Confessions of a (for Now Not So Successful) Bug Bounty Hunter

by Vuk Ivanovic

Yes, folks, I did it, and I'm still doing it.

And here's my sort of a review of the whole thing and hopefully it will be useful for those of you who are interested in joining the fun, and for those who are already doing it, well, do some neck stretches because you'll be nodding throughout this text.

I hope to shed some light for newcomers, but I'm positive that the "veteran" bug bounty hunters will find it an interesting read as well.

So, the bug bounty.

That seems to be a new big thing, or rather not that new, but it's still big.  Some may say it's getting bigger.  New familiar names are starting their own bug bounty programs and it's been good for them, well, if they happen to agree with the bug report, unlike Yahoo!, and we all know what happened to them.

I started with it relatively late.  What got me into it was the recent report about how some folks got a nice chunk of change for their efforts.  And, being a freelancer, I always need more work/money.  What I learned from this undertaking is that:

  1. You need to have a good machine, preferably a monster of a machine.
  2. You need to have enough money to cover expenses for up to three or four months, if not more depending on a variety of factors.
  3. Don't quit the day job, not yet.

On to the fun.

Regarding point No. 1, it's true that you can get a lot of money by using a low-end smartphone, as long as it has the latest Firefox/Chrome/etc. on it.  In some cases, the web page is pretty simple, not too many images to load or even content, but enough parameters in the address bar to throw in some XSS/SQL injection "attack" strings and see what happens.

The larger problem arises when you really want to get into it: when you start using various tools like Nmap, dirb for brute-forcing directories/files, and then Burp Proxy (the free version, or Pro if you can afford it) for intercepting requests, using Repeater, the web crawler, etc.

Combining all that with Firefox and Chrome, and of course, many many many tabs open in both, with the fact that you may want to be using something like Kali in a virtual machine, well you see where I'm going with this.

And then there's just basically using your computer as you would any other time, when you want to take a break from bug hunting but don't want to close all the programs.  All of that will slow everything down.  Imagine: you're looking through some website, and suddenly you get an idea to try this and that, so you hurriedly go to open a VM with Kali, and you want to run a few tests in Firefox/Chrome with Burp Proxy intercepting the requests, but instead of flying through it you end up with some turbulence (and sometimes even a crash or two), like waiting ten minutes for the VM to load (not to start it; it's started, but you haven't used it for a couple of hours, maybe because you went to have lunch or to sleep, or simply to take a break from it).

You figure, O.K., while that's "waking up," I'll jump over to Firefox to try a few things, and instead the Firefox window takes time to restore, then the page takes extra time to load or another tab to open, and Burp Proxy takes some time to show the intercepted request.

All-in-all, it's a thing that makes you want to smash everything, and/or tear your hair out in frustration.  That's something that you won't find in the articles about bug hunting, especially in those where the emphasis is on how much money some folks are making on a monthly basis.

So, personal experience with an Intel Core i3 laptop with 8 GB of RAM is that it can be used to go bug hunting, but depending on the target, and if I'm going for low-hanging fruit, it can be smooth or it can throw me back to the time when I tried playing video games meant for stronger machines on a weak one.  While I was able to get used to it back then, that's the past.

On to point No. 2, if you are still interested...

This one, well, this is another one that I haven't read in any articles (at least no one complained about it), but I have experienced it myself, and after looking around, I'm not the only one.

When it comes to the payouts, it's great if you were lucky enough to stumble upon something huge - think Remote Code Execution (RCE) or basically anything that's an immediate compromise of the websites' users/admins, or the server itself.

For those who are reading this and aren't sure which is which: XSS is a nice thing to find, and a serious bug, especially if it's a stored XSS as opposed to a reflected one, but it requires an unsuspecting victim either to follow a crafted link (in the case of reflected XSS) or simply to land on the affected page (in the case of stored XSS, where the payload lives on the server and fires for every visitor).

Clearly, the stored version is closer to immediate compromise, but it's not as immediate compared to, for example, uploading a reverse shell or using XXE to read /etc/passwd, etc.
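The reflected/stored distinction above, and the "throw attack strings into the parameters and see what happens" approach mentioned earlier, as an added example (my code, not the author's, and not any real target): a toy search page and comments page in plain Python, each in a vulnerable and a hardened form, plus a probe that drops a canary into every query parameter of a URL and reports which ones come back unencoded.  The `render` callback stands in for issuing an HTTP request so this runs offline; `https://example.test` and every function name here are made up for the illustration.

```python
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Probe string: closes an attribute and a tag, then injects an element whose
# event handler fires on load. If it comes back from the server byte-for-byte,
# nothing between the parameter and the page is encoding output.
CANARY = '"><svg onload=alert(1)>'


# --- Toy application (constructed for this example; no real site) ----------

def search_vulnerable(query):
    """Reflected XSS: the 'q' parameter is echoed into the HTML unescaped."""
    return f"<h1>Results for {query}</h1>"


def search_fixed(query):
    """Same page with the value HTML-encoded at the point it enters markup."""
    return f"<h1>Results for {html.escape(query)}</h1>"


def post_comment(store, text):
    """Persist a comment; `store` stands in for the site's database."""
    store.append(text)


def comments_page_vulnerable(store):
    """Stored XSS: every later visitor receives the raw stored text."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in store) + "</ul>"


def comments_page_fixed(store):
    """Encoded on output, so the payload is displayed as text, not executed."""
    return "<ul>" + "".join(f"<li>{html.escape(c)}</li>" for c in store) + "</ul>"


# --- Hunting side ---------------------------------------------------------

def probe_reflection(url, render):
    """Put CANARY into each query parameter in turn and return the names of
    those whose value is reflected unencoded.

    `render` maps a dict of query parameters to the response body; it stands in
    for the HTTP request so the example runs offline.
    """
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    reflected = []
    for name in params:
        body = render({**params, name: CANARY})
        if CANARY in body:
            reflected.append(name)
    return reflected


def reflected_attack_url(url, param):
    """Build the link a reflected-XSS attack depends on: the victim must click
    it, because the payload lives in the URL and nowhere on the server."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params[param] = CANARY
    return urlunsplit(parts._replace(query=urlencode(params)))


def query_param(url, name):
    """Decode one query parameter back out of a URL (used to check the link)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True)).get(name)


def stored_attack_hits(store, page):
    """Model the stored case: plant the payload once, then check what a later
    visitor (who clicked nothing) gets from the page."""
    post_comment(store, CANARY)
    return CANARY in page(store)


if __name__ == "__main__":
    target = "https://example.test/search?q=shoes&page=2"  # hypothetical URL
    print("reflected in:", probe_reflection(target, lambda p: search_vulnerable(p.get("q", ""))))
    print("after fix:   ", probe_reflection(target, lambda p: search_fixed(p.get("q", ""))))
    print("victim link: ", reflected_attack_url(target, "q"))
    print("stored, vulnerable:", stored_attack_hits([], comments_page_vulnerable))
    print("stored, fixed:     ", stored_attack_hits([], comments_page_fixed))
```

In real hunting `render` would be an HTTP client call, and a canary coming back intact is evidence to investigate, not proof: whether it executes depends on where it lands (HTML body, attribute, script block, URL), and `html.escape` is the right fix only for the first two of those contexts.  The stored case is what makes the difference the text describes: the probe against the search page finds the bug, but the comments page needs no link-clicking at all once the payload is planted.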

Now, if you weren't that lucky, and therefore you "only" found a reflected XSS or similar, well, here's where you say to yourself (after not receiving a reply for a day or two), I'm sure glad I didn't quit my day job, and I'm sure glad I wasn't counting on paying my rent/bills/etc. with the money from the bug bounty.

Here's a tough one.  You wait, and you wait, and, if you're lucky, you get a reply that the bug isn't a duplicate and that they haven't just yanked the target out of the scope (yes, that has happened to me, twice so far).  The in-scope/out-of-scope part is cleverly covered in the agreement by probably every reputable bug bounty program.  As far as I know, it's not an everyday thing, mostly because it would ruin their reputation if it were the case, but just giving all you prospective bug bounty hunters a heads up.

Here we go to the most wonderful portion, and that is everything worked out fine, and even after waiting for a week or more, they decided it's a valid bug, and then after a week or two they paid you.  All is great, right?

Gotcha!  Yes, all is all right, depending on whether or not you find yourself in point No. 3.

There are mental hang-ups that some of you may have to face, especially if you ended up with something like $3000 and you expected less than $1000.

In fact, you just wanted to give it a go, and to see how the process worked.  You wanted to find some small bugs for maybe even just $50, and to see how the payment processing would work, etc.  Some of you may find that after having found some duplicates here and there, you'll start hitting the wall and you'll wonder if that $3000 bug was all that you could find, and you'll wonder whether it was luck or brains, or a combination of the two.

At this point, you'll find yourself being affected by point No. 1 more than you thought possible, but sadly that $3000 had to go to more urgent matters than a better machine.

Point number 1 is point number 1 for a good reason.  Depending on your current machine, just go for something, literally anything.  In fact, go crazy, go randomly.  Just open a Firefox and Chrome browser, and think to yourself that you want to find a cure for cancer, and go Google medical books, and check YouTube for free lectures, and while you're doing that, switch to thinking about AI and neural networking, and start looking for that, but expect all the results, all the videos, all the articles and images to load immediately.  If any of it doesn't load fast enough to satisfy your immediate thirst compared to simply grabbing a drink from the fridge, you'll know exactly how one might feel when it comes to hunting bugs with a somewhat inferior machine.

In conclusion, this "confession" wasn't about chasing people away from bug bounty.  It was an additional perspective from someone who sometimes feels like a fraud.  If you're like me, you've probably read a bunch of bug bounty reports, and you've probably stumbled upon a few of those where the person in question started their blog post with something along these lines: "So, I needed some money because my vacation time was near, and decided to see what I can find on Pornhub because they have a bug bounty program that pays well" and similar.

And then they proceed to go into details and they finish with how much they got awarded.  Well, all that isn't impossible, it's just not something that anyone should count on compared to a weekly/monthly paycheck.  Many poker players, the pros, will say that they turned it into a full-time job many many many years later, after they've figured out how to always have money for rent/bills/food etc. while playing the game.  Keep that in mind.

But I'd hate to end this without pointing out some great things that you'll be forced to deal with if you choose this path.

On to the real fun:

Happy bug hunting!

P.S.  Don't lose sight of the fun that is hacking by only hunting for bugs where the rewards are high.
