Getting Started as a Bug-Bounty Hunter: Beginner, Intermediate and Advanced Approach

The Getting Started Guide to Bug-Bounty Hunting

Hi there fellas. This write-up is all about getting yourself started as a Bug-Bounty Hunter. It covers most of the things that I personally know and that belong in a beginner's "Getting started as a Bug-Bounty Hunter" write-up, and I will make sure that it is easy, simple and gets digested easily in your brains.

(Disclaimer: If you are here to see me show you any specific exploitation of bugs, then this is not that write-up. This is a beginner-friendly complete write-up to "Get yourself started as a Bug-Bounty Hunter" for the people who asked me for it.)

Also, if you are new to this place, then subscribe and get the write-up delivered to you first, before others. So let's get started.

The write-up consists of:

1. Who is a Bug-Bounty Hunter, what does he do, and why is this a hyped-up topic in the field of Cybersecurity?
2. So "You" want to be a Bug-Bounty Hunter: Learn the "Bitter Truth" first that none will tell you clearly
3. Beginner's Approach: Things to learn and getting your first bug
4. Intermediate Approach: Things to focus on and getting your next types of bugs
5. Advanced Approach (Beginner + Intermediate + Additionals): Things to connect, conquer and get higher-rewarding bugs than other researchers
6. Conclusion

By Definition

A Bug-Bounty Hunter is a person who finds software issues "first" (known as threats), ethically exploits them and declares the software issue (then known as a vulnerability) to be severe in nature in front of the software owner/company, and is then eligible for a reward in different forms such as money, swag (t-shirts, stickers, mugs or any kind of rewardable gifts) and/or a name on a Hall-Of-Fame wall. (Hall of Fame or HOF is a place where the names of people who find vulnerabilities in the owner's/company's software are written. It is displayed on a security researcher list webpage.)

A Bug-Bounty Hunter doesn’t look like this for sure….😂😂

This sums up everything of who a Bug-Bounty Hunter is and what he does.

Why is this topic hyped up?

A Bug-Bounty Hunter can earn up to an extent that a normal 9–5 employee or any other person might not imagine. In short, it's unimaginable.

A legit Bug-Bounty Hunter can earn from zero to millions of dollars for disclosing a single issue or multiple issues, earning from it while sitting in their pyjamas/shorts at home. This is the next job after sales that pays according to how much one works at it. The rise of Bug-Bounty Hunters occurred during the last 4–5 years, when new companies such as Hackerone, Bugcrowd and Intigriti started to come up. (All links are here, so you can check them out.)

Hackerone

Bugcrowd

Intigriti

OpenBugBounty

https://www.openbugbounty.org/

There are some bitter truths (formed up as lessons) that you should know in order to get yourself started in Bug-Bounty Hunting. This is because people will show you all the glamour and money, but not the real truth behind the curtain. So be ready to swallow some hard pills of the day, which you might or might not already know about.

Lesson 1: Your first bug is quite tough to get, and might be disappointing

Every job requires effort, and Bug-Bounty Hunting requires tireless effort, and there are huge chances that you might not get a bounty for your first bug. So stop thinking that within your first try you will get $$$ paid into your account. Learn the process, and move forward with it. Bounties will follow you.

Lesson 2: What people show about their earnings and what they actually earn are nearly always different. The real ones don't showcase their bounties, as they become humble with time.

The top 1% of Bug-Bounty Hunters earn huge bounties because they are always into Bug-Bounty Hunting (Always = every time). They think and move with that aspect. They build their mindset that way. And not all hunters earn huge; some earn decent, and some nothing. Many a time, a LinkedIn post or Instagram reel of someone getting paid in dollars might have made you come here to become a Bug-Bounty Hunter, but many of those who earn huge have given weeks, months and even years to earn a $$$$ bounty streak.

Respect all, learn from all, follow "NONE".

Lesson 3: Stop procrastinating after your first failed attempt

I have seen many people procrastinating after their failed attempts, as well as blaming others who hit pretty good bounties in either a short or a long amount of time. As a Hunter, NEVER…..NEVER…EVER procrastinate or compare your efforts vs. theirs, and never abuse fellow hunters for their work. If they are earning, it's great; they earned it. Today is their day; one day will be yours.

