How to become a bug bounty hunter

Updated on 03-Oct-2023
HIGHLIGHTS

Finding bugs for a living is a legitimate career choice. Let us show you how to go about it.

“Become a hacker”, said no Indian parent ever to their kids. If your’s did, congratulations on having an awesome set of parents. The perception of hacking in the country was pretty much non-existent up until the availability of affordable internet connectivity, and even then the perception remains pretty misguided. Except for the tech-savvy, most individuals, parents or otherwise view the role of hacker as something purely malicious, going as far as labelling hacking skills as criminal tendencies.

However, the job market tends to think ahead and think differently, especially when it comes to technology roles. The National Association of Software and Services Companies (NASSCOM) recently estimated that India will need 1 million cybersecurity professionals by 2020 to meet the demands of its rapidly growing economy. Even without the accompanying statistics, the need for cybersecurity personnel is evident in the number of leaks happening every single day. While there are myriad roles within the cybersecurity domain that are required to fill this gap, we’re going to focus on one particular role – a bug bounty hunter.

What does a bug bounty hunter do?

To get a basic understanding of the role, the name itself is quite self-explanatory. A bug bounty hunter looks for bugs in applications and platforms, which they later reveal to the company responsible and are compensated for the same. Numerous companies run established bug bounty programs with predefined rewards. For instance, in India, Ola runs the Security Bug Bounty Program under which it has defined rewards up to Rs. 3 lakh for Injections, Server Side or client-side issues, Bypassing significant security controls and more. Other companies like PayTM, Mobikwik, Yatra and McDelivery, the delivery arm of McDonald’s, also have their own bug bounty programs.

Why be a bug bounty hunter?

HackerOne is a platform that connects businesses with its community of cybersecurity researchers who work on finding bugs and breaches on their platforms. The 2019 Hacker Report from HackerOne outlines a lot of interesting facts about the role of a bug bounty hunter.

The pay

According to HackerOne, India remains the top location for hackers the second year in a row, with 27% of the pool coming from the country this year, whereas, on BugCrowd, India comprises nearly 24% of the members. In terms of payment, the United States paid the most at $33,658,784 being paid out in bounties.

Interestingly, India is also one of the leaders on the board in terms of bounty earned. Indian hackers earned a total of $4,982,260 in the HackerOne community. Due to the global nature of this role, it isn’t entirely fair to limit payout sources to only those of Indian origin. In a May 2017 Hacker Powered Security report, it was shown that that white hat hackers in India netted $1.8M in bounties. Back in 2016, when Facebook released statistics pertaining to its own bug bounty program upon its five year anniversary, India topped the list of the number of payouts.

In India, the job preference in the general populace leans heavily towards salaried roles. However, the report goes on to show that the top bounty salary earned by Indian hackers in the HackerOne community is about 17.6 times the median annual pay of a software engineer in the country (derived from PayScale).

Low entry barrier

According to the same report, the 18-24 age group comprises nearly 48% of the entire community, while on Bugcrowd the number shoots up to 72% which shows that experience is not a requisite. In fact, on HackerOne nearly 73% of hackers have been hacking for less than 5 years, whereas on BugCrowd, nearly 34% have been into bug hunting for less than a year. Additionally, eight out of ten hackers on the HackerOne are self-taught, while the same number on BugCrowd is at 32%, which also shows the accessibility of skills required in this area. In fact, 81% of hackers point to online resources and blogs as their primary source for hacking education, while just 6% have completed a formal class or certification on hacking.

How to be a bug bounty hunter

If we haven’t made that clear yet, there’s no fixed way of becoming a bug bounty hunter. Looking at the reports mentioned earlier will make it clear that hackers can be self-taught, or skilled in a classroom, they can be experienced info-sec professionals doing this as a hobby, or students doing this for skill-development or just for fun on the side. However, there are a few skill areas that are in high-demand, year on year in terms of targets.

  • Web application
  • Network Pentesting
  • API Assessment
  • Social Engineering
  • Source Code Analysis

Since web remains the widest ground for potential bugs, it retains its top position as the most preferred target area, followed closely by network penetration testing. Social engineering is relatively new on the top five but has become increasingly relevant in recent years.
Just like the skills and target areas, the tools and methodologies required to become a bug bounty hunter are also quite diverse. Going by the preferred techniques, attack vectors and methods in the reports mentioned earlier as well as other sources, these are the top five areas to focus on:

  • XSS
  • SQL Injection
  • Fuzzing
  • Business Logic
  • Information Gathering

Even though this is a top five, XSS has a massive lead going by numbers, followed next by SQL Injection, while the rest are also moderately popular. 

None of this will be of any use if you cannot practice. Bug hunting is different from writing code and developing applications. You need to use the tools and methods above in unconventional ways until you’re successful. To that end, practicing on vulnerable systems in a simulated environment is a great way to learn the chops. Here are a few examples that will come in handy:

  • BWAPP: A deliberately buggy open source web application.
  • WebGoat: An insecure web application maintained by OWASP.
  • Rootme: A platform to try out your hacking skills in simulated challenges.
  • OWASPJuiceShop: A  sophisticated but insecure web application.
  • Hacker101: A free web class for security with a Capture The Flag challenge to practice in.

There are way more tools out there for you to practice on, we’d recommend you try as many as you can to hone your skills. Even the tools above keep updating their features so it would be a good idea to keep checking them out every now and then even if you’ve bested them already. Additionally, check out a full list of tools you can use for Bug bounty hunting here: https://dgit.in/BBTools. 

Filing a report

While you’ll be focussed on finding a bug using the techniques, tools and vectors mentioned above or the ones you’ve found on your one, once you’ve done that, there’s another aspect of being a bug bounty hunter that is crucial – filing a good bug report. Remember, a bug report is the establishment of a professional relationship between you and the security team at the company you’re reporting the bug for. While each company might have its own guidelines for bug reports, it helps if the report is precise, includes ample evidence of the bug without being misleading and also helps them resolve the issue as quickly as possible.  Broadly, any bug report should have these features:

  • Detailed descriptions of your discovery with clear, concise, reproducible steps or a working proof-of-concept (POC).
  • Screenshots and/or videos can sometimes assist security teams in reproducing your issue.
  • The impact of the vulnerability; if this bug were exploited, what could happen?

With everything we’ve learnt so far, you should be ready to go bug hunting. Email us to clear any doubts! 

Resources 

Connect On :