Who is a bug bounty hunter?
A hacker who is paid to find vulnerabilities in software and websites.
Anyone with computer skills and a high degree of curiosity can become a successful finder of vulnerabilities. You can be young or old when you start. The main requirement is that you need to keep learning continuously. Also, it's more fun to learn if you have a buddy to share ideas with.
Here is how I started security hacking.
Submit valuable and easy-to-understand bugs
Quality over quantity. A remote code execution on a production system is a lot more valuable than a self-XSS, even though they're both security issues. Enjoy the thrill of the hunt for a super severe bug. Also, successful hackers spend a lot of time describing the issue as clearly as possible. Get to the point and don't introduce unnecessary (reading) overhead for the company (extra verbiage also reduces responsiveness of the company you’re submitting the report to). Finally, successful hunters read the program policy before they start looking for vulnerabilities.
Earn and show respect
Gain respect by submitting valuable bugs. Respect the company’s decision on the bounty amount. If you disagree with the amount they decided to award, have a reasonable discussion about why you believe it deserves a higher reward. Avoid situations where you ask for another reward without elaborating why you believe you deserve more. In return, a company should respect your time and value. They do this by awarding bounties, being responsive and transparent, engaging you in the discussion for the fix, and asking you to test the deployed fix. Being communicative and reasonable pays off: Successful bug bounty hunters receive tons of job offers.
Do your homework
If you’re not comfortable with the basics, get more comfortable. I found it really helpful to have a good understanding of protocols like IP, TCP, and HTTP and to take a few (web) programming courses.
Most bug bounty programs are focused on web applications. To become a successful bug bounty hunter on the web, I'd suggest you check out the following resources:
Take a look at the publicly disclosed bugs on HackerOne
Check out the Google Bughunter University.
Paired Practice
If you’re lucky enough to have a hacker buddy, try what worked amazingly well for me. My friend and I would write small, vulnerable programs and challenge each other to find the hidden vulnerabilities. Find someone who challenges you and use what you learned from their challenges to find awesome bugs on real targets in the wild.
Bug hunting is one of the most sought-after skills in all of software. It’s not easy, but it is incredibly rewarding when done right. Like writing code, keep in mind that it takes persistence, a lot of feedback, and determination to become a successful bug bounty hunter.
Must check out
http://www.facebook.com/bugbounty
And
http://www.facebook.com/whitehat
HOW MUCH DOES A BUG BOUNTY H#CKER EARN?
1. BATTLEHACK 2015
Languages: C++, JavaScript (as Node.js)
Bounty: $100,000 USD (1st Prize), Xbox One (2nd Prize), Adafruit ARDX (3rd Prize)
This mega-event is sponsored by IT giants such as PayPal, Twitter, Braintree and more. The first prize is a whopping $100,000 USD plus the “Ultimate Hacker” title.
------------*****-------------*****-------------
2. FACEBOOK WHITEHAT PROGRAM
Languages: C++, PHP, D, Java, Python (Server-side); JavaScript (Client-side)
Bounty: $500 USD (Minimum), No Pre-Determined Maximum
The world’s largest social media platform has a welcoming approach to researchers and ethical hackers.
All the researcher has to do is report the bug and wait for the website's bounty team to respond to the finding. While the minimum reward is $500 USD, there is no pre-determined maximum sum.
------------*****-------------*****-------------
3. GOOGLE VULNERABILITY REWARD PROGRAM (VRP)
Languages: C/C++, Java, Python, Go (Server-side); JavaScript, Flash (Client-side)
Bounty: $100 USD (Minimum), $20,000 (Maximum)
Google is arguably the most dominant force on the web today.
Google gives extra importance to widely exploited vulnerability classes such as SQLi, XSS, CSRF and Remote Code Execution. Researchers who find flaws that meet the security team's requirements get full recognition and are inducted into the company’s Hall of Fame.
Participants in Google’s bug-hunting program should ideally create an account on bughunter.withgoogle.com, a dedicated dashboard that assists with ranking of the detected flaws. Researchers without a profile on bughunter.withgoogle.com cannot be featured on the 0x0A and honorable mentions list (Hall of Fame) of the program.
------------*****-------------*****-------------
4. YAHOO BUG BOUNTY PROGRAM
Languages: JavaScript, PHP (Server-side); JavaScript (Client-side)
Bounty: $100 USD (Minimum), $20,000 (Maximum)
Just like with Facebook, Yahoo has its own security team that accepts vulnerability reports from security researchers and ethical hackers. The findings need to be related to the Yahoo and Flickr applications to be eligible for the bounty. The minimum reward on offer is $50, while the maximum ceiling currently stands at $15,000 USD.
Yahoo’s security team responds to all legitimate security reports within 30 working days.
------------*****-------------*****-------------
5. MOZILLA BUG BOUNTY
Languages: C++, JavaScript, C, CSS, XUL, XBL
Bounty: $500 USD (Minimum), $3,000 (Maximum).
------------*****-------------*****-------------
6. WORDPRESS SECURITY BUG BOUNTY PROGRAM
Languages: PHP, MySQL
Bounty: $100 USD (Minimum), $1,000 (Maximum)
------------*****-------------*****-------------
7. THE CHROMIUM PROJECT
Languages: C++
Bounty: $500 USD (Minimum), $15,000 (Maximum)
The Chrome Reward Program was inaugurated in January 2010. It pays a bounty according to the severity of the vulnerability and also gives public recognition for the efforts of WhiteHat hackers. The monetary awards for recognized flaws range from $500 USD to $15,000 USD.
------------*****-------------*****-------------
8. SAMSUNG SMART TV SECURITY BOUNTY PROGRAM
Languages: Tizen, Android
Bounty: $500 USD (Minimum), $3,000 USD (Maximum)
------------*****-------------*****-------------
9. AVAST BUG BOUNTY PROGRAM
Language: C++
Bounty: $400 USD (Minimum) – $10,000 or More (Maximum)
Avast is a widely recognized anti-virus company providing security solutions for Windows, Mac, Android and Linux users. But even their application is not vulnerability-free. Avast has designed a process to reward ethical hackers and security researchers. All bugs, preferably in encrypted mail form, can be submitted to bugs@avast.com.
Avast defines remote code execution vulnerabilities as the most critical class of bugs; these can earn a bounty of $10,000 USD or above.
------------*****-------------*****-------------
10. MICROSOFT – ONLINE SERVICES BUG BOUNTY PROGRAM
Languages: ASP.NET
Bounty: $500 USD (Minimum), Maximum Not Pre-Determined
Microsoft’s latest bug bounty program was officially inaugurated on 23 September 2014 and deals exclusively with Online Services.
Microsoft has paid over $300,000 USD worth of bounties so far. It also gives ethical hackers the option to donate the bounty to approved charity organizations.
------------*****-------------*****-------------
11. GITHUB SECURITY BUG BOUNTY
Languages: Ruby
Bounty: $100 USD (Minimum), $5,000 USD (Maximum)
GitHub is the world’s largest web-based code hosting service, used by developers all over the world, mostly for their open-source projects. It currently has around 3.4 million users with over 16 million repositories.
It’s safe to say that bug bounty programs are gaining steam. Google recently announced that it has shelled out over $4 million in prize money, while introducing its new bounty programs for Android and iOS applications. The highest bounty paid to a single person so far is $150,000 USD, with the researcher also accepting an internship in the company.