And Your Day One starts from today…..Gear UP…😎😎

"A Bug-Hunter is paid according to the severity of the issue he/she reports, and not how many he/she reports. Severity is important, mark my words."

Lesson 4: You have to learn every day

Bug-Bounty Hunting requires everyday learning. You have to get yourself started today. Every day, new vulnerabilities or methods are popping up. Note them, learn them and apply them.

Today is what you have. So start now, as early as possible.

Lesson 5: Patience

Patience is required for sure, from beginner to advanced exploitation in the field of Bug-Bounty Hunting. If you have less patience, then either increase it, or leave the journey at this particular point…..!!!! Bye-bye and see ya!!!!

Ohh…You are still up here…right…?? Proud of you. Let's get you the next hard pill..!!!

Lesson 6: Whatever you get at the beginning of your Bug-Bounty career, accept it, even if it is Duplicates/NAs

Another thing that I have seen is people fighting with triagers (triager = a person who accepts submitted bugs and sends them to the relevant software owner/company for further evaluation) for not getting paid for their bugs, and only being given HOF for their first bug. Debating is good, fighting is terrible. Fighting reduces your chance of winning in the game of Bug-Bounty, a game where you can easily escalate your bugs for bounties with patience.

Did you know that one can ask the company to change the triager by mailing them about the triager's activity towards your report..!!!!

Make sure to use this only when your report is genuinely right; otherwise move on to the next findings on the target.

Tip: Report, wait for the response, read the response, then either act on the response or move on to the next target.

And yes, whatever the reward is, accept it as your first bounty, and move on to other kinds of vulnerabilities on the same target, or to the next target. The rewards are generally explained on the VDP/RDP webpage. Always READ IT CAREFULLY.

Lesson 7: Stop getting into debates with other Hunters.

Try to avoid debates and unnecessary searches over what the best tool is (as every tool is good), who the best hunter is (as everyone is experienced in some bug or other) and what the best methodology is (as everyone's is unique). Learn anything that comes new to you, with your brain and eyes open. Accept anything that comes to you with your brain and eyes open, and add it if it fits in your methodology. Start doing it. Just start. Things will add up automatically if you stay on the track.

Remember: Additional updates (and not always information) are good. So follow the different Bit Bytes updates from Intigriti, Bugcrowd and Hackerone for sure.

If you have digested these hard pills of truth and are ready to go forward, then let's get you started with Bug-Bounty Hunting.

Let’s come straight to the point.

0. Learn BURPSUITE/ZAP PROXY before getting yourself started as a Bug-Bounty Hunter. This will always give you a head start over other hunters.

1. Focus on one bug every day. Try to test that bug every day on different labs such as PortSwigger, OWASP DVWA and many more.
2. Start with these bugs: Rate Limiting Issues > DMARC Record Issues > Cryptography Issues > Security Header Injection Issues > HTML Injection Issues > Sensitive Information Disclosure > Redirection Issues > File Upload Hazards > No Metadata Strip Issues > CSRF > Misconfigured CORS.
3. Learn these issues on PortSwigger Labs, OWASP Juice Shop and DVWA, all being completely FREE in nature.
4. Also, start to refer to basic disclosed reports from fellow hunters, and try to write them in your own way. Copying is not a crime, but it isn't worth it if you copy completely.
5. After learning this, start hunting on the Open Bug Bounty platform. Here is the link. Remember, one bug per day.
6. Another thing: select targets having wildcards (e.g., *.domain.com). This lets you hunt over bigger areas for similar bugs.

https://www.openbugbounty.org/

Did you know that "Sometimes, a triager mistakenly marks a report Duplicate because it is compared to an older issue that was fixed, thinking that this is the same issue, although the new one has the same issue but at a different place…!!! It does happen."

Who knows, your findings may have been right, but as you copied, it didn't go well, and it was marked Duplicate. So, don't copy completely; learn and write your own. Better to write it before

Also, here I mention OpenBugBounty.org for newbies, not Hackerone/Bugcrowd/Intigriti. This is because I know most people won't be able to get their first real bounties from Hackerone/Bugcrowd/Intigriti and will blame them (and me, for sure) for not getting bounties and for providing false information, targets, platforms etc.😎😎

After you have some hands-on experience with tools and labs, get yourself knowledgeable about intermediate-level bugs.

