Posted in Conference notes on November 7, 2018
Conference notes: How To Become A Bug Hunter (Bug Bounty Talks)
Posted in Conference notes on July 1, 2018
- This talk is about how Pranav went from a total beginner in bug bounty hunting to finding bugs and earning money in only 3 years.
What is bug bounty?
A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse. Source
Why you should do it?
- (Starting your own) Business
- Good cause - helping secure the Internet
Hacker Report 2018 by HackerOne (page 10 - Bug bounties vs. salary)
State of Bug Bounty Report 2017 by Bugcrowd (page 8 - Adoption by industry)
How to learn?
Pranav had 50+ invalid bugs until he started focusing on 2 things:
- Change your mindset
- Believe you can do it!
The man who thinks he can and the man who thinks he can’t are both right - Confucius
Which one are you?
- Develop your methodology
- Develop a practice lab (optional)
- Learn and practice the vulnerability
- Replicate on bug bounty programs
Where to learn?
If you’re starting, focus only on Web and mobile, and build from there (new areas like IoT, etc).
Web App Hacking
- The Web Application Hacker’s Handbook
- Mastering Modern Web Penetration Testing: Learning the Ropes 101
- Web Hacking 101
- Breaking into information security
Mobile App Hacking
- The Mobile Application Hacker’s Handbook
- Android Hacker’s Handbook
- Learn from other people
- Why are they successful? What are they doing? What are you not doing that makes you unsuccessful?
- Steal their techniques
- Replicate their steps, meet up at conferences, learn from them
- Communities / Groups
If you mix with people who are at a higher level of success than you, then they will pull you up to their level - Steven Aitchison
One best book is equal to hundred good friens but one good friend is equal to a library - Abdul Kalam
- Get involved with successful bug hunters to take guidance from them, get new ideas and learn faster.
- Recommended communities focused on bug bounty:
Where to Hack
Only test sites who run bug bounty programs (unless you want to go to jail!) like: Facebook, Google, Bugcrowd, HackerOne, Synack…
- Work hard
- Acquire the right skills
- Follow the methodology
See you next time!