Hackers are having a moment. As high-profile breaches have become the norm over the last few years, more and more enterprise organizations have turned to bug bounty programs. As a result, the idea of hacking for good has finally begun to resonate with the general public. This rise in popularity has inspired many, from aspiring hackers to seasoned security professionals, to join the hunt and seek out bug bounty programs to “hack on”.
As an information security professional by trade and a hacker by heart, I’ve had years of experience hacking for good. From my days as a penetration tester and security leadership roles at HP Fortify, Redspin and Citrix to hacking on bug bounty programs of all sizes, I have spent my life hacking for good – much of this experience has been hacking on bug bounty programs.
The beauty of the bug bounty model is it brings together security researchers from all different walks of life, allowing organizations to leverage talent from around the globe – something that would be nearly impossible otherwise. Security researchers range in experience – from students just learning about security and hacking to some of the world’s top security talent.
Bug bounty programs are great not only for newbies to get familiar with security testing but also for industry pros to stay up-to-date on their skills or earn some cash on the side. But what does it take to be a successful bug hunter? We asked some leading bug hunters for their thoughts and here’s what they had to say:
Mongo, a researcher based in Portugal, says “For those who have not yet started on bug bounties: dive in, you will find bugs and it will be worth your time. I often talk to people that think public bug bounties are not worth their time because ‘all the bugs have already been found’. I assure you that is definitely not the case!”
Cdunham a researcher based in the United States says patience is key. “It can take time to really learn the application and the better you understand how the application works, and how a normal user is intended to use the application, you start to get a feel for where the more interesting things are.”
Practice, practice, practice
If you’re looking to practice, there are a number of free resources available to those looking to hone their skills and understanding of web application testing. These resources usually come as downloadable applications and virtual machine images, which contain intentionally vulnerable applications for testing against.
Researcher Vishnu_vardhan_reddy of India suggests that new researchers “test on kudos-only programs in their initial stages, so that they get experience with real websites and increase their ranks in the respective platforms leading to private invites.”
Do your research on the company
Darkarnium, a researcher in Canada, says it’s important to do a bit of due diligence on a company before hacking in a program. He says, “LinkedIn profiles, company ‘careers’ pages and public mailing lists are your friend! If you want to know what you’re likely to encounter in a given stack, see what sort of developers, q.a. and operations skill-sets a company is employing.”
Don’t be afraid to ask questions
Nijagaw, a researcher based in England, advises to simply “Ask questions.” The security community is filled with helpful, experienced researchers who can lend you a hand. Whether you get involved with online communities or local in-person meetups, Nijagaw says “there are cool people out there that could help you. Ask and you shall receive.” Continuous learning and meeting like-minded people is important to share ideas and knowledge.
Gain a lay of the vulnerabilities land
Researcher Mico, based in the United Kingdom, says “read vulnerability write-up’s from other researchers and try to learn from them.” These write-ups provide a lot of detailed information pertaining to what the researcher found, how the vulnerability was discovered and how it could have been exploited. Additionally, “use twitter to connect to other researchers and follow them. It’s usually a great resource to find out about vulnerabilities. And finally, share your knowledge when you come across fun bugs!”
Let your curiosity guide you
When it comes to security research, you have countless options for how to contribute. So let your curiosity guide the path forward. You may choose to spend your spare time participating in Capture The Flag (CTF) competitions, burning the midnight oil hacking away at bug bounty programs or even delving deeper into research in new areas outside of web applications.
When looking for new attack-vectors, try to see whether you can persuade an application into doing something it perhaps wasn’t designed to do; for better or for worse. Fuzzybear, a researcher based in the United States, says “never ignore that ‘wait this doesn’t look right’ feeling. Keep poking at it! When you find a vulnerability, spend some time playing with it and learn from what you find. There is always something unique about a specific vulnerability that could be useful to know in the future.”
Submit clear, comprehensive reports
Being a white hat hacker requires more than a good knowledge of vulnerabilities and engineering. You also have to communicate clearly with vendors. Justinsteven from Australia, says “once you’ve fleshed the bug out, write a great report – don’t let your awesome bug be let down by a two-minute ‘it’ll do’ submission. Make it shine. A good bug reported poorly is a poor submission. Punch out a report that’ll be shown to management as justification for the program’s expenditure.” Not only can a clear and comprehensive report can help the program owner investigate and fix the issue faster, but it can increase your chances of getting a higher reward.
Keep on hunting!
For those who like being creative and “thinking outside the box”, bug bounty programs provide the perfect opportunity to hone hacking skills and make some money (or maybe even a full time job). While hacking requires quite a bit of problem solving, it’s also about communication, patience and staying calm under pressure.
Throughout it all, aim to have a student mindset: Ask questions, network with other researchers, share knowledge, pursue training and certifications, and practice, practice, practice. Follow the advice of these industry experts and you may just find a long-term career in cybersecurity.
Jason Haddix, Head of Trust and Security at Bugcrowd
Image Credit: Andriano.cz / Shutterstock