Hi, these are the notes I took while watching the “Bug Bounty 101 - How To Become A Bug Hunter” talk given by Pranav Hivarekar for Bug Bounty Talks.

Link #

• Video

About #

• This talk is about how Pranav went from a total beginner in bug bounty hunting to finding bugs and earning money in only 3 years.

What is bug bounty? #

A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse. Source

Why you should do it? #

• Money
• Recognition
• Resume
• (Starting your own) Business
• Good cause - helping secure the Internet

Hacker Report 2018 by HackerOne (page 10 - Bug bounties vs. salary)

State of Bug Bounty Report 2017 by Bugcrowd (page 8 - Adoption by industry)

How to learn? #

Pranav had 50+ invalid bugs until he started focusing on 2 things:

• Change your mindset
  • Believe you can do it!

The man who thinks he can and the man who thinks he can’t are both right - Confucius

Which one are you?

• Develop your methodology
  • Develop a practice lab (optional)
  • Learn and practice the vulnerability
  • Replicate on bug bounty programs

Where to learn? #

Books #

If you’re starting, focus only on Web and mobile, and build from there (new areas like IoT, etc).

Web App Hacking #

• The Web Application Hacker’s Handbook
• Mastering Modern Web Penetration Testing: Learning the Ropes 101
• Web Hacking 101
• Breaking into information security

Mobile App Hacking #

• The Mobile Application Hacker’s Handbook
• Android Hacker’s Handbook

Conferences #

• Learn from other people
  • Why are they successful? What are they doing? What are you not doing that makes you unsuccessful?
• Steal their techniques
  • Replicate their steps, meet up at conferences, learn from them

Videos #

• Watch at least 1 video / week & learn new techniques
  • Defcon videos
  • Owasp videos

Blogs #

• Twitter
• Communities / Groups

Community #

If you mix with people who are at a higher level of success than you, then they will pull you up to their level - Steven Aitchison

One best book is equal to hundred good friens but one good friend is equal to a library - Abdul Kalam

• Get involved with successful bug hunters to take guidance from them, get new ideas and learn faster.
• Recommended communities focused on bug bounty:
  • Bug bounty forum
  • Bug bounty world

Where to Hack #

Only test sites who run bug bounty programs (unless you want to go to jail!) like: Facebook, Google, Bugcrowd, HackerOne, Synack…

Conclusion #

• Work hard
• Acquire the right skills
• Follow the methodology

See you next time!