Hacker's Arena
Knowledge base and discussions group for Security enthusiasts
Naveen Sunil
Information Technology
05 Jan 2019

Bug Hunting introduction

Bug bounty hunting itself is very interesting. You get to test real-world systems and find bugs in them. Most programs pay well for valid bugs; others give recognition that you can brag about. You also start receiving lots of swag: T-shirts and other goodies. All of that is true.

Now, for those who are new to this, you might have a lot of questions about bug bounty programs and where to start.

To start with, a bug bounty is a program run by companies that reward or recognize people for finding and reporting security-related issues in their products. Not all bugs are considered valid; the scope and rules are listed in each respective program.

Bug bounties benefit both the customer and the researcher. The customer learns about the bugs and can patch them early, while the researcher gets all the benefits I mentioned above.

Getting into bug bounties takes a lot of time, dedication and patience. First of all, you need to understand a great deal about the technologies involved and about security issues. Read this PDF for application vulnerability issues.

Wait, hold on: those are just the 10 common ones. There are many other bugs you will need to find out about for yourself, which I mentioned in "Security Researchers and bug hunters in high demand | CrazyEngineers".

You will need to practice them to get familiar. Host a vulnerable server locally and practice on it. "Vulnerable Web Apps - Home" contains a good list to start with.

The next big step is to make the move. Sign up on HackerOne, Bugcrowd or another vulnerability rewards program and start hunting. You can read "HackerOne" to understand the approaches and how reports are documented.

So prepare your gear and start your expedition, and remember that it takes patience and perseverance to achieve something worth boasting about.

Many security people would advise beginners to start their cyber security career in bug bounties, which I don't recommend. Bug bounty hunting should be done only after one attains a certain level of knowledge and understanding; as the popular saying goes, "Little knowledge is very dangerous".