How to Start in the Masochistic World of Bug Bounty — what nobody told you before.

13 hours ago 7

BOOK THIS SPACE FOR AD

ARTICLE AD

Hello, my name is Jonas Dias Rebelo, I am currently 20 years old, born in Portugal and now residing in the USA (United States of America).

With over 60 vulnerabilities found in Bug Bounty programs (counting only valid reports on HackerOne and Intigriti), I was a student in early 2023 at Solyd Offensive Security (a Brazilian company), where I studied the course PENTEST DO ZERO AO PROFISSIONAL v2023 and successfully passed the final exam, obtaining the SYCP (Solyd Certified Pentester) certification. The SYCP certification, as they say, is quite similar to the renowned OSCP certification, with one major difference: your price.

My SYCP certification.

The purpose of this post is to show you how Bug Bounty works and how to quickly boost your success as a bug hunter.

DON’T START YOUR JOURNEY FOCUSED ON MONEY

When I started on HackerOne, I made a big mistake: I aimed too high and tried to find vulnerabilities in large companies like Twitter, hoping for greater financial rewards.

What you need to understand is that you’re not the only one trying to find these vulnerabilities in big companies. On the contrary, you’re competing with over 5 million (exemplary number) hackers worldwide who, in addition to being more experienced and knowledgeable than you, have already tried to do what you’re attempting.

I must also inform you: just as there are unethical hackers, there are also unethical companies that may not pay you fairly — or even pay you at all.

Start with VDP (Vulnerability Disclosure Programs). While they may not offer financial returns, they have significant advantages, such as earning platform points that can lead to invitations to private programs (less competition) and gaining valuable experience in real-world environments.

The best VDP program is the U.S. Department of Defense. It has an almost infinite scope. All .mil sites are within scope (with small exceptions for non-.mil sites that are also included).

Jonas, how do I find these sites? You have two options:

Use a simple Google dork (site:*.mil).Visit this website: https://www.defense.gov/Resources/Military-Departments/DOD-Websites/

This site doesn’t show the full scope but includes various DoD sites, which can be very useful for you. So far, I’ve found 23 valid vulnerabilities in the DoD. Their scope is also different from other HackerOne programs, accepting simpler vulnerabilities like database errors, exposed WordPress Debug Mode, and Email Spoofing.

Here are some examples of vulnerabilities:

Some of the vulnerabilities I have found in the DoD.

YOU DON’T HUNT “VULNERABILITIES”; YOU HUNT “IMPACT”

This is something I didn’t understand at first: you’re not hunting for vulnerabilities; you’re hunting for impact.

“But it’s a vulnerability; it should be fixed.” — Beginner Hacker

It’s not quite like that. If you report something that doesn’t have a minimal impact on the company, I must inform you: it won’t be accepted.

Here’s something no one taught or warned me about: understand how CVSS 3.1 works. If you know how to use CVSS 3.1 to your advantage, your XSS can be critical. Don’t believe me? Let’s break it down.

I like to divide XSS into two types: Reflected/DOM XSS and Stored/Blind XSS.

Reflected/DOM XSS executing an alert().

Confidentiality is considered Low, and Integrity is also Low. However, if you’re able to steal session cookies, tokens, or perform any other action with greater impact, Integrity will be rated as High, making your XSS High as well:

Reflected/DOM XSS stealing cookies.

That being said, before we follow the CVSS logic, I must mention that the Scope is considered Changed because the scope “leaves the website” and moves to the victim’s browser.

Before we proceed, I will only be addressing HackerOne. Intigriti has its own rules and does not consider this interaction in the victim’s browser as Scope Changed:

Intigriti’s article about CVSS.

This means that even when performing a Stored XSS on HackerOne, the User Interaction will be set to None, which will make your XSS (without cookie capture) a 7.2 High. Consequently, with cookie capture, it will become 9.3 Critical. On Intigriti, for an XSS to be considered critical, it must be Blind.

Stored XSS with cookie capture.

IMPROVE AT LEAST THE BASICS OF YOUR SKILLS

If you don’t have basic knowledge of vulnerabilities, it will be very difficult for you to find anything with impact. Train in labs (for example, from Portswigger), take a good course that offers a certification exam (such as Solyd’s SYCP), study more, and with the guidance I’ve provided in this post, you’ll have an easier time starting in this masochistic world of Bug Bounty.