Published on 30th November, 2024

On Choosing Bug Bounty Programs.

Choosing Bug Bounty Programs

vulns = vulnerabilities

Scope: asset scope vs. vulnerability scope

Payout Amounts

Response Times

Getting private invites

Submit vulns found in public programs

Learn to escalate them to high impact

Do CTFs on HackerOne

Don't spam

Respectful effective communication

There is competition. Be the remora fish: what the big sharks pass over, you clean up. Start with low-paying, low-hanging-fruit programs, and with vulnerability disclosure programs (VDPs) first. The big companies? No, not yet. The small ones? Yes, go. Pick programs with fast response times to avoid frustration. Consider the company's reputation: will they help you learn? Will they pay you?

Make a table of bug bounty programs and compare them on these criteria (scope, payout, response times, reputation).
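One way to keep that comparison table, as an added example that is not the post's own code: a small Python script that scores each program on the criteria above (scope, payout, response time, competition, reputation), drops programs that answer too slowly, and ranks VDPs first. The scoring weights, the normalisation caps and every program listed are assumptions and constructed sample data, not real programs.

```python
"""Rank bug bounty programs to decide where to spend your time.

Added example: not code from the original post. The scoring weights are
an assumption (tune them to your own priorities) and every program below
is constructed sample data, not a real program.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Program:
    name: str
    kind: str                    # "bbp" = paid bounty program, "vdp" = disclosure only
    assets_in_scope: int         # rough size of the asset scope (hosts, apps, repos)
    low_payout_usd: int          # typical payout for a Low finding; 0 for a VDP
    first_response_days: float   # average days until a human answers
    triage_days: float           # average days until triage
    reputation: int              # 1..5, your own judgement: do they help you learn? do they pay?
    hackers_thanked: int         # rough proxy for competition on the program


# Assumed weights: fast response and low competition matter most for a
# beginner (the "remora fish" strategy); payout and scope size count for less.
DEFAULT_WEIGHTS: Dict[str, float] = {
    "response": 3.0,
    "competition": 3.0,
    "reputation": 2.0,
    "payout": 1.0,
    "scope": 1.0,
}


def score(p: Program, weights: Optional[Dict[str, float]] = None) -> float:
    """Higher is better. Every term is normalised to 0..1 before weighting."""
    w = weights or DEFAULT_WEIGHTS
    response = 1.0 / (1.0 + p.first_response_days + p.triage_days)   # fast -> close to 1
    competition = 1.0 / (1.0 + p.hackers_thanked / 50.0)             # few hackers -> close to 1
    reputation = p.reputation / 5.0
    payout = min(p.low_payout_usd, 500) / 500.0                      # capped so money can't dominate
    scope = min(p.assets_in_scope, 50) / 50.0                        # capped likewise
    total = (w["response"] * response + w["competition"] * competition
             + w["reputation"] * reputation + w["payout"] * payout + w["scope"] * scope)
    return round(total, 3)


def rank(programs: List[Program], vdp_first: bool = True,
         max_first_response_days: Optional[float] = None) -> List[Program]:
    """Sort programs best-first.

    vdp_first puts disclosure-only programs ahead of paid ones (the post's
    advice to start there); max_first_response_days drops programs that
    answer too slowly, whatever their score.
    """
    kept = [p for p in programs
            if max_first_response_days is None or p.first_response_days <= max_first_response_days]
    return sorted(kept, key=lambda p: (0 if (vdp_first and p.kind == "vdp") else 1, -score(p)))


def comparison_table(programs: List[Program]) -> str:
    """Render the comparison table the post suggests keeping, as plain text."""
    header = (f"{'program':<12} {'kind':<4} {'assets':>6} {'$low':>5} {'resp':>5} "
              f"{'triage':>6} {'rep':>3} {'hackers':>7} {'score':>6}")
    rows = [header, "-" * len(header)]
    for p in rank(programs):
        rows.append(f"{p.name:<12} {p.kind:<4} {p.assets_in_scope:>6} {p.low_payout_usd:>5} "
                    f"{p.first_response_days:>5.0f} {p.triage_days:>6.0f} {p.reputation:>3} "
                    f"{p.hackers_thanked:>7} {score(p):>6.3f}")
    return "\n".join(rows)


# Constructed sample data (not real programs).
SAMPLE_PROGRAMS = [
    Program("BigCorp",     "bbp", 200, 500,  7, 14, 5, 2000),
    Program("SmallShop",   "bbp",  10, 100,  1,  2, 4,   40),
    Program("OpenProject", "vdp",   5,   0,  2,  3, 3,   15),
    Program("SlowPay",     "bbp",  30, 300, 20, 40, 2,  300),
]

if __name__ == "__main__":
    print(comparison_table(SAMPLE_PROGRAMS))
```

With the sample data the small, fast-responding shop outscores the big, crowded program even though it pays a fifth as much, and the VDP lands on top because of the VDP-first rule rather than its raw score. Passing max_first_response_days=14 removes the slow payer entirely, which is the "go for fast response times" rule applied as a hard filter.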

Good Report Writing

1. Craft a descriptive title

2. Provide a clear summary

3. Include a severity assessment; read HackerOne's severity ratings, Bugcrowd's Vulnerability Rating Taxonomy, and FIRST.org's CVSS first

4. Give clear and concise steps to reproduce

5. Provide a proof of concept

6. Describe the impact and attack scenarios

7. Recommend possible mitigations

8. Validate the report

Understanding why you are failing

Not finding bugs

1. You participate in the wrong programs

2. You don't stick to a program; you keep moving from one program to another without spending significant time on any.

3. You don't Recon

4. You focus only on low-hanging fruit; be clever.

5. You don't get into private programs; earn more points.

Why your reports don't get through triage

You don't read the program policy

You don't put yourself in the organization's shoes; doing so tells you which kinds of vulns they prioritize, so you can hunt for those.

You don't chain bugs; learn to turn informative/low-severity bugs into bigger vulns by chaining them.

You write bad reports; this is just a terrible thing to do, so don't do it.

Duplicates? It is what it is; you can still help yourself, though.

What to Do When You're Stuck

1. Take a break; hammock-driven hacking

2. Build your hacking skills while you rest/take a break

3. Gain a fresh perspective; taking breaks helps with that.