Matthew Twells

A (Very Short) Introduction to Bug Bounty Hunting


People looking to get into the more practical arms of the information security industry often get caught in a loop of "They won't hire me because I have no experience, but if I can't get hired, how do I get experience?"

It's understandably immensely frustrating, but in recent years bug bounty hunting has come to the fore as not just a way of generating a track record of work experience, but potentially even making a living (depending on how good you are, of course).

This article is a very short explainer on what bug bounty hunting is, what you need to get started and places to go next if it interests you.

 

What is Bug Bounty Hunting?




Many companies require a web presence in today's economy, regardless of what it is that they do or sell. And this requires them to have either their website, or potentially their actual software (if they're an Internet-based business), exposed to the public Internet - and all its inhabitants.

Unless you've been living under several rocks the last few years, it has become abundantly clear that not everyone on the Internet has your best interests at heart.

Plenty of nefarious individuals make their entire (and extremely healthy) living from exploiting weaknesses and security holes in these sites and programs, to steal the data or ransom the underlying infrastructure.


So what are companies (and their oft-overworked developers) to do?


Well, in the past there was (and still is) the responsible disclosure process. The idea was that through working as a penetration tester on a job, or by tinkering around with a piece of software, you'd find some sort of security flaw that could potentially be leveraged for monetary gain or further access. You would then document your findings in a way that could not be easily refuted, and then let the company know.


If you were very lucky, the company would breathe a sigh of relief and give you a reward of some description (sometimes monetary) - then you could go nuts disclosing it to the community at large, as the company has had a chance to get ahead of the curve developing a patch for it.

If you weren't so lucky, the company tried to sue you, and you hoped to God you hadn't used your real name to disclose the vulnerability.


In recent years, however, this responsible disclosure process got industrialised and opened up to the general public - because companies and developers realised that instead of paying a QA professional thousands of dollars a year to comb through thousands of lines of code looking for tiny flaws, there are plenty of bored and highly skilled professionals around the world who will do it for $500!


Companies can set up on sites like HackerOne, BugCrowd, SynAck and many more and open up their doors to the world's security professionals, and outsource their code review and security testing (some of it, at least) to the public. Testers make money on the side, companies get cheap technical reviews - win/win for everyone!

These programs are called bug bounty programs, and the people looking to make money doing this are bug bounty hunters.

 

Sounds awesome! How do I get started?


So, you've decided you want to give this bug bounty hunting thing a try, huh?

Where should you start?

Honestly, that depends entirely on where you're starting out with regards to your information security knowledge.


Already a web-focused penetration tester?

Bug bounty programs primarily consist of web application penetration testing and code review - if this is something you already do as a job, and specialise in this area - this could be an excellent way to make a bit of extra spending cash and keep the proverbial sword sharp in your spare time. Your adaptation phase is going to consist mostly of finding a favoured platform (HackerOne, BugCrowd etc.), getting your head around their rewards systems and then getting cracking.

Potentially a brush over the relevant section(s) of the Web App Hacker's Handbook, and you should be well on your way.


Technically pretty okay, but just not in this area?

Bug Bounty programs provide an excellent incentive for you to sharpen an area of your skillset that might otherwise either be lacking, or unavailable due to the commercial dynamics of the company you work for. After all, it's great practice, and you get paid for it (if you find anything, of course!).


Assuming you have basic knowledge of how websites function, your first stop should honestly be buying a copy of this: The Web Application Hacker's Handbook. We already wrote a proper review of this book, but it really cannot be overstated how handy this book is. I won't go into its contents too deeply, we already did, but it very thoroughly covers almost every topic you're likely to come across in your early days as a bug bounty hunter.


Another book that is well worth grabbing a copy of is Web Hacking 101, which can be found here. I've been a big fan of No Starch Press' work for a long time since getting into Information Security - and for good reason.

Coupled with the Web App Hacker's Handbook, this book provides the bug bounty hunting-specific introduction into web hacking that will give you the "curriculum" required to start making some money! Peter Yaworski puts the pieces together in a uniquely digestible way that really helps you hit the ground running.


Rounding out the recommended starting resources section here is the introduction to bug bounty hunting released by BugCrowd on Youtube - which you can find here. BugCrowd is one of the more popular bug bounty platforms, and regardless of which you go for, the concepts brushed over will help you get started that little bit quicker.


No technical experience whatsoever?

To be fair, this will present the largest learning curve if you're looking to make this your first foray into InfoSec work - there's a lot of base technical knowledge that pentesters and bug bounty hunters will leverage to go looking for bugs and vulnerabilities. You'll need to build that first before you can make much headway here.


Heath Adams ( The "Cyber Mentor" ) has an excellent course that serves as a brilliant starting point if you really haven't seen this stuff before, but want to make a real go at it. His Practical Ethical Hacking course, which can be found here, takes you from beginner level information security to practical hands-on hacking - and for less than £50, you can't complain at that.

After you've done that, I would suggest working your way up this article, and reading one of the books that I just recommended for slightly more experienced individuals, before making the jump in for real.

 

Knowledge is one thing, but where can I get some real practice?



The resources above will give you a solid grounding in information security, web application functions and how to go about attacking them - but soon you'll need to try it out hands-on, before diving into doing it for real on a bug bounty platform.


Here are three great places to start, which should be more than enough to begin with:


Google Gruyere: Found here, this is a codelab designed by Google to be an intentionally vulnerable web application for people to practice their skills on, without worrying about getting sued. Great beginner's resource.


Hackthissite: Found here, this is a free and legal live site where there are different challenges that will steadily rise in difficulty and add to your skillset later on. Another excellent beginner resource.


Mutillidae/WebGOAT: Installation instructions for Mutillidae (free, by OWASP) can be found here. WebGOAT can be found here. These two are another free-to-play set of web applications that allow you to practice web application attacks without worrying about the consequences, whilst guiding you through some challenges that rise steadily in difficulty.

 

Cool, now what? Time to actually start hunting some bounties!

Once you've learnt what you need, and had a bit of practice doing it for real, you could probably start setting up a profile on one of the major bug bounty platforms and following their "Getting Started" section.

Once you've done that, get stuck in! This is a great mix: you're getting practice, but it's also real experience. These aren't test applications, they're real code and real companies that you're testing.

Follow the rules, hand in your reports, and if it's not a duplicate - you'll get paid!

Here are the main players in the bug bounty hunting space:



Have fun, and let us know how you get on!

 

Some recommended reading too, if you're interested in reading further:


How To Get Started as a Bug Bounty Hunter - Hack Ware News (credit to this one, for inspiring this article!)
