Introduction And Getting Started into Bug Bounty


Most of you might be hearing the term Bug Bounty for the very first time!

What are bug bounties? What are the benefits of bug bounties? And how
do you get into bug bounties successfully?

These questions are answered in detail in this post.

What is bug bounty?

It is a program run by websites and software developers who reward people for finding and reporting security-related issues in their websites or products. Not every bug is considered valid in a bug bounty program: only those that can have an impact on the security or integrity of the website or on the privacy of customer data.

What are the benefits of bug bounty program?

A bug bounty program benefits everyone, directly or indirectly. It is a win-win situation where everybody gets some sort of benefit.

    • Companies and organisations running the bug bounty program benefit by patching the security holes, thus making their websites and infrastructure more secure and also protecting their customers' data.
    • The bug bounty hunter or bug reporter gets paid generously for their work, as well as appreciation for their contribution. It also generates the goodwill feeling of doing something that helps the community. Moreover, you can take up application penetration testing as a career. There is a huge demand for security researchers in different fields, and companies are investing billions to make the internet a safer and more secure place for everyone.
    • The customers or end consumers get better protection of their data and privacy, which strengthens their trust in the company.

Getting Started Into Bug Bounty

For beginners, it is like finding a corner in a circle. There are hundreds of tutorials and resources available online, which makes it difficult to plan which method to follow. Still, there are some specific approaches that are easy to follow and give better results and understanding. Initially, bug bounties take a lot of time and effort to get started with.

The path to reach success
    • Stepping Stones:

      First, get to know in detail the vulnerabilities that you will be looking for in the coming days. The method that mostly works is simple: pick any one type of bug and dig deeper into it. The OWASP Top 10 list is the reference for the types of bugs that are found in the wild in web applications and have severe impact. So, pick any one type from the list and learn more about it. Use Google as extensively as possible.

    • Practice:

      After learning enough about a bug type, you need to practice it so that you get a better grasp of it. For practicing, you can set up your own vulnerable web application on localhost. In the upcoming weeks, new posts will be made on exactly this topic.

    • Time to get wild:

      Once you feel that you are ready to find bugs in live applications, sign up at HackerOne or Bugcrowd, which host a huge list of running bug bounty programs. Select any one of the programs and try to find bugs using the knowledge you have gained. At first you might not find any bugs, as these sites have already been tested many times by many security researchers. So, you might have to keep trying, maybe for a few days or a week.

      It is important to read the program terms and scope very carefully. You can check HackerOne's Hacktivity to understand the approaches followed by bug hunters, how they found bugs, and how to write a good report. It is very important to note that the report you send to any program for a bug you found should be in the specified format, with clear instructions to reproduce the bug and a working proof of concept.

    • Switch to Linux:

      If you are still using Windows, then switching to Linux is better. It is ideal to learn to use Linux, as most of the tools used in penetration testing can be found on Linux. Kali Linux by Offensive Security is one of the best penetration testing operating systems out there, and it includes thousands of tools pre-installed and ready to use.

    • Learn Burp Suite:

      Burp Suite is a proxy tool with advanced features and a must-have for any web application penetration tester. Get the free version of Burp Suite from here. You can learn how to set up Burp and find a basic tutorial here.
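As an added illustration of the "Stepping Stones" and "Practice" steps above (this is example code written for this post, not code from the original article or from any of the projects it mentions), here is a minimal localhost practice target for one OWASP Top 10 class, Injection. It contains a deliberately vulnerable lookup beside its hardened form, backed by a constructed in-memory SQLite table, so you can see for yourself how the two behave on the same input. The function names, the users table and the sample rows are assumptions made for this example.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table for a local practice app."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable practice target (assumed name): the user-supplied
    value is pasted into the SQL text, so the database parser treats the input
    as part of the statement. This is the OWASP Injection class."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn, username):
    """Hardened form: a parameterised query. The driver sends the value
    separately from the statement, so input can never change its structure."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def probe(username):
    """Run both versions on the same input and report what each did.

    An ordinary name containing a single quote (O'Brien) is enough to show the
    difference: the vulnerable version hands the database a malformed statement
    and raises, while the fixed version simply returns no matching rows.
    """
    conn = make_db()
    results = {}
    for name, fn in (("vulnerable", lookup_vulnerable), ("fixed", lookup_fixed)):
        try:
            results[name] = fn(conn, username)
        except sqlite3.Error as exc:
            results[name] = "error: " + str(exc)
    return results


if __name__ == "__main__":
    print(probe("alice"))     # both versions return alice's row
    print(probe("O'Brien"))   # vulnerable: error, fixed: []
```

Run it as a script, then try changing the input passed to `probe`. When a legitimate value with a quote character breaks the query, that is the signal that user input is reaching the SQL parser, which is exactly the defect the parameterised version removes. Once the difference is clear, the same two-function pattern (vulnerable form next to the fix) works for practising any other bug class from the OWASP list on localhost.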

All the methods mentioned above are enough to start your bug hunting journey. In the upcoming weeks, we will be posting more in-depth techniques and methods to sharpen your skills, as well as resources covering particular topics.

Till then, we wish you all the best. Remember, "it takes patience and perseverance to achieve something worthy to boast about."
