What exactly is a Bug Bounty program?
A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse.
Companies set up a bug bounty program and supply information about what they want researchers to look at; if you find a valid vulnerability you report it to them and hope to receive a reward in return. Companies can choose to reward you with reputation points on bug bounty platforms, swag, or sometimes even money. If they don't reward anything at all, it is a vulnerability disclosure program.
Different types of programs
Vulnerability Disclosure Program (VDP)
Typically these programs are public and reward you with points and nothing more, although some VDPs are private. Most people starting in bug bounties are told to begin with VDPs to 'learn the ropes' and build 'rep' (reputation) in order to receive private invites that pay. What many researchers don't realise is that some companies running a VDP also have a paying program; it is just private and invite-only.
With that said, not all companies are able to run more than a VDP, for a variety of reasons such as being a charity. Just because a company runs a VDP doesn't mean you should ignore it; be mindful about who you are working with and why they run a VDP, then decide whether to spend time on their program. Practising on VDPs is a great way to get first-hand experience of what it's like to participate in bug bounties and hack blindly on real-world websites. It is also not unheard of to be invited to a company's paying program after "impressing" them in their VDP, but whether that is worth it depends on your own risk vs. reward assessment. You're the shot caller.
-
Public Bug Bounty Program
A public bug bounty program, such as Google's or Facebook's, is open to the world and rewards money. There are LOTS of public bug bounty programs out there and some even have wide scopes. You can discover public programs from Disclose.IO, but also make sure to search on Google to find more companies that welcome hackers. You can find Google dorks below to help find programs.
Most people are under the illusion that just because a program is public that there will be nothing to find. False! New code and new features are pushed daily, especially if it's a large company spanning across the world!
You also have to consider that if most researchers avoid these programs because they think too many eyes are on them, then surely there aren't as many eyes as they think? Get creative, there are bugs out there.
-
Private Bug Bounty Program
Typically most private invites you receive will be to paying programs, but not all private programs pay. You can usually customise your invite preferences on bug bounty platforms to filter paying private programs from non-paying ones. Researchers are usually invited to private programs after showing some activity on the platform, such as a certain number of valid bugs, a certain rep/signal/impact value, and activity within the last x days.
You may hear some researchers refer to "VIP" and "secret" programs; these are programs set up by certain companies to work only with hackers they select. There are usually no public criteria for joining one of these; you are mostly selected based on your activity on their other program(s) and your skill.
Finding bug bounty/vulnerability disclosure programs
inurl:responsible disclosure
"report security vulnerability"
"vulnerability disclosure"
"responsible vulnerability disclosure"
disclose vulnerability "company"
"powered by hackerone" "submit vulnerability report"
indesc:bug bounty|vulnerability disclosure
inurl:"bug bounty"
"vulnerability reward"
white hat program
"vulnerability reporting policy"
inurl:responsible-disclosure-policy
security.txt is a proposed standard (since published as RFC 9116) which lets websites define their security policy: it gives organisations a standard place to describe how security researchers should disclose vulnerabilities to them.
It really is as simple as: when looking for a company's security contact, check https://www.example.com/.well-known/security.txt (older deployments may still serve it at https://www.example.com/security.txt, the legacy top-level location).
You can even automate scanning for this file to discover programs.
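A small scanner for this, added here as an example and not code from the original guide: it parses a security.txt file into its RFC 9116 fields, flags the things a researcher should notice before trusting it (missing Contact/Expires, an expired file, a Contact that is not a mailto:/https:/tel: URI), and includes an optional fetch helper that tries the standard location before the legacy one. The sample file below is constructed for the example and does not belong to any real company.

```python
"""Discover and sanity-check security.txt files (RFC 9116).

Added example for this guide, not the author's tooling. parse_security_txt()
and check_security_txt() work offline on the constructed sample below;
fetch_security_txt() is the only part that touches the network.
"""
import re
import urllib.error
import urllib.request
from datetime import datetime, timezone

# RFC 9116 requires Contact and Expires; the rest are optional.
REQUIRED_FIELDS = ("contact", "expires")
CONTACT_SCHEME = re.compile(r"^(mailto:|https://|tel:)", re.IGNORECASE)

# Constructed sample file (not a real organisation's security.txt).
SAMPLE = """\
# Example security.txt, constructed for this guide
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00.000Z
Policy: https://example.com/.well-known/disclosure-policy
Acknowledgments: https://example.com/hall-of-fame
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
"""


def parse_security_txt(text):
    """Return {field_name_lowercase: [values...]} in file order.

    Blank lines and comments are skipped. If the file is PGP clearsigned,
    parsing stops at the signature block so the armour is not read as fields.
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if not line or line.startswith("#") or line.startswith("-----"):
            continue
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(fields):
    """Return a list of problems worth knowing before relying on the file."""
    problems = []
    for required in REQUIRED_FIELDS:
        if required not in fields:
            problems.append(f"missing required field: {required}")
    for contact in fields.get("contact", []):
        if not CONTACT_SCHEME.match(contact):
            problems.append(f"contact is not a mailto:/https:/tel: URI: {contact}")
    now = datetime.now(timezone.utc)
    for expires in fields.get("expires", []):
        try:
            when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"unparseable Expires value: {expires}")
            continue
        if when <= now:
            problems.append(f"file expired on {expires}")
    return problems


def fetch_security_txt(host, timeout=10):
    """Try the RFC 9116 path first, then the legacy top-level path.

    Returns (url, text) for the first 200 response served as text/plain,
    or (None, None) if neither location answers.
    """
    for path in ("/.well-known/security.txt", "/security.txt"):
        url = f"https://{host}{path}"
        req = urllib.request.Request(url, headers={"User-Agent": "security-txt-check"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                ctype = resp.headers.get("Content-Type", "")
                if resp.getcode() == 200 and "text/plain" in ctype:
                    return url, resp.read().decode("utf-8", "replace")
        except (urllib.error.URLError, OSError):
            continue
    return None, None


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE)
    print("contacts:", parsed.get("contact"))
    print("problems:", check_security_txt(parsed) or "none")
```

To scan a list of hosts, loop over `fetch_security_txt(host)` and feed each hit through `parse_security_txt` and `check_security_txt`; a file that fails the checks is still a lead, it just means the company's process may be neglected.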
Examples:
HackerOne.com
— The most well known bug bounty platform, with the largest directory of programs. HackerOne also offers regular CTF competitions and live events for its hackers, and there really is something for everyone. There has been public discussion about the poor experience with HackerOne mediation as of late 2021. - Public registration | PayPal, Bank Transfer
Bugcrowd.com
— The second most well known bug bounty platform, with some interesting programs. Bugcrowd is well established in the bug bounty community and as of late 2021 has made considerable improvements to the platform, with new features to improve the researcher experience. Bugcrowd should be on your watch list for 2022! - Public registration | Bank Transfer
YesWeHack.com
— A bug bounty platform based in France. This platform mainly caters to those residing in Europe and does not offer as many programs as the other platforms; however, many users have reported having a good time there and being looked after. - Public registration | Bank Transfer
Intigriti.com
— An up-and-coming bug bounty platform based in Belgium which offers a variety of programs. Intigriti is also very engaged with the hacker community, and it shows that they care about their members. - Private registration | PayPal
Synack.com
— To join Synack you must have an interview and pass a technical assessment. Synack also requires the use of their VPN when testing, which can be intrusive to your workflow, and it has been mentioned a lot that their VPN goes down frequently. However, Synack does have a large number of interesting programs that many have had great success on.
Quick tips to help find your first bug
So you've learnt to hack via challenges, you know what a bug bounty program is and you understand the different types available. You're ready to get stuck in, but sadly one thing we can't advise you on is which program to look at. One big hurdle people struggle to overcome is finding a program to spend their time on, and sadly this is something out of most people's control, especially if you are new and don't have access to as many programs as others.
But there is something we can advise on: hacking, and using your hacking knowledge to find your first bug. Below are some tips and things you can try to help you discover your first bug.
- Don't try too much & set goals!
It is very easy to think of lots of different vulnerabilities to try and to overlook the simple things. I've done it, we've all done it, and we'll all probably carry on doing it! Set yourself a goal as to what type of vulnerability you wish to find and spend time learning the ins and outs of your chosen target. The more you learn, the more you will begin to see it from a different view, a hacker's view.
Some examples:
The program has a wildcard scope with multiple domains in scope. Spend the day testing the login flow on each website that offers account functionality, and test common login-flow bugs such as OAuth misconfigurations.
The program has a wildcard scope with multiple domains in scope. Don't just test their websites from your country! Change your location and test different regions, as sometimes a different codebase is used (different teams etc.).
A lot of websites use robots.txt. Go and scan their robots.txt files from the past 5+ years using the Wayback Machine. The Wayback Machine has indexed old versions of websites and contains lots of valuable data.
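The robots.txt tip above, worked through as an added example (not the guide author's own tooling): it pulls the distinct historical captures of a site's robots.txt from the Wayback Machine's CDX API, then reports the Disallow/Allow/Sitemap paths that appeared in older captures but are gone from the newest one, which are exactly the "forgotten" endpoints worth probing. The snapshot history used below is constructed for the example; only list_snapshots() and fetch_snapshot() talk to the real archive, and the CDX parameter names they use are the documented ones (url, output, fl, filter, collapse, from).

```python
"""Mine dropped robots.txt paths from Wayback Machine history.

Added example for this guide. parse_robots_paths() and
paths_dropped_over_time() run offline on the constructed snapshots below;
list_snapshots() and fetch_snapshot() query web.archive.org.
"""
import json
import urllib.parse
import urllib.request

CDX = "https://web.archive.org/cdx/search/cdx"


def parse_robots_paths(text):
    """Return the set of values named on Disallow/Allow/Sitemap lines."""
    paths = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if key.strip().lower() in ("disallow", "allow", "sitemap") and value.strip():
            paths.add(value.strip())
    return paths


def paths_dropped_over_time(snapshots):
    """snapshots: list of (timestamp, robots_text), oldest first.

    Returns {path: timestamp_last_seen} for every path that appears in an
    older capture but not in the newest one.
    """
    if not snapshots:
        return {}
    current = parse_robots_paths(snapshots[-1][1])
    last_seen = {}
    for timestamp, text in snapshots[:-1]:
        for path in parse_robots_paths(text):
            if path not in current:
                last_seen[path] = timestamp   # later captures overwrite earlier ones
    return last_seen


def list_snapshots(host, since="2017"):
    """Return timestamps of distinct 200-OK captures of host/robots.txt."""
    params = {
        "url": f"{host}/robots.txt", "output": "json", "fl": "timestamp,digest",
        "filter": "statuscode:200", "collapse": "digest", "from": since,
    }
    with urllib.request.urlopen(f"{CDX}?{urllib.parse.urlencode(params)}", timeout=30) as r:
        rows = json.load(r)
    return [row[0] for row in rows[1:]]            # row 0 is the column header


def fetch_snapshot(host, timestamp):
    """Fetch the raw archived file; the id_ flag suppresses the Wayback toolbar."""
    url = f"https://web.archive.org/web/{timestamp}id_/https://{host}/robots.txt"
    with urllib.request.urlopen(url, timeout=30) as r:
        return r.read().decode("utf-8", "replace")


def history_from_archive(host, since="2017"):
    """Network version: build the (timestamp, text) list and diff it."""
    snaps = [(ts, fetch_snapshot(host, ts)) for ts in list_snapshots(host, since)]
    return paths_dropped_over_time(snaps)


# Constructed history for an imaginary site (not real captures).
SAMPLE_SNAPSHOTS = [
    ("20170301000000", "User-agent: *\nDisallow: /admin/\nDisallow: /old-api/v1/\nDisallow: /staging/\n"),
    ("20190301000000", "User-agent: *\nDisallow: /admin/\nDisallow: /old-api/v1/\nDisallow: /internal-reports/\n"),
    ("20220301000000", "User-agent: *\nDisallow: /admin/\nSitemap: https://example.com/sitemap.xml\n"),
]

if __name__ == "__main__":
    for path, ts in sorted(paths_dropped_over_time(SAMPLE_SNAPSHOTS).items()):
        print(f"{path}  (last seen {ts[:4]})")
```

Run `history_from_archive("target.example")` against an in-scope host to get the same report from real captures; a dropped path that still answers with something other than 404 today is a good first thing to look at.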
- Scan & find as much as possible
Old files exist on old servers, even on well-established public programs. Subdomains come up and down all the time. New files appear daily. Spend time understanding what's in scope and begin finding and mapping as much information as possible. Just because a subdomain shows you a 404 error doesn't mean there isn't an "admin.php" on it, or that it won't come online one day. Your recon can never be complete, and you should always be hunting with the overall aim of automating the scanning process.
- What's been disclosed?
If the bug bounty program you've chosen to participate in has disclosed any vulnerabilities, what were they? How long ago were they found? Was it a special bypass, or a simple, straightforward XSS? How was it fixed? Ask yourself all these questions and use others' kindness in sharing as your starting point for testing.