How to Get Started into Bug Bounty | Complete Beginner Guide

How to Get Started into Bug Bounty | Complete Beginner Guide

Bug Bounty | Ananya Chatterjee

Ananya Chatterjee's photo
Ananya Chatterjee
·

3 min read

What is Bug Bounty?

If you go to Google Baba & Search What is Bug Bounty you will get : A reward offered to a person who identifies an error or vulnerability in a computer program or system Identification and reporting of bugs and vulnerability in a responsible way.

What to study?

  • Internet, HTTP, TCP/IP
  • Networking
  • Command-line
  • Linux
  • Web technologies, java-script, PHP, java
  • At least 1 programming language (Python/C/JAVA/Ruby..)
  • Owasp top 10

Choose your path:

  • Web Pentesting
  • Android Application Pentesting
  • IOS Application Pentesting Books:

For Web:

  • Web app hackers handbook
  • Web hacking 101
  • Mastering modern web pen testing
  • Bug Bounty Playbook
  • Real-World Bug Hunting
  • OWASP Testing Guide.

For Mobile:

  • Mobile application hacker’s handbook

Types of Bug Bounty program:

  • Only Hall of Fame
  • Hall of Fame With Certificate of Appreciation
  • HoF with Swags / only Swags
  • Hall of Fame with Bounty
  • Only Bounty

Bug Bounty Program:

  • Open For Signup
  • Hackerone
  • Bugcrowd
  • hackenproof
  • Bugbountyjp
  • Intigriti
  • Open Bug Bounty

Points To Remember

  • Choose wisely (Initially, don’t think about bounties)
  • Select a bug for the hunt
  • Exhaustive search
  • Not straight forward always

Report Writing/Bug Submission:

  • Create a descriptive report.
  • Follow responsible disclosure policy.
  • Create POC and steps to reproduce

Sample format of the report:

  • Vulnerability Name
  • Vulnerability Description
  • Vulnerable URL
  • Payload
  • Steps to Reproduce
  • Impact
  • Mitigation

Vulnerabilities Priorities:

  • P1 -Critical: Vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote code execution, financial theft, etc.
  • P2 -High: Vulnerabilities that affect the security of the software and impact the processes it supports.
  • P3 -Medium: Vulnerabilities that affect multiple users and require little or no user interaction to trigger.
  • P4 -Low: Vulnerabilities that affect singular users and require interaction or significant prerequisites to trigger (MitM) to trigger.
  • P5 -Informational: Non-exploitable vulnerabilities in functionality. Vulnerabilities that are by design or are deemed an acceptable business risk to the customer.

Looking for more programs using Google Dorks

  • inurl:”bug bounty” and intext:”€” and inurl:/security
  • intext:bounty inurl:/security
  • intext:”BugBounty” and intext:”BTC” and intext:”reward“
  • intext:”BugBounty” and inurl:”/bounty” and intext:”reward

Words of wisdom:

  • PATIENCE IS THE KEY, takes years to master, don’t fall for overnight success
  • Do not expect someone will spoon feed you everything.
  • Confidence
  • Not always for bounty
  • Learn a lot.
  • Won’t find at the beginning, don’t lose hope
  • Stay focused
  • Depend on yourself
  • Stay updated with InfoSec world
hackingBugs and Errors#cybersecurityHashnodeTutorial