What exactly is a Bug Bounty program?
A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse.
Companies setup a bug bounty program and supply information as to what they want researchers to look at, and if the researchers find a valid vulnerability then you can report it to them and hope to receive a reward in return. Companies can choose to either reward you reputation points on bug bounty platforms, swag, or sometimes even money. If they don't reward anything, then it is a vulnerability disclosure program.
Different types of programs
Vulnerability Disclosure Program (VDP)
Typically these programs are public and only reward you with points and nothing more, however some VDP's are also private. Most people starting in bug bounties are told to start with VDP's to 'learn the ropes' and to build 'rep' (reputation) to receive privates invites which pay, but what most researchers don't realise is some of these VDP programs actually have paying programs as well, they are just private and invite only.
With that said, not all companies are able to run more than a VDP for a variety of reasons such as being a charity. Just because a company is using a VDP doesn't mean you should ignore them, it means just be mindful about who you are working with and their reasons for running a VDP, then decide if you should spend on their program. Practising on VDP's can be a great way to get first-hand experience for what it's like to participate in bug bounties and hack blindly on real world websites. It is also not unheard of to be invited to a company's paying program after "impressing" them in their VDP, however this depends on your risk vs. reward ratio. You're the shot caller.
Public Bug Bounty Program
A public bug bounty program such as Google & Facebook that is open to the world and reward money. There are LOTS of public bug bounty programs out there and some even have wide scopes. You can discover public programs from Disclose.IO, however also make sure to search on Google to discover more companies which welcome hackers. You can find google dorks below to help find programs.
Most people are under the illusion that just because a program is public that there will be nothing to find. False! New code and new features are pushed daily, especially if it's a large company spanning across the world!
You also have to consider that if most researchers are avoiding these programs because they think too many eyes are on there, surely there isn't as many eyes as they actually think? Get creative, there are bugs out there.
Private Bug Bounty Program
Typically most private invites you receive will be paying programs, however not all private programs do pay. You can usually customise your invite preference on bug bounty platforms if you want to filter paying private vs. non-paying. Researchers are usually invited to private programs after showing some activity on the platform such as a certain amount of valid bugs, certain rep/signal/impact value and activity in x amount of days.
You may hear some researchers refer to "VIP" and "secret" programs and these are programs setup by certain companies to work only with hackers they select. There is not usually a public criteria to join one of these and you are mostly selected based on your activity on their other program(s) & your skill.
Finding bug bounty/vulnerability disclosure programs
Google has everything you need indexed. There are lots of queries you could search for, however here are some popular search queries: (don't forget to try different languages!)
"report security vulnerability"
"powered by hackerone" "submit vulnerability report"
indesc:bug bounty|vulnerability disclosure
inurl: bug bounty
white hat program
"vulnerability reporting policy"
Security.txt is defined as, A proposed standard which allows websites to define security policies. security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.
It really is as simple as: When looking for a companies security contact make sure to check for
Security.txt was created by EdOverFlow. Huge kudos to him.
With that said, below you can find what we believe to be the top platforms (in no particular order) in terms of available programs and usage from other bug hunters. We recommend you check these platforms out when starting in bug bounties.
Quick tips to help find your first bug
So you've learnt to hack via challenges, you know what a bug bounty program is and understand about different types available. You're ready to get stuck in, but sadly one thing we can't advise you on is which program to look at. One big hurdle people struggle to overcome is finding a program to spend their time on and sadly this is something out of most peoples control, especially if you are new and don't have access to as many programs as others.
But, there is something we can advise on: hacking, and using your hacking knowledge to finding your first bug.
Below are some tips and things you can try to help you in discovering your first bug.
- Don't try too much & set goals!
It is very easy to think of lots of different vulnerabilities to try and sometimes overlook the simple things. I've done it, we've all done it, and we'll all probably carrying on doing it! Set yourself a goal as to what type of vulnerability it is you wish to find and spend time learning the ins and outs of your chosen target. The more you learn the more you will begin to see it from a different view, a hacker's view.
The program has a wildcard scope with multiple domains in scope. Spend the day testing the login flow on each website that offers account functionality and test common login flow bugs such as oauth misconfigurations.
The program has a wildcard scope with multiple domains in scope. Don't just test their websites from your country! Change your location and test different regions as sometimes a different codebase is used (different teams etc).
A lot of websites use robots.txt. Go and scan their robots.txt files from the past 5+ years using WayBackMachine. WayBackMachine has indexed old versions of websites and contains lots of valuable data.
- Scan & find as much as possible
Old files exist on old servers, even on well-established public programs. Subdomains come up & down all the time. New files appear daily. Spend time to understand what's in scope and begin finding & mapping as much information as possible. Just because a subdomain shows you a 404 error, there may be an "admin.php" file on there, or it may appear online one day. Your recon can never be complete and you should always be hunting with your overall aim to automate the scanning process.
- What's been disclosed?
If the bug bounty program you've chosen to participate in has disclosed any vulnerabilities, what were they? How long ago were they found? Was it a special bypass, or a simple straight forward XSS? How was it fixed? Ask yourself all these questions and use others kindness of sharing as your starting point to begin testing.
All of the content on this site has been created and designed to help you not only have easy access to tutorials & write-ups but to then apply the knowledge shared straight away on recreated real-world bug bounty scenarios. From there use your skills on bug bounty programs and become what is known as a "bug bounty hunter". We believe a hacker creates their own story and everyone has their own way of discovering vulnerabilities. Not every case can be, "try this, do that", and we hope from real life challenges that you can begin writing your own hacker story.