HackerOne/BugCrowd bug bounties

I've been doing (or trying) some bug bounties on my free time during the past few months. I found one on a Microsoft site last month on which they acknowledged me today for the month of March

https://technet.microsoft.com/en-us/security/cc308589.aspx and another one on which I can't mention yet to respect their NDA since it hasn't been patched.

So I was wondering if anybody here is in to that stuff and doing some bounties on HackerOne and/or BugCrowd. I was thinking we could help each other out with a few tips and tricks.

Find more posts tagged with

Comments

the_Grinch

First off congratulations!!! Job well done! I've been looking into doing this type of work as a side gig. Out of curiosity, what's your background? Did you feel the OSCP and EJPT were helpful in this arena?

JasminLandry

I've been working as a sysadmin for about 4 years until 2 months ago when I got my first job in security. I do feel like the OSCP has helped but not a lot. Finding bugs in real world web applications is way harder than finding vulnerabilities in the OSCP labs. The PWK course doesn't go deep enough in web application testing, you'll only learn the basics. I've read articles and seen videos where bug hunters make 100K-200K/year on bugs only. So there's a lot of money to be made doing this, but it also takes a lot of time. I started off on openbugbounty.org where you can report bugs on any website on Internet and OpenBugBounty takes care of notifying the company. I've found 47 bugs on there and only a handful came back to me, and it's not rewarding so I decided to look in HackerOne and BugCrowd.

NetworkNewb

I think those definitely look interesting. Something I may try next year. Next year might be time for OSCP. We'll see...

Pretty cool on getting acknowledged btw!

JasminLandry

Cool, good luck on the OSCP. As you probably have noticed it already, there are a ton of threads on it that you can read.

TheFORCE

How much have you made so far doing this?

Correct me if I wrong but in order to find a bug or a vulnerability, dont you have to really try to exploit a web app or a system? How does this work? You get permission by the company to let you do your bug hunting?

JasminLandry

I have made a big 0$ until now, but I just started and I consider myself a beginner with a lot to learn so hopefully I'll get my first bounty sooner rather than later.

Every program has their own set or rules so if for example I'm working on the Starbucks program https://hackerone.com/starbucks, you just need to follow their rules and make sure you don't break them or you won't be eligible for a bounty or you can even be suspended from HackerOne. So if I'd find a remote code execution, I'd have to make sure I show proof of that and that's it.