure of high criticality is found than one of low criticality. Payment-by-results model. | Incentivized by number of failures found. Pay-per-effort model, i.e. payment is based on the number of failures and not on quality. |
| Involves testing of more sophisticated vulnerability scenarios. | Involves testing of limited vulnerability scenarios because of the limited group of security researchers. |
| Very competitive environment. The one who reports a bug first gets the reward. | Not exposed to a competitive environment, which can affect quality of work. |
| Pricing is based on a pay-per-bug model. | Pricing is based on the basic report. |
| Creates a culture of openness and adoption of information security practices. | Creates a culture of fear and meeting compliance requirements. |
| Access to thousands of security researchers with diverse skill sets. | Limited group of security researchers. |

Table 1.1 – Differences between bug bounty programs and penetration testing

As you can see in the preceding table, there are multiple differences between the two worlds. The following section will provide an overview of the state of the bug bounty industry.

The state of the industry

It has been 28 years since the beginning of this phenomenon. In 1995, Netscape created the first bug bounty program as we know it today and decided to reward any security researcher who found and reported a security bug in the beta of its Netscape Navigator 2.0 browser.

The following figure presents the history of the adoption of bug bounty programs:

Figure 1.1 – The history of bug bounty programs

Today, bug bounty programs are a common practice among companies and organizations, both large and small. Many technology companies, such as Microsoft, Apple, and Facebook, have their own in-house bug bounty programs, while other companies use third-party platforms to administer their programs.

In the following screenshot, you can see Apple’s bug bounty program. Undoubtedly it is a great challenge and achievement to find security bugs in a giant corporation such as Apple:

Figure 1.2 – Apple bug bounty program

Let’s get an idea of the numbers and the scope of the market for bug bounty programs, as these have been booming in recent years. The HackerOne platform offers the following data on the year 2021:

- Bug bounty programs grew across all industries, increasing by 34% in 2021.
- Hackers reported 66,547 valid bugs in 2021: a 21% increase over 2020.
- The average price of a critical bug increased from $2,500 in 2020 to $3,000 in 2021.
- In the last year, the average vulnerability resolution time for the entire industry decreased by 19%: from 33 to 26.7 days.

Today, leading CISOs and security teams are leveraging the skills and experience of a professional and engaged hacker community as a core strategy for their security testing: knowing which vulnerabilities are being prioritized, how they are being fixed, and what value is being attributed to them can help them build or improve their security testing program.

Adoption of hacker-driven security programs is growing across all industries, with the total number of hacker-driven customer programs increasing by 34% in 2021, as shown in the following diagram:

Figure 1.3 – Adoption of hacker-powered security programs

In early 2022, a security researcher named satya0x won $10 million for discovering a vulnerability in the Wormhole cryptocurrency platform: https://portswigger.net/daily-swig/blockchain-bridge-wormhole-pays-record-10m-bug-bounty-reward.

The bounty was paid through Immunefi and is, at the time of writing, one of the largest bug bounties ever paid. While no other eight-figure reward has been awarded yet, there is a clear trend of increasing payouts. For example, another Immunefi user, pwning.eth, recently won $6 million for reporting a critical vulnerability in the Aurora cryptocurrency service: https://cointelegraph.com/news/aurora-pays-6m-bug-bounty-to-ethical-security-hacker-through-immunefi.

It’s turning into a real gold rush, as depicted in the following screenshot:

Figure 1.4 – Rewards paid through Immunefi

Exciting, isn’t it? But how do these platforms work? In the next part we will see how.

How do bug bounty platforms work?

Some of the most popular bug bounty platforms include the aforementioned HackerOne, Bugcrowd, Synack, Intigriti, Cobalt, Immunefi, and YesWeHack, among others. These platforms offer various tools and features to help companies manage their bug bounty programs, and allow bug hunters to find and report security issues effectively.

Bug hunters can register on these platforms and search for bug bounty programs that are a good fit for their skills and experience. Once they find a program that interests them, they can start looking for security issues and report them through the platform. Companies then review the reports and award bug bounties to the bug hunters for their work.

Bug bounty rewards vary by platform and program, but can be significant, reaching hundreds of thousands of dollars for finding critical vulnerabilities. In addition to financial compensation, bug hunters can gain recognition for their work and build their reputation in the security community.

All in all, bug bounty platforms are an effective way for companies to identify and fix security issues in their digital systems, while bug hunters can earn financial rewards and recognition for their work.

A bug bounty program usually begins with a statement from the company or organization setting out the terms and conditions of the program, including the type of vulnerabilities being sought and the rewards offered for each vulnerability discovered. These bounties can range from a few hundred dollars to tens of thousands of dollars, depending on the severity of the vulnerability as mentioned previously.

Once the program’s conditions have been established, security researchers can start looking for vulnerabilities in the company’s or organization’s systems. If a researcher discovers a vulnerability, they must report it to the company or organization through the channels specified in the program’s terms and conditions. The company or organization then verifies the vulnerability and determines whether it is valid and deserves a reward.

Before proceeding further, the steps of the security vulnerability notification process that is normally used by bug bounty platforms are detailed in the following figure:

Figure 1.5 – Steps in the security vulnerability reporting process

If the vulnerability is determined to be valid, the company or organization will pay a bounty to the security researcher. Often, the researcher is required to provide technical details about the vulnerability, as well as a proof of concept or additional information to help the company or organization remediate the flaw.

It is important to note that a bug bounty program is not a blanket licence to attack computer systems: the authorization it grants covers only the assets, techniques and conditions that the program's policy puts in scope. Security researchers must always comply with the company or organization's policies and terms of use, and must work collaboratively with the organization to report and remediate any discovered vulnerabilities. In some cases, companies may even sue researchers who violate the program's terms or damage computer systems.

It should be noted that some platforms do not pay rewards, but rather reward bug hunters with points. In addition to platforms, there are also multinationals such as Disney, for example, that do not pay directly. If you report a vulnerability, they offer you HackerOne points. I do not recommend participating in such programs because ultimately, you are working for free. I have never done it. There are people who do it because they get points on the platform. Those points are used to climb up in the rankings. But neither your ranking nor your points relate to the money you can earn each month.

Now let’s talk about platforms, more specifically HackerOne, perhaps the most popular one on the planet (although the other platforms are very similar).

On all platforms, there is usually a directory that gives the bounty hunter the information needed to decide which programs to audit and which to skip. It also details whether each program is public or private, how many reports have been submitted, and the means of payment, as shown in the following screenshot:

Figure 1.6 – Directory of programs on the HackerOne platform

Platforms such as HackerOne have an individual dashboard that shows the history of reports submitted and validated, the bounty hunter's reputation and badges obtained, and vulnerabilities that have already been fixed and are pending retest. Also, if a bounty hunter has a high reputation, they will likely be invited to private programs, as shown in the following screenshot:

Figure 1.7 – Eric’s (todayisnew) profile on HackerOne

You can find