Edition: July 29th, 2021
Curated by the Knowledge Team of ICS Career GPS
- Excerpts from article published on Hackerone.com
If you ever dreamt of becoming a bounty hunter, your dreams can come true. You can become a bug bounty hunter: A hacker who is paid to find vulnerabilities in software and websites.
Anyone with computer skills and a high degree of curiosity can become a successful finder of such vulnerabilities.
You can be young or old when you start. The main requirement is that you need to keep learning. Also, it’s more fun to learn if you have a buddy to share ideas with.
Here are 4 tips on how you can become a successful bug bounty hunter:
1. Submit valuable and easy-to-understand bugs
- Quality over quantity: Even though they’re both security issues, finding a remote code execution (ability of an attacker to access someone else’s computing device and make changes) on a production system is a lot more valuable than a self-XSS (tricking users into copying and pasting malicious content into their browsers’ web developer console).
- Enjoy the thrill of the hunt for a super severe bug.
- Spend a lot of time describing the issue as clearly as possible.
- Get to the point and don’t introduce unnecessary reading overhead for the company. Extra verbiage also reduces responsiveness of the company you’re submitting the report to.
- Read the program policy before you start looking for vulnerabilities.
2. Respect the company’s decision on the bounty amount
- Gain respect by submitting valuable bugs.
- Respect the company’s decision on the bounty amount. If you disagree with the amount they decided to award, have a reasonable discussion about why you believe it deserves a higher reward. Avoid situations where you ask for another reward without elaborating why you believe you deserve more.
- In return, a company should respect your time and value. They do this by awarding bounties, being responsive and transparent, engaging you in the discussion for the fix, and asking you to test the deployed fix.
- Being communicative and reasonable pays off as successful bug bounty hunters receive tonnes of job offers.
3. Do your homework: Know the necessary protocols and resources
- If you’re not comfortable with the basics, get more comfortable.
- Have a good understanding of protocols like IP, TCP, and HTTP and take a few programming courses.
- Most of the bug bounty programs are focussed on web applications.
- To become a successful bug bounty hunter on the web, check out the following resources:
- Read The Web Application Hacker’s Handbook
- Take a look at the publicly disclosed bugs
- Check out the Google Bughunter University
4. Practise with a hacker buddy
- If you’re lucky enough to have a hacker buddy, write small, vulnerable programs and challenge each other to find the hidden vulnerabilities.
- Find someone who challenges you and use what you learned from their challenges to find bugs on real targets.
Bug hunting is one of the most sought-after skills in all of software. It’s not easy, but it is incredibly rewarding when done right.
Like writing codes, bug hunting also takes persistence, a lot of feedback, and determination to become a successful bug bounty hunter. Think outside the box and do your best.
(Disclaimer: The opinions expressed in the above mentioned article are those of the author(s). They do not purport to reflect the opinions or views of ICS Career GPS or its staff.)