Secure Dose

Sunday, 8 November 2015

Bug Bounty!!

The Bug Bounty Trends
These days in India there's lot of people into earning money via Bug Bounty..
What actually bug bounty is? An ATM Machine where people get dollars??
Actually no. Lets see what it is actually and why there is more craze about bug bounty especially here in India.

What is Bug Bounty?
Well, bug bounty is a program offered by many companies which are into developing a Web-based or Standalone products to find bugs in it and on submission they verify the bug and based on the seviourity, these companies provide rewards. It is similar to any kind of deal.  It is open to public and anybody can take this program by finding bugs(Generally, Security bugs!) and properly reporting.
You might be thinking that If anybody can take this deal then penetration testers are losing their job then? Actually No they are not.

How it works?
There are procedure, protocols and standards has to be followed by the person taking part in the program for the sake of the companies risk. Not following these protocols can be illegal and may land you into jail and official issues. We will be discussing about it soon.
First lest see what actually companies do to start such a program.

Their bug bounty program is initiated only and only after they test their own application first.
This includes all types of tests like Security testing, Unit testing, Functionality testing, Compliance testing, etc and only after they are fine with it they initiate these programs. The reason is, if they do not do so, their company procedure will increase, also their reputation and trust among their clients reduces. 
Reputation? how? 
If they do not have their own testing team, they are likely to have more critical bugs, easy to find and exploit. This directly strikes the reputation of the company and hence, penetration testers are not losing their job at all.

How they take bug bounty these days?
Most of the bug hunters today are taking their level of skill based on the bug they find in much reputed companies  web-applications. The more reputed the company, the much "pro" they are.
Another thing is, a source of money to again a big population.
There are many out there who actually take this as a learning process.

What is the advantage of bug bounty program?
I would like to highlight the things we learn. 

1)The professionals who have actually participated bug bounty usually have their own blog where they post how did they found bugs. Reading bout such bugs you learn more about how to discovers vulnerabilities. So when we actually participate into this we increase our skill set into Vulnerability Assessment. 
  1. Vulnerability assessment 

2)When we submit bug to them we actually learn how to write a report. A quick search and you can find many ways to write a bug report with a good POC(Proof of Concept) with video and screenshot.
Here you can find why writing good report is important.
  1. Vulnerability assessment
  2. Bug Reporting

3)Interacting in a formal way is another skill you can add to your list. Many of them have skills and are good into VA but their interacting power is not so good hence they lose the bounty program. I have come across few people who find good bugs into reputed companies but they eventually do not get their bug approved just because of the interaction issue.
  1. Vulnerability assessment
  2. Bug Reporting
  3. Communication Skills

4)Companies get to know about your skills and may also hire you. Similar thing happened with me when I was finding something to do in my vacations. I found a bug in a startup's web-application, reported them and I was doing internship withing few weeks. Cool right? 
  1. Vulnerability assessment
  2. Bug Reporting
  3. Communication Skills
  4. Opportunity and Exposure 
5)You can include this into your CV that you participated in such bug bounty programs where you reported vulnerabilities in so and so companies. This makes your CV more attractive and gives a reason to hire you.
  1. Vulnerability assessment
  2. Bug Reporting
  3. Communication Skills
  4. Opportunity and Exposure
  5.  Attractive Portfolio

There are many websites which provide a platform for Hunters and Companies both.
To find some reputed companies program search about them. 
There are many more things which come up to you and you can learn. 
Hope this article helps to know more about bug bounties.  
pic source:

Secure Dose

Author & Editor

The Blog is completly related to websec and sometimes other branches of Information Security. It focus on theory and practical both with some resource section provided where I share my presentation pdf where I recently give my talk. Have a good read and suggestions are always welcome.


Post a Comment