Summary
Bug Bounty Hunting is a subset of web application penetration testing that is judged on results rather than attempts. PoC || GTFO.
Remember
- Bug Bounty Hunting is a game of luck but you control how many times you roll the dice.
- You are doing this to learn. Go down those rabbit holes now and start building that intuition.
- Take your time with a program. Spend at least 40 hours with a program before jumping ship.
- Understand the business need in order to understand the impact and severity.
- Fuzz all the things
- Do it every day
- Dedicate time to learn new vulnerabilities.
Starting an Engagement
- Make sure to fuzz within scope
- Create multiple test accounts so you can test for IDOR (insecure direct object reference) by trying to reach one account's objects from another.
Top Mistakes According to Triagers
- Lack of information
  - Lack of detailed information
  - Not providing clear steps to reproduce
  - Incomplete PoC
- Ignoring program requirements
  - Ignoring scope
  - Ignoring program rules
- Exaggerating the severity
  - Not considering user impact
  - Understand the business need in order to understand the severity
- Submitting the same vulnerability with slightly different variations
- Submitting low-impact or no-impact issues
- Being disrespectful
- Leaking information
- Unrealistic payout expectations
- Failing to verify and validate