After Two Months in Bug Bounty

First I wanna thank you all, I got more responses and appreciations than expected from the first write up.

So let’s begin; today is 63th day of being started learning. The journey is so awesome (if you have patience) yes good things take time. What I love is most is the community, I have never seen such an awesome community and me too want to be a part community, They are like they are welcoming us to the world of hacking. I am very much thankful to them. We can see many people who are teaching, are motivating and etc. without them for my case I wouldn’t be here. Everything is free in the community, if you are a beginner like me all you want to do is practice learn and practice yes reading and watching videos won’t make you a hacker, but practicing will so practice. Working on real web apps are very much different than on Labs. You can test the learned one’s on the apps you have permission to test ( yeah probably public programs) without causing any harm.

Throughout the journey many times I experienced burnout, me becoming very rude that time I don’t know what am I doing those times :). But that’s not uncommon so leave it, I remember the words someone said “ Hard work pays off ”, yeah that’s a true, one day will be ours. I learned too much in these time, following guys who post tips and write-ups are better than following the guys who only post yay I got $$. May be that demotivates you if you can’t find like him. But remember it’s all about experience.

In this lock down days while all my friends are enjoying their free time, I was in the home in-front of my lap, but now I am proud of myself that I can now help my family in this financial crisis times. I didn’t got too many bounties, but if I was still as I was before (playing with friends), I would not be able to help my family. It’s not about money it’s about happiness, sometimes money can bring you happiness.

Now I will tell about my reports, I have reported many bugs 1 in hackerone 2 in bugcrowd and too many in other responsible disclosure programs. Hackerone report is a clickjacking even thought, I don’t know what can an attacker do with that I reported and responded as NA and he said me that “ Clickjacking is only severe when sensitive state changes occur on a page. In this situation, there are no sensitive state changes that are occurring on this page” don’t laugh if you know the impact, then I tested them on portswigger WebAcademy and learned how can we exploit it and what’s the impact and when I look back to my report, I reported clickjacking on a blog website which has no impact hehe. Then I moved into responsible disclosure programs. Reported too low level things like SPF records misconfiguration, clickjacking, etc. And finally Got My first ever bounty for clickjacking here it can cause significant impact since it has many things an attacker can force a person to do on the framable page and it was €50, when I got the mail I was like wooooh, yeeeey and I said my parents and they appreciated me. For the first time in my life I made this much my own. and 2–3 days after received second bounty which is completely unexpected and it’s about 200$. I was really shocked oh god!. That days I can’t even sleep due to happiness haha. It’s for an information disclosure through github repository. I realized the value of github and now I got one more accepted info disclosure for the same program and waiting for the bounty.

While reporting on responsible disclosure program many websites won’t even replying, so I recommend that if you don’t sure about how they treat try to find simple vulns and report them so that we will get an idea about their response time and if they reply to your report or avoid, and if they are responding then try to find harder ones so that you can save your time by digging more and more into programs who didn’t even respond to the mail. Don’t wait for their response to hunt, you can hunt on other programs while waiting means always hunt. If you keeps trying you will definitely get it.

I know you are thinking about duplicates off course me too got a ton of duplicates and made me sad, when I was demotivated I watch STÖK’s videos and hakluke’s. It will make me motivated to hunt more. Report everything if you think that’s a vulnerability ( make sure that’s not in the not applicable lists ). Sometimes the things we report have more impact than we think and if you are lucky they will pay you good.

As they said every report I made are duplicate I even asked them are you lying. I was like too much demotivated and then I got accepted and then I became happy as usual haha. Yeah one day will be mine, ours yes so wait for the day to come and work hard for a better day. I am not posting how to find bugs, my methodology how I find those, because I don’t know much that’s the reason. If you want you can ping me on twitter. I will post more write-ups as days come. Yes we will hit harder. Thank you guys for reading this.

If you like this follow me on twitter iamj0ker, I am new to twitter too happy hacking and all the best