How to get started with Bug Bounty?

What is Bug Bounty?

A bug bounty is a program run by companies to add an extra layer of security to their websites and online software. It is a crowd-sourced penetration testing program that rewards participants for finding bugs in the system and proposing how to resolve them. For students, researchers and web security experts, it is an excellent opportunity to test their web security and domain-specific skills, and they get paid as well if they find security bugs.

The number of companies organizing these crowd-sourced programs is increasing day by day, so the number of opportunities for bug finders is also increasing.

Apart from a working knowledge of programming, bug bounty hunters need additional skills to perform well in these programs. There are different types of bug finders: some are good at web development, while others are experts in cybersecurity.

So, we will discuss the steps and skills required to become a bug bounty hunter:

1. Learn Computer Networking

Computer networking is the primary and necessary skill that bug bounty hunters should have. Deep expertise in computer networking is not required, but all the basics should be clear. The hunter should have a clear idea about the fundamentals of networking: the OSI (Open Systems Interconnection) model, IP (Internet Protocol) addresses, MAC (Media Access Control) addresses, the TCP/IP model, etc. To clear up the basics of computer networking, you can learn from many good websites like javatpoint.com.

2. Get Familiar with Web Technology

Bug bounty hunters should have a clear idea about the basics of web development. They should have a clear conceptual understanding of HTML, CSS and JavaScript, which is more than enough to start a career as a developer. They should also learn the different protocols used in web development, like HTTP (HyperText Transfer Protocol), FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol), TLS, etc.

There are various resources available online and many books to learn web technologies.

3. Learning Web Application Security Measures and Hacking Techniques

This skill covers the basic security mechanisms, the common bugs and vulnerabilities found in system software, and the different ways to resolve those bugs.

There are some books for learning these skills:

  • Web Hacking 101
  • The Web Application Hacker's Handbook
  • Mastering Modern Web Application Penetration Testing

4. Practicing and polishing the basic skills

The more we work on our existing skills, the better they get. So, in web security, if we try different targets with different difficulty levels, it becomes easier to find bugs even when a website is well secured or has already been tested by other testers.

We can use the following resources to enhance our skills:

Vulnerable web applications

These are web applications that are intentionally designed with vulnerabilities and bugs. There are many variants of these applications, each built around a different kind of vulnerability, so that learners can practice their skills on them.

Some examples of these apps are:

  • OWASP WebGoat
  • Cyclone Transfer
  • bWAPP
  • DVWA (Damn Vulnerable Web Application)
  • Juice Shop
  • SQLol
  • RailsGoat
  • Bricks
  • Hacme
  • Butterfly Security Project

Of the above applications, DVWA, bWAPP and WebGoat are the best if you are a beginner.

5. Real Testing Targets

If you follow the above four steps, you have a sufficient skill set, as well as enough practice, to work as a bug bounty hunter. Now you can do real testing by applying your skills to real websites. Many companies organize their own bug bounty programs. Some of them are as follows:

  • Apple
  • Spotify
  • Starbucks
  • Shopify
  • Google
  • Verizon
  • Twitter
  • Facebook

These are the top companies that pay high rewards for finding bugs in their websites. However, it is very difficult to find bugs there because the competition is tough, and the world's top developers and bug bounty hunters are working on the same targets.

6. Staying Current on the Latest Vulnerabilities

For this skill, you can follow well-known researchers and analyze their work in the field. We can also read the reports disclosed on various platforms like HackerOne.

Some of the researchers you should follow are:

  • PortSwigger
  • Geekboy
  • Jason Haddix
  • Jobert Abma
  • Frans Rosén

If you want to become a bug bounty hunter, your academic background does not matter. The only thing that matters is your skills.