Cyber Security
A beginners guide to bug bounty programmes
by Jason Magic, Cyber Risk Advisor, Deloitte Australia

Bug bounty programmes are a way of encouraging the security community to work together to identify and responsibly disclose security vulnerabilities located within a predefined scope. In return for the researcher's hard work, organisations offer recognition and rewards, including monetary compensation that can sometimes run to thousands of dollars. Some people make their living as bug hunters, so I wrote this article to help anyone interested get started as a bug bounty hunter.

Firstly, you should understand that, unlike a regular security audit for an industry client, there is massive competition surrounding public bug bounty programmes. As a bug bounty hunter, you are not only competing against the security of the target system; you are also competing against hundreds or even thousands of other bounty hunters, a number that is continually growing. To be successful, you need to apply lateral thinking to minimise the probability of your report being marked as a duplicate. Don't assume that the likes of XSS and SQLi will suffice; you need to be testing for all manner of vulnerabilities, even the highly unlikely and uncommon ones.
Selecting a Platform

I have found that any bug bounty platform that has an intermediary communication medium is best, mainly because it's easier to contact and communicate with the target vendor. HackerOne (https://www.hackerone.com) and BugCrowd (https://www.bugcrowd.com) are two well-known platforms that have this feature, both of which are great starting points for setting up as a bounty hunter. There are also a few private programmes, such as Synack (https://www.synack.com); however, this platform should only be explored once you have gained considerable experience.

28 | Australian Cyber Security Magazine
Selecting the Right Programme

Ideally, when you start out as a bounty hunter, choose a programme that contains a good selection of applicable vulnerability classes and a wide scope. It's best to select a programme that has a large scope, such as *.example.com as opposed to subdomain.example.com. The broader the in-scope vulnerability classes and attack surface, the easier it is to find vulnerabilities and get a decent payout.

It's vital that your testing complies with the target of evaluation. The company that is paying for your services has specified the scope that they need you to test. Furthermore, they are not looking for you to exploit the vulnerability, just to prove that it's there so that they can fix it. If you go too far and start to exploit the target, they will disqualify you from the payout and could potentially even start legal proceedings against you. For example, to verify an RCE