November 26, 2022

So, you want to get into bug bounties?

I've been doing bug bounties for over 10 years now and, over time, I have grown fonder of the life-changing effects it has had for me, from job prospects to being able to financially support myself and those around me. I believe that if you're passionate about information security and you take pride in your work, you can also find success in bug bounties, and hopefully it causes a ripple of positivity in your career and life.

I'm writing this blog post because I genuinely believe that hard work and a dedication to learning will lead you to success in bug bounties. Additionally, I am eternally grateful for the number of free resources that I have relied on to teach myself the skills to be good at bug bounties. I hope this blog post passes on the many lessons I have learned over the last ten years.


What is this guide, and why should I listen to you?

This guide is not necessarily going to give you a blueprint of exactly what you need to learn and when. I want this guide to give you a realistic understanding of what it is like to be a bug bounty hunter and what it takes to be successful. The learning journey that will make you successful in bug bounties can be different for everyone.

There are a lot of things I've worked out regarding being a successful bug bounty hunter that I wanted to communicate to the broader community. Some of these things may seem obvious to seasoned bug bounty hunters, but this guide is really for those who love the idea of being a bug bounty hunter, but may not understand what it involves and how to find success.

For those looking for structured learning, I recommend checking out PentesterLab and Web Security Academy. Most importantly, I recommend you spend as much time as possible actually hacking, because it is not time wasted even if you do not find any valid issues. Every failure is a learning experience. You will eventually find security vulnerabilities.

As for why you should listen to me, as I've mentioned earlier, I've been doing bug bounties for just over ten years now. The first bug I got paid for was an SSRF vulnerability in PayPal. Back then, bug bounty platforms did not really exist and no real community existed. At that time, I was working at a fast food restaurant for $6.50 an hour. The first bug bounty payout I received was more than I had made after working for eight months. It changed my life, and I think it has the power to change other people's lives too.

I'm ranked #1 in Australia (for the last two years) on HackerOne, and ranked about #30 in the world on HackerOne (all time leaderboard). Over the years I have done bug bounties as a hobby in my free time, but also spent some time doing it full time.


Fundamentals

In my opinion, in order to be successful at bug bounties, you do not need to be an excellent programmer, or know how everything works down to the most granular level. This can of course be an advantage if you have this knowledge, but I do not believe that you need to spend years studying before you can get your feet wet in bug bounties.

The truth is, most bug bounty hunters are interacting with so many assets and technologies that it is nearly impossible to understand the intricacies of each of them before you start hunting. The good news is, if you're curious and open to learning, you can build up your knowledge and skills as you are hunting for vulnerabilities.

I do encourage you to learn how to build, not just break, things. This can be a major advantage in bug bounties as it allows you to better understand how systems are built, so you can formulate attacks to break them. But I am aware of many hackers who have never written a single line of code and are some of the best hackers in our industry and community. Hence, for some people this is not necessary.

Having experience in engineering can sometimes be a double-edged sword, as you may make assumptions or have cognitive biases about how something works, preventing you from testing certain things in some scenarios. If you are an engineer or have an engineering background and are reading this, I urge you to always challenge your assumptions when participating in bug bounties.


I'm xyz, can I do bug bounties?

The best thing about bug bounties is that they are accessible to everyone, whether you're a budding engineer looking for a hobby or a teenager interested in offensive security.

If you're reading this and you're a pentester who has worked on web application security, let me tell you that the application security skills you apply in your day-to-day job are extremely relevant in bug bounties. Bug bounties may seem daunting because there is often so much to look at, but recon is a skill like any other that you can hone. Doing bug bounties may not only bring in some extra cash, it will most definitely also make you better at your job.

If you're reading this and you're an engineer who has built web applications before, the great news is that you already have a lot of the basic knowledge required to dive right in. It's likely that you will have to pick up some application security skills and concepts, but most engineers find this quite fun and exciting to learn about. Doing bug bounties and learning more about application security will most definitely make you a better engineer (releasing code with fewer security issues), and you might have some fun looking for bugs as well.

And lastly, if you're reading this and you don't have much engineering or security experience but really love the idea of bug bounties, all I can say is that the most important thing you can have in bug bounties is your mindset, and if you work on it, you will also be successful. This blog post later discusses what this mindset looks like. There can be a lot of prerequisite knowledge you will need to find your first bug, but if you are persistent and willing to learn, it is not out of reach. The road to success is paved with failure.


Mindset

Vulnerabilities exist everywhere. That may be depressing to realise, but it is an important point. Companies advertise how excellent their security is all the time, which builds a perception among most people that these companies are actually secure, even when they may not be.

If someone came up to you and asked you if you could find a security vulnerability in Facebook or Google, your knee-jerk reaction may be to explain how hard that would be because of how much money these companies spend on security and how many staff they have securing their applications.

As a bug bounty hunter, you cannot have this mentality. It is extremely limiting, and as you find yourself discovering security issues in the largest corporations in the world, you will soon realise that it is possible to find vulnerabilities in anything (given enough time and resources).

What you may find is that some companies are harder to find vulnerabilities in (it takes longer to find security issues), and you may give up before you find anything, but you need to understand that there are still vulnerabilities yet to be found in any attack surface.

The other quality I have found that leads to consistent results is persistence. Being persistent in looking for and exploiting vulnerabilities will almost always lead to success. You may think of success as finding valid vulnerabilities, but it is important to realise that even if you do not find vulnerabilities, the time you spend learning about a target, technology or some code will make you a better hacker in the long run through the knowledge you pick up. In bug bounties, you have to be comfortable with spending a lot of time not finding anything, and genuinely enjoy the journey, not just the destination.


Constant and Consistent Learning

One of the tricky things with bug bounties and application security more broadly is keeping up with all the new research that is published. When I first started learning about application security, I found myself religiously reading every /r/netsec post that was published. I had turned on push notifications for this subreddit, and I would read every post on this subreddit.

It's not just /r/netsec though. Over the last five years, I've found that Twitter has been an incredible source of information when it comes to application security and bug bounties. There is a sprawling community of passionate hackers who publish their research and work because they want to progress this industry further.

When approaching something like Twitter as a learning source, I highly recommend taking a curation approach and being mindful of the people you follow, so that your feed is always filled with relevant research, techniques or content. If you want to take a look at some of the people I follow on Twitter, you can see that here.

Beyond written content, these days there are also excellent content creators that work really hard to help you in this journey, such as Nahamsec, Stok, JHaddix, Codingo, Pwnfunction, Farah Hawa and BugBountyReportsExplained. Their videos are often inspiring and can get you excited to pick up the skills you will need to be successful in bug bounties.

Another great resource is HackerOne's activity feed, which lists all publicly disclosed reports. I highly suggest you take the time to monitor this (this Twitter bot makes that easy) and that you read these disclosures as often as possible as they come out. I have a lot of gratitude for the hackers who have published their reports over the years, as I have often picked up cool new techniques or ideas that I could apply.

I cannot overstate how important it is to be constantly learning as a bug bounty hunter and to challenge yourself to learn the concepts in other hackers' write-ups that you do not immediately understand. It's ok if you don't understand something at first. I certainly have not understood everything I have read over the years, and I often find myself reading blog posts several times so that I can understand them as well as possible.


Specialties

After you've gotten the hang of finding application security issues across a variety of attack surfaces, you might find that you tend to find specific types of issues, or that you gravitate towards specific areas. If that's not the case, that's okay! There are many areas you can specialise in once you have built some confidence and hopefully made some money through bug bounties.

My advice to you is to specialise in (i.e. become a master of) whatever you enjoy the most in bug bounties, while keeping an open, always curious and learning mind, so that you're always experiencing new things and understanding which security testing skills you enjoy working on.

In my bug bounty career, I have chosen to specialise in hacking IIS servers (with applications written in .NET/C#), source code auditing (almost any language) and recon. These specialties have taken a really long time to develop, but every time I found myself delving into these, it was because I was truly thrilled to learn more and become the best I could possibly be at them. Along the way, I have written many blog posts and made a few videos about some of these specialties.

You might be wondering what it takes to truly specialise in any given area of application security. My answer is that it requires a lot of study and time spent practicing what you have studied. With bug bounties, specialties can be practiced across a range of programs. The companies running bug bounties cover a wide enough spectrum of technologies and platforms to be the perfect battleground to progress your skills to mastery.

For example, my skills in hacking IIS web servers were mostly developed through hacking on bug bounty programs that use this technology heavily. Similarly, my source code auditing skills were developed by auditing vendor applications whose source code I would obtain after noticing them on attack surfaces.


Modesty, Fairness & Collaboration

If you think that the best bug hunters are hunting for bugs just because of the money, you're mistaken. Over the last ten years, every great hacker I have worked with in the bug bounty space has been hacking because they love hacking. Don't get me wrong, they are in it for the money as well (obviously), but you can tell that they have a deep passion and desire to break things first and foremost.

If you do find a lot of success in bug bounties and ultimately make a lot of money, I recommend you really reflect upon who you want to be remembered as in the community and how you can give back to the community. Having modesty is more powerful in the long term, and will allow you to build meaningful relationships with other people in the community.

Your modesty will not only be appreciated by fellow hackers, but also by the people around you who may not be as fortunate to make as much money as you do in bug bounties. I mention this because of the personal journey I went through myself, understanding that the amount of money you make should play no part in defining your identity.

There was a point in time where I used to tell everyone about the bugs I found and the payouts I received due to my own sheer excitement. Eventually, I found that talking about this was not always appropriate depending on the group of people I would be talking to.

On fairness in bug bounties, I suggest that you are incredibly upfront with those you choose to collaborate with about things like split percentages. Honestly, if you are someone who ends up crossing another person in the bug bounty space when it comes to collaboration, word spreads fast and people will refuse to work with you.

Unfortunately, throughout my 10 years of bug bounty hunting, while most collaborations have ended amicably and successfully, there have been a handful of scenarios where I have really regretted working with someone. These people are on my shit-list, and I never intend to work with them again regardless of how much money is on the table.

You can read a little bit about the ugly side of collaboration here, although I will say that 90+% of collaboration efforts have been successful for me. Once you have built trust by collaborating with someone, future collaborations with them become quite effortless.

When it comes to collaboration, it's critical to understand what a good collaboration looks like before you start finding people to collaborate with. Successful collaborations involve real substance (potential security issues, discoveries that require more work, problems that you have progressed through but are stuck on, an initial access point with the aim of further exploitation, a solid hunch about how vulnerable something may be) before you go to the other party and ask them for help.

The best bug bounty hunters are aware of the best hackers and their specialties and when to reach out to them for collaborations. You will eventually build relationships with people who you will find a lot of comfort in working with because of the elements of fairness and skill.

There are a few people in the bug bounty space that tend to ask for a lot of help for specific targets/applications they are auditing without actually wanting to collaborate with you or split any payouts, or are unfair when collaborating. You should be mindful of this, because if you choose to help, you're usually doing charity work, and the person asking for help will claim their successes as their own regardless of how much you helped them.


Harsh Realities

If you're new to bug bounties and you've submitted your first few bugs, you might be wondering why it's taking so god damn long for the bug bounty program to get back to you. This is where it is good to recognise the reality of bug bounties and accept these realities so that you can have better mental health in your bug bounty journey.

Bug bounty programs are swamped with submissions. Most of them invalid. Triage teams help with getting through this mess, but even then, a lot of security teams still take a lot of time to process your vulnerabilities. Getting a fix deployed for the vulnerabilities you report might take months. This means it might take months for your bug to be resolved and ultimately paid out.

Asking for constant updates simply does not speed up this process. When reporting bugs to bug bounty programs, I highly recommend you forget about the submission and start finding more bugs that you can report, immediately.

When the bug does get paid out (however long that takes), enjoy the endorphin rush and dopamine release. But instead of associating the reward centre in your brain with the payouts, associate it with the discovery of vulnerabilities. This is how you can truly enjoy the bug bounty lifecycle.

Some companies are better than others when it comes to rewarding bugs in a reasonable time frame. This can make it more enjoyable to hack on these programs. Personally, I love hacking on Uber's HackerOne program due to how quickly they remediate vulnerabilities and pay out for them.

Another harsh reality you should be prepared for is that programs may not see the risk the same way you do when you find and report a vulnerability. There is some room for discussion, but the decision on criticality and ultimately payout is up to the program owners. You need to accept this, and sometimes, it can be really fucked up, but there's usually not much you can do as a bug hunter.

My outlook on programs that treat hackers unfairly is to let others in the community know about your experience and refuse to work on them again. I maintain a shit list of programs that I refuse to work with.


Focusing on a Company

Something I suggest to those getting into bug bounties is to find a specific program that you want to focus on and become a master at understanding the assets on that program's attack surface, and the technologies and processes the program may employ.

Over the years, I have had many bug bounty programs where I have spent the time to become incredibly familiar with their way of developing and deploying things to the internet. This knowledge has been critical in discovering vulnerabilities on a continuous and consistent basis.

Becoming an expert at the development lifecycle and practices of a company from a blackbox perspective is a lot harder than it sounds, as it can involve 40+ hours of analysing the assets these companies own and the technologies and patterns they use, and then monitoring them continuously to build a picture of their attack surface in your mind.

Doing this will pay massive dividends, whether immediately or over time. Either way, you will find that studying a specific company and their ways is almost always a brilliant plan when it comes to finding vulnerabilities within them.
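The "monitoring them continuously" part is easiest to sustain if you keep a snapshot of what you know about each asset and diff it against the next one, so that a new host, a removed host, or an auth gate that quietly disappeared stands out instead of getting lost in a big recon dump. The script below is an added example, not code from the original post, and its two snapshots are constructed inline with placeholder hostnames (nothing here is a real asset of any program). It assumes you have already collected, per host, the HTTP status of GET /, the Server header and the page title; how you collect those is up to your own tooling.

```python
"""Diff two recon snapshots of one program's attack surface and rank what to look at first.

Added example (not from the original post). Snapshot data below is constructed;
the hostnames are placeholders, not real assets of any bug bounty program.
"""
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class Asset:
    host: str
    status: int   # HTTP status of GET /
    server: str   # Server response header, as observed
    title: str    # <title> of the response body, empty if none


# Constructed "last week" snapshot (hypothetical hosts).
SNAPSHOT_OLD = {
    "www.example-program.test": Asset("www.example-program.test", 200, "nginx", "Home"),
    "api.example-program.test": Asset("api.example-program.test", 401, "Microsoft-IIS/10.0", ""),
    "legacy.example-program.test": Asset("legacy.example-program.test", 302, "Apache", "Redirecting"),
}

# Constructed "this week" snapshot: api lost its 401, legacy is gone, staging is new.
SNAPSHOT_NEW = {
    "www.example-program.test": Asset("www.example-program.test", 200, "nginx", "Home"),
    "api.example-program.test": Asset("api.example-program.test", 200, "Microsoft-IIS/10.0", "Swagger UI"),
    "staging.example-program.test": Asset("staging.example-program.test", 200, "Microsoft-IIS/8.5", "IIS Windows Server"),
}


def diff_snapshots(old, new):
    """Return added hosts, removed hosts, and per-field changes on hosts present in both."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = []  # (host, field, before, after)
    for host in sorted(set(old) & set(new)):
        before_asset, after_asset = old[host], new[host]
        for f in fields(Asset):
            if f.name == "host":
                continue
            before, after = getattr(before_asset, f.name), getattr(after_asset, f.name)
            if before != after:
                changed.append((host, f.name, before, after))
    return {"added": added, "removed": removed, "changed": changed}


def prioritise(diff, new, watch_servers=("Microsoft-IIS",)):
    """Rank hosts from a diff by how many reasons there are to look at them first.

    Reasons: brand new host; an auth gate (401/403) that became a 200; a changed
    title (new app deployed); or a Server header matching a technology you specialise in
    (watch_servers is an assumed knob, defaulting to IIS as in the post's own specialty).
    Returns a list of (host, [reasons]) sorted with the most interesting host first.
    """
    reasons = {}

    def note(host, why):
        reasons.setdefault(host, []).append(why)

    for host in diff["added"]:
        note(host, "new host")
    for host, field_name, before, after in diff["changed"]:
        if field_name == "status" and before in (401, 403) and after == 200:
            note(host, f"was {before}, now 200: auth gate may be gone")
        elif field_name == "title":
            note(host, f"title changed: {before!r} -> {after!r}")
    touched = set(diff["added"]) | {c[0] for c in diff["changed"]}
    for host in touched:
        if any(new[host].server.startswith(s) for s in watch_servers):
            note(host, f"runs {new[host].server}")
    return sorted(reasons.items(), key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    d = diff_snapshots(SNAPSHOT_OLD, SNAPSHOT_NEW)
    print("added:", d["added"])
    print("removed:", d["removed"])
    for change in d["changed"]:
        print("changed:", change)
    for host, why in prioritise(d, SNAPSHOT_NEW):
        print(f"{host}: " + "; ".join(why))
```

In practice you would persist each snapshot (a JSON file per run is enough) and run the diff after every recon pass; the value is in the delta, not in the full list. Removed hosts are worth a note too: an asset that disappears from DNS but still has a CNAME to a third-party service is its own class of finding.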


Avoiding Burnout

If you do decide to get into bug bounties and want to understand the realistic workloads required to achieve success, I recommend you read my previous blog posts High frequency security bug hunting: 120 days, 120 bugs and Hacking on Bug Bounties for Four Years.

Over the years, I have participated in bug bounties in my free time, and also full time for about a year. There were different strategies that needed to be deployed in both scenarios in order to avoid burn out.

I have not always been successful in avoiding burnout, but over time I have started to understand what leads to burn out and how to avoid it in the first place. I have also come to respect what my brain and body want to do at any given time. If the answer is not hacking/bug bounties, you better believe I won't be pushing myself to do something I do not truly want to do.

These days, I follow a pattern where I hack for a few weeks at a moderate intensity (6-10 hours / day, 5-7 days a week) and then take a break for a month, until I feel like I want to do bug bounties again, or if something interests me.

If you start sensing that you are burning out, the worst thing to do is try and push yourself to work harder and longer. When experiencing burn out, stop doing what you're doing and spend some time decompressing. For me this typically involves lying down and listening to my favourite music, or watching some TV shows. It's important to give your brain a real opportunity to rest and reset. Respecting your brain and body will lead to long term success.


Live Hacking Events

Almost all the bug bounty platforms these days run Live Hacking Events. Each has selection criteria that it uses to decide which hackers get invited. You can read about HackerOne's selection criteria here: https://www.hackerone.com/community-blog/live-hacking-event-invitations-2022-guide.

These live hacking events are absolutely fantastic. They give you an opportunity to connect with the most skilled hackers in the world and at the same time you can make a decent amount of money from payouts at these events.

My advice to any bug bounty hunters who get invited to live hacking events is to spend a lot of time preparing as soon as the targets are announced, and to be persistent and diligent with your testing. Brainstorm exploitation vectors that may affect your target and pursue each idea to the very end before moving on to the next one.

Live hacking events often involve an intense amount of competition and pressure, but remember that at the end of the day, the goal is to secure the company you are collectively attacking, one security vulnerability at a time.

Collaboration is rife at live hacking events (in a good way), and you should not be afraid to share everything you have been working on with other people at live hacking events (given you are open to receiving help in the form of collaboration). This will often lead to scenarios where other hackers at these events help you complete exploit chains.

Bugcrowd, Intigriti, Yogosha and YesWeHack also run live hacking events. Being a good bug bounty hunter on any of these platforms can greatly increase your odds of being invited to these live hacking events.


Giving Back

If you do end up being successful at bug bounties, my biggest wish and desire is that you choose to give back to the community. Whether that comes in the form of blog posts, tweet threads, videos or podcasts, what makes everyone collectively better hackers is the progression of our industry and art through contributed content.

Over the years, I have made a conscious effort at writing blog posts and making videos to give back to the bug bounty community. It always makes me happy to see new people entering our space and giving back to the community.

I hope that the competitiveness of this industry does not discourage you from sharing information. While it is true that we are in a competitive space with bug bounties, sharing information is much more powerful than money and you will realise this once you see the opportunities it creates for you from a career perspective and also a collaboration perspective.

A lot of the opportunities I have been afforded in my life have only been possible due to the open-minded nature in which I produce and distribute knowledge to people. I am grateful for this and I believe this will apply to others if they employ the same level of transparency and braveness in sharing knowledge.

I am pretty sure that most successful people in the bug bounty space have a story about how they read a writeup or blog post that made them a better hacker / security tester. We need this culture to continue in our industry, even though bug bounties are inherently competitive.


Conclusion

I hope this blog post gives you insight into what being a bug bounty hunter involves and requires. As I mentioned at the beginning, this post is less about the technical elements of being a successful bug bounty hunter and more about the soft skills and mentality you will need to be successful.

This blog post discusses some of the challenges I have had along the way and how I have dealt with them. Most bug bounty hunters I know will probably read this blog post and agree with most of the learnings as they would have found themselves in a similar position.

The whole point of this blog post was to give people a heads up about what being a bug bounty hunter entails, and to provide this advice without having you make the same mistakes we all did along the way.

If this blog post helped you, please tweet @ me on Twitter. Hearing about it will keep me motivated to write more.