The 3 sides of the same coin

First of all, I want to highlight the typical trinity one sees in a bug bounty scenario. It is true that not every bug bounty program involves a middleman in the form of a bug bounty platform, but the majority of hunters do start on one, so I want to highlight that every party in this exchange has its own goals and priorities.

The company

Often the company will have exhausted traditional means of cybersecurity investment such as pentesting and vulnerability scanning. This can be because the total scope has become so large that it is hard to manage and very expensive to pentest, but it can also be because all of the scope is already covered by traditional means at a decent periodic interval. Whatever the case may be, the company is looking for additional coverage, so it opens up its scope with an invitation to hack, provided it is done ethically and all issues are reported.

Companies can sometimes put up traditional budgets for this and siphon those into rewards for discovered issues, but they may also choose to award only points or swag. People might tell you to avoid these programs, but if you are just getting started they often offer the best return on your time investment. They might open the door to private invites, which we will come back to later. Because a points-only program has not had to spend as much on security, its targets are sometimes less hardened than those of a paying program, so there is more left to find.

The bug bounty platform

The first steps of most modern bug hunters seem to start at a bug bounty platform. This is usually HackerOne, but it can also be one of the many other upcoming bug bounty platforms. Their role in this exchange is simple yet complex. In essence they simply guide bug bounty hunters to targets, but it is well known that most platforms these days also handle the triaging of bugs, which saves the requesting company the headache of picking the good reports out of the pile. Triaging itself is simple: as a bug is reported, it is usually triaged before being passed on to the company. Always remember, though, that while a bug might get triaged, the company has the final say over whether or not it gets accepted. A triaged bug can still be denied by the company, although this is quite rare.

The goal of the bug bounty platform is to amass as many hackers and programs as it can, because the services it offers to the company are of course not free. The platform wins when more reports are accepted and triaged, but the triage step is also there to protect the company from wasting time on bogus reports. Platforms occupy a unique middleman position here, where they need to represent their hacker community as well as their company clients. One of my favourite platforms in this regard is intigriti.com, as they offer an excellent selection of programs across a wide variety of types while somehow still keeping the best interests of the community in mind.

The hacker

That would be us! We are out to find exploits, of course, but I think the pursuit of testing your skills against a real target should outweigh the wish for a quick buck. I know you might be telling yourself that you are not in this for the money, but are you really not? It is something a lot of hunters struggle with in the beginning, and don’t get me wrong, I like money as much as the next rat, but that does not mean it has to be my main focus. I try to focus on securing the internet. That should also give you some insight into what I stand for and why my actions over the past few years have aimed more at training others. If I can train hundreds, I can secure hundreds.

That being said, I want to highlight that some of you might benefit from starting on VDP programs that do not reward money and slowly evolving towards the targets that can bring in some income. For me, I have learned that the time spent is not worth it in proportion to my normal income. I still hunt on an alternate profile from time to time, but mostly on what I want to hunt. I do like to hone my skills on a real target every now and then, and that is my perspective on this whole endeavour.

Is it exploitative towards researchers?

One thing you often see thrown around is that bug bounties might be exploitative towards researchers, since they do a lot of work on a target and sometimes don’t get rewarded for weeks on end. What we have to remember is that a company usually did pay for a proper pentest before the program reached the bug bounty stage. This is not the case in every instance, but a piece of advice I always give here is to start a company, try to find your own clients, and see how difficult it is.

For such a low barrier to entry and such an amazing range of freedom, we cannot expect to be paid in the same way as a pentesting company with all its legal costs and insurance.

In conclusion, I do not think all bug bounty programs are exploitative of researchers, nor do I think most are. I think they offer us an incredible opportunity to enrich ourselves, both in knowledge and in wealth, and we should make use of that opportunity if we have the spare time to do so.

The types of programs

In general, there are several different “types” of types, aka categories, that we distinguish between. I have tried my best to summarise five of these characteristics in a concise way, but please know that even this is a limited list of characteristics, or types of types!

There are several types of assets we can come across in our day-to-day hunting. One of the most common you will find is the web application. These bug bounty programs are very prevalent today, but I expect them to become less so in the not-too-distant future, making way for mobile bug bounty programs or even being phased out in favour of APIs and/or cloud solutions. That being said, we can already distinguish specialised bug bounty platforms, for example in the web 3.0 niche with hackenproof and others!

That being said, the previous paragraph only pertains to the technical side of things. When it comes to functionality we can draw out at least as many categories, with one of my favourite examples leading the pack: business-to-business, aka B2B, applications. These favourites of the rat world often contain multiple access levels, or even granular controls, which is perfect for inter-tenant IDOR testing and for intra-tenant BAC (broken access control) issues to arise! If this does not say very much to you yet, that is normal. Just make sure you know that there is a difference between B2B applications and B2C applications. It is usually the B2B applications that one should be aiming for, especially when only just getting started. It is so important to make the right choice here because:
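To make the two B2B bug classes above concrete, here is an added example (not code from this post or from any bug bounty program) that models a tenant-scoped invoice API in plain Python. The data, the `User`/`Invoice` types and the function names are constructed for illustration. It shows the vulnerable handler beside its hardened form for both an inter-tenant IDOR (reading another tenant's invoice by guessing its ID) and an intra-tenant BAC issue (a plain member voiding an invoice that only a tenant admin should be able to void), plus the kind of probe a hunter would run to detect the IDOR.

```python
"""Tenant-scoped authorization: vulnerable vs. fixed handlers (added example).

Constructed sample data and names; this is not any real program's code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    tenant_id: int
    role: str  # "admin" or "member" within the user's own tenant


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    tenant_id: int
    amount: int


# Constructed sample data: two tenants with sequential, guessable invoice IDs.
INVOICES = {
    1001: Invoice(invoice_id=1001, tenant_id=1, amount=250),
    1002: Invoice(invoice_id=1002, tenant_id=2, amount=9000),
}


class Forbidden(Exception):
    """Caller is authenticated but not allowed to perform the action."""


def fetch_invoice_vulnerable(user: User, invoice_id: int) -> Invoice:
    """Inter-tenant IDOR: only checks that the row exists, never whose it is."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise KeyError(invoice_id)
    return inv


def fetch_invoice_fixed(user: User, invoice_id: int) -> Invoice:
    """Scopes the lookup to the caller's tenant.

    A foreign ID raises the same KeyError as a missing one, so the endpoint
    does not become an oracle for which IDs exist in other tenants.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.tenant_id != user.tenant_id:
        raise KeyError(invoice_id)
    return inv


def void_invoice_vulnerable(user: User, invoice_id: int, store: dict) -> bool:
    """Intra-tenant BAC: tenant check present, role check missing."""
    inv = store.get(invoice_id)
    if inv is None or inv.tenant_id != user.tenant_id:
        raise KeyError(invoice_id)
    del store[invoice_id]  # any member of the tenant can void, not just admins
    return True


def void_invoice_fixed(user: User, invoice_id: int, store: dict) -> bool:
    """Tenant scoping plus an explicit role check before the privileged action."""
    inv = store.get(invoice_id)
    if inv is None or inv.tenant_id != user.tenant_id:
        raise KeyError(invoice_id)
    if user.role != "admin":
        raise Forbidden(f"role {user.role!r} may not void invoices")
    del store[invoice_id]
    return True


def probe_idor(fetch, user: User, candidate_ids) -> list:
    """Hunter-side check: which IDs outside the caller's tenant does `fetch` hand back?"""
    leaked = []
    for cid in candidate_ids:
        try:
            inv = fetch(user, cid)
        except (KeyError, Forbidden):
            continue
        if inv.tenant_id != user.tenant_id:
            leaked.append(cid)
    return leaked


if __name__ == "__main__":
    member_a = User(user_id=1, tenant_id=1, role="member")
    print("vulnerable leaks:", probe_idor(fetch_invoice_vulnerable, member_a, range(1000, 1005)))
    print("fixed leaks:     ", probe_idor(fetch_invoice_fixed, member_a, range(1000, 1005)))
    print("member voids (vulnerable):", void_invoice_vulnerable(member_a, 1001, dict(INVOICES)))
    try:
        void_invoice_fixed(member_a, 1001, dict(INVOICES))
    except Forbidden as exc:
        print("member voids (fixed):", exc)
```

The probe only needs one low-privilege account in one tenant and a handful of neighbouring IDs, which is exactly why granular, multi-tenant B2B applications are such productive targets: every object type and every role transition is a place where one of these two checks can be missing.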