1. Start with 2 bugs per day now. Start with Domain Takeovers > Parameter Tampering Issues > Identity Management Issues > Authentication Issues > Broken Access Control Issues > Advanced Cryptographic Failures > Error-Based SQLi > Cross-Site Scripting (Reflected and Stored XSS, with and without using XSS Hunter). Make sure to add the necessary "add-ons" to your arsenal to hunt on targets.
2. Choose targets from Hackerone/Bugcrowd/Intigriti and start to hunt on them. Stay on that target for more than 4 days before switching to other targets. Also, make sure to hunt over both single as well as multiple domains of the same target (such as domain.com as well as *.domain.com).
3. Start to chain small issues/bugs with similar types of issues/bugs. Don't jump straight to RCE. You might win some battles, but you will lose the big WARs, or I would say "Bug-Wars", in the long run.
4. Start to improve your report-writing style. Make it as simple and crisp as possible; add CVEs, NVD-NIST references and, if possible, any older rewarded disclosed report link in your write-up to support your findings. This is the ultimate thing one should be doing: informative, and taking less time to read.
5. Start a conversation with the triager after your report is submitted. As your report is short, sharp, clear and to the point, the triager takes less time to accept it and move forward with your bounty, if eligible.
6. If the triager is taking more time, ask them politely either to let you know the blockers/hindrances he/she might be facing in triaging your report, or to tell you if it is a Duplicate/NA. If he/she is not responding for more than 10 days, report this issue to the Bug-Bounty platform and request them to change your triager.
7. Make sure never to make the triager angry, because then it's quite near to impossible to get a bug of lower severity triaged.
8. Move to the next target once you are done with submitting and negotiating your report with the triager.

As you are now right with the knowledge of using tools and intermediate bugs, get yourself knowledgeable about technologies such as WebSphere, BIG-IP, Terraform, Bitbucket, Docker, GraphQL, Containers, AWS and other clouds, etc.

1. Have your approach completely over bugs now. Now you decide the number of bugs you want to hunt, more than two or more than 20; it's all in your hands.
2. Start with XSS > SSRF > Source Code Disclosure Issues > CI (Command Injection) > SQLi > XXE > RCE > PII Leakage. Now, your aim should always be working on PII leaks and breaking the backend code ethically.
3. Select targets from Hackerone/Bugcrowd/Intigriti, but now mail them personally through their personal email IDs, instead of submitting through the platform submission page. Submit your report about the issue via mail. You will thank me later, for sure.
4. Connect the bugs and chain them, if there is a possibility. Chaining is the key to advancement (although it's tough to find, it's worth finding). Your rewards get doubled, sometimes with an added bonus for finding the right bugs.
5. Writing a report is now going to be a swift deal. You can easily write the steps and things required, and what needs to be added as "Additional Information", such as the "elongated" severity, how this severity can lead to PII leaks, and how other out-of-scope issues are also affected. You can come up with more additionals, as explained in the Intermediate Approach.
6. Finally, after your report is triaged, move to the next finding. Don't touch the report until there is some activity on it, as you have consolidated everything. As you know what you have to say and how to say it to the triager, and have successfully reported it, now just do two things: be patient and pray…😌😌
7. Rotate over different platforms to hunt multiple different bugs now. One target or multiple targets, it's up to you now. You are the king to rule. Make sure to hunt every day, and keep the mindset over similar, but different, kinds of bugs.

So here it is for you, the write-up that you asked for. A lot of people wanted a write-up on how to get started for someone who is completely new to this field and wants to grow as a Bug-Bounty Hunter: the types of basic bugs to hunt, and the approach (not detailed) and methods. This is how I personally do it, and how I move forward with basic and advanced exploitation over multiple issues, so that triagers are not offended + the bounty is rewarded.

I deliberately didn't add other exploitation methodology and things because I know newbies will jump to it, learn it partially and start to hunt, and slowly get disappointed when their bugs get marked Duplicate/NA. Create a mindset first, then start to hunt for bugs.

Thank you for reading, and if you found this interesting, make sure to share it with other people, and subscribe if you found this informative and something different. Also, check out my other write-ups here.

Keep Smiling, Keep Learning, Keep Growing And Keep Rocking.

I know that only you can do it, and no one else can crack the code to success.

See ya, and……

!!__H@ppy__H@CK1NG__!!
