So I have been putting this off for a very long time, mainly because I hate to write and always think that I truly suck at it. However, I am finally motivated to get this online, and I will hopefully keep it pretty updated with new posts as often as I can manage.
This first post isn't going to be anything spectacular. It's just going to be a generic/basic intro to bug bounties, answering many of the questions that I receive in my DMs on a daily basis. So hopefully this will be at least of some benefit for whoever ends up reading this.
Where should I start?
This is probably one of the questions I am sent the most (next to "how do I find criticals?" lol). Generally my response to this question will always be the same. A very good starting point is going to be checking out things like the Bugcrowd Level Up talks (they do them at least once a year, and have for the last couple of years), the HackerOne-backed site Hacker101, reading all disclosed reports on HackerOne, reading as many blog posts as you can find on anything bug bounty / hacking related, and, the biggest and most important, actually jumping into it and starting to hack. Hands-on training in this field is very important, and should help you understand pretty quickly whether you are going to be able to do this. Nahamsec has also been doing a lot of awesome work streaming on Twitch at https://twitch.tv/nahamsec that can be a gold mine of information whether you're new to the bug bounty game or a veteran.
How to pick my first program?
When it comes to picking a program to start there are several things to consider. The first, and most important, is picking a program that employs the kind of stack / architecture you may be familiar with, or have a desire to learn and attack.
Next you are going to want to consider the scope. When I look at a program to decide if I want to spend any time on it, I look for programs with either large scopes (such as wildcard domains, and the more domains the better) or with web apps that are very complex. I personally love huge scopes, since it kind of helps to spread out the researchers a bit. A program like Verizon Media, which has a huge scope, may have a lot of people looking at it, but there is so much there that the odds of you finding something that others have overlooked or flat out not even found yet can be pretty good. I also love the complex web applications with multiple user levels, org types, etc., because these can be very hard to properly secure, and can be riddled with Priv Esc vulns and IDORs.
I generally suggest that people target something like the US DoD VDP program as their first program. While this program is unpaid, and I am generally a very big opponent of "free bugs", the DoD scope is massive, employs just about every technology that has ever been written for the web, and can generally be pretty responsive to reports. Even though you won't be paid for these bugs, it can help you learn a lot, earns you reputation to get invited to other private programs, and can end up getting you invited to some of the paid private programs that the DoD runs every so often. (The payments on these programs more than make up for the non-payment on the VDP program.)
Who can be a good bug bounty hunter? What kind of experience do I need?
Just about anyone can be a bug hunter, though not everyone (in fact a very small portion) will be super successful. But many people can do enough to easily supplement their current income and add extra bonus cash. If you have the ability to look at a web application and think of ways to break it, then you can give it a shot. For some people it can be a very slow start to the process, and others will start finding bugs right after they begin. A very important thing to remember when doing bug bounties is to not get depressed / upset if it takes you longer to find valid bugs. Not everyone is going to find bugs every time they sit down to hack, and it's very common to go days, weeks or even months without finding bugs. Don't compare your own successes or failures to others', because as with anything else, there will always be someone better than you, and others worse than you. So setting your own goals and working to achieve them can be very important.
What programming languages do I need to know?
As mentioned before though, none of this is a requirement, and knowing or not knowing any certain language will not automatically make you more or less successful in bug bounties. The best advice here is to basically find things you feel comfortable with and have interest in, and start learning them.
Will I mentor anyone?
This is a very common question, and as much as I would love to be able to commit to doing this, I just never have the motivation or the time to actually do it. This does not mean I will not still answer questions for people, but as always, I prefer when questions are asked publicly on my Twitter, so that others can see the replies and potentially learn as well.
Who have I hacked with / learned the most from?
Hands down I have learned the most from Mark Litchfield (BugBountyHQ), Ben (Nahamsec), Ziot (Bbuerhaus), and Sam Curry (zlz). Together these guys have found some amazing bugs, and have always been extremely helpful when I have had problems getting a bug to work. I highly recommend following them.
This covers a lot of the questions I receive on a daily basis. While this post isn't much, and doesn't offer any exciting new hacking techniques, I promise more will be coming. I currently have a thread on Twitter asking what other topics people would like me to blog about, and I will pick one of the topics posted to the thread to do the next post on over the next couple of days or a week.
As always, if you have a question, feel free to send me a Tweet, and I will do my best to reply to any Tweet sent and offer any assistance that I can on anything asked. (Just don't ask for disclosures on Verizon Media, since I cannot disclose any of my reports on their programs as of yet.)