What is bug bounty? And how to start?


One of the most intriguing aspects of cybersecurity is that any freelancer can take part in “bug bounties”. A bug bounty is an incentive program run by an organization to find and fix security vulnerabilities in its software, websites, or applications. The program rewards individuals (often called “ethical hackers”) who discover security issues and report them to the organization rather than exploiting or disclosing them, in exchange for recognition and compensation, usually a monetary reward scaled to the severity of the finding. Essentially it is an outsourced quality assurance (QA) program with an emphasis on security-relevant vulnerabilities.

With so much interest in hacking and many aspiring ethical hackers looking for opportunities to gain valuable experience and build a portfolio of different engagements to showcase to prospective employers, it’s no wonder such programs have flourished online. For anyone interested, here are some steps to get started:

1. Start learning! As most online programs focus on web applications, it is very important to be familiar with the basics of web application security. There are many online resources available, including books, courses, and websites. Some recommended books are “The Web Application Hacker’s Handbook” and “Bug Bounty Bootcamp”. For introductory courses, there are plenty on Udemy, Coursera, etc.

2. Keep learning! Nobody knows everything and practice makes perfect. Start by testing websites and applications that you own or have explicit permission to test.

3. Get involved! Join online bug bounty communities and forums to connect with other bug bounty hunters and learn from their experiences. There are many on Discord, Telegram, Reddit, etc.

4. Start your career as an independent ethical hacker! Look for suitable programs on dedicated platforms such as bugcrowd.com, yeswehack.com, intigriti.com, hackerone.com, etc. Each platform usually offers some public programs, open to everyone, as well as higher-profile “private” programs to which hackers are invited once they have proved their skills.

5. Be careful! Even when we have permission to test specific domains or apps, we always have to read and fully understand the rules of engagement and the scope of the bug bounty program before we start testing. Scope is normally published as a list of in-scope and out-of-scope assets (domains, wildcards, apps), and the exclusions take precedence. Anything outside that scope is unauthorised testing: it will be treated like a real hacking attempt, with all the possible legal consequences.

6. Start testing! Begin with the low-hanging fruit and then progress to more complex vulnerabilities. Don’t forget that many people are doing the same, so the first tests are very unlikely to bring results. Nonetheless, they will little by little teach you how the site or application you are testing works and, as you dig deeper, you are more likely to find real security bugs that the developers may have overlooked.

7. Write it down! Report your findings in a clear, concise, and responsible manner, following the guidelines provided by the organization. This is a fundamental aspect that white hat hackers cannot overlook and need to dedicate time to. Most importantly, we must include a step-by-step process to reproduce the bug, so the responsible people in the company’s security or IT team can verify and triage the vulnerability. Only then will we be granted our well-deserved bounty!
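The scope check in the “Be careful!” step is worth automating before the “Start testing!” step, because a tool that spiders or fuzzes a list of hosts will happily wander onto assets you are not authorised to touch. The following is an added example, not code from the original article or from any bounty platform: it models a program’s published scope as in-scope and out-of-scope host patterns (exact hosts and `*.domain` wildcards, as program pages commonly list them), treats exclusions as overriding, and filters a candidate target list into allowed and rejected sets. The program scope and the target URLs are constructed for illustration; the real program page is always the authority.

```python
"""Check whether candidate targets fall inside a bug bounty program's scope.

Added example, not from the original article. The scope entries and targets
below are constructed for illustration; a real program's published scope is
the only authority on what may be tested.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Scope:
    """In-scope and out-of-scope host patterns, as a program page lists them."""
    in_scope: list = field(default_factory=list)
    out_of_scope: list = field(default_factory=list)


def _host_matches(host: str, pattern: str) -> bool:
    """Match a hostname against one scope entry.

    'example.com'    matches only example.com itself.
    '*.example.com'  matches any subdomain (at any depth), but not the apex.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".example.com"
        # The leading dot prevents 'evil-example.com' matching '*.example.com'.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def _host_of(target: str) -> str:
    """Extract the hostname (no port, no path) from a URL or bare host:port."""
    if "://" not in target:
        target = "//" + target        # lets urlsplit parse 'host:443' correctly
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"cannot determine host for {target!r}")
    return host


def in_scope(target: str, scope: Scope) -> bool:
    """True only if the host matches an in-scope entry and no exclusion.

    Exclusions win: a host listed as out of scope is never authorised, even
    when a broad wildcard in the in-scope list would otherwise cover it.
    """
    host = _host_of(target)
    if any(_host_matches(host, p) for p in scope.out_of_scope):
        return False
    return any(_host_matches(host, p) for p in scope.in_scope)


def filter_targets(targets, scope: Scope):
    """Split a candidate list into (allowed, rejected) before any testing starts."""
    allowed, rejected = [], []
    for t in targets:
        (allowed if in_scope(t, scope) else rejected).append(t)
    return allowed, rejected


# Constructed sample scope in the style of a public program page (hypothetical).
EXAMPLE_SCOPE = Scope(
    in_scope=["*.example.com", "api.example.net"],
    out_of_scope=["corp.example.com", "*.staging.example.com"],
)

if __name__ == "__main__":
    candidates = [                          # constructed sample targets
        "https://shop.example.com/cart",
        "http://example.com/",              # apex is not covered by *.example.com
        "https://corp.example.com/login",   # explicitly excluded
        "https://app.staging.example.com",  # excluded by wildcard
        "api.example.net:443",
        "https://api.example.org/v1",       # different registrable domain
    ]
    ok, bad = filter_targets(candidates, EXAMPLE_SCOPE)
    print("allowed:", ok)
    print("rejected:", bad)
```

Feed your recon output (subdomain enumeration, crawled URLs) through `filter_targets` and only pass the allowed list on to scanners or manual testing; anything in the rejected list is either off-limits or needs a question to the program owner first. Note that scope is not only hostnames: programs also exclude techniques (denial of service, social engineering, physical access), so this check complements reading the rules of engagement rather than replacing it.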