Today, I would like to share some useful bug bounty blog posts and methodology.
Firstly, let’s talk about what a bug bounty is.
A bug bounty is a reward given to the person who has found and identified an error or vulnerability in a computer system, network or web application.
1. Targeting the Bug Bounty Program
Bug hunting is a matter of skill and luck. Spending just a few hours on a program is likely to be a waste, because the bugs you find that quickly have mostly been reported already. You may end up getting discouraged by duplicates, so I would suggest picking a program and spending at least a week on it. Big bugs take time. Take your time to understand the functionality of the application, keep writing notes and keep track of suspicious endpoints.
You are not going to earn much for a known issue unless you are very early to report it. If you find out about a public program 10 to 12 hours after its launch, don’t waste your time looking for known issues or low-hanging fruit. Just take a deep dive into the application.
2. How Do You Approach the Target?
If the answer is just signing up at the target and checking for vulnerabilities like CSRF, XSS, subdomain issues etc., that could be the reason you end up with many duplicates or no bugs at all. I would suggest first checking their documentation. Recon the target. Understand the functionalities and privileges of the users in the target. Do recon, check their docs and gather information for at least 1–2 days before you start attacking.
3. Don’t Expect Anything!
We believe the most common thing bug hunters do after reporting bugs is to start expecting the upcoming reward amount. Don’t expect anything; just close the report and start looking for other bugs, because expectations can end up making you sad.
If you set yourself the mindset that you are going to hunt bugs in a matter of hours or a single night, that may or may not work every time. Instead, you could adopt a mindset like “I’m going to hunt bugs for the whole week; let’s just keep a target of $100”. Believe me, you will end up making 10x the target amount by the end of the week and the result will be a happy one.
Some high-severity bugs may be rewarded with low or average bounties. Don’t shout at the program; just ask politely what the reason for the bounty decision might be. More importantly, be happy and thankful to yourself for what you found.
Try to accept this: “Sometimes we may get unexpected rewards for small issues, so we should also accept smaller amounts for high-severity issues as well.”
4. Too Little Knowledge about Vulnerabilities and Testing Methodologies
5. Surround Yourself with the Bug Bounty Community to Keep Yourself Updated
Source: Rules of bug bounty