How to Start Bug Bounties 101 & How to Make a Million in 4 Years
I got lots of questions and requests especially from new beginners to the area, so wanted to prepare a blog post regarding how to start at bug hunting and how to be successful.
Firstly, I want to say as there is no only true way exist to became successful in any area including this one. Every person has their own personality, characteristics, speciality and qualifications so this criteria could differ from one to another. I am only telling my story and mental methodology here, which directed me to earn $1 million through 4 years.
How (not) to start at first place?
If you are a person who is consistently asking other people about how to become successful in bug bounty sector or being mentor to them, I can surely tell you that as this is not the right way. Nobody has a simple formula to become successful in any area. So first thing to do in here could be stopping to ask people generic “how to” questions. Instead of it; you can do your homework, do some research about the area and find out your way yourself which will really help you later in terms of gaining bug hunting mindset.
When I was lecturing “Cyber Security 101” class at the Istanbul Bilgi University for 4 years, my first slide of the presentation for the first term was this one:
This concept could be expanded & adapted to any area. In terms of bug hunting:
- “Learning how to use Google” is super essential. I use nearly 50-100 times per day for the last 4 years of my time. If you know how to use if efficiently, you can find what you are looking for faster and smarter. If you want to know how to use it efficiently, you can start Googling about it.
- If your native language is not English, then learning it is super essential as using Google. The most international accepted language for 2021 is English and nearly all resources can be found within it.
- I mentioned Turkish (as native language) on my original slide because knowing your native language is an important thing to become successful in any area. If you cannot know your native language well at first place, then you cannot use/learn/know other languages well too. In addition to that, we are using our language as a gateway to the outer world. Applying it to bug hunting: To understand what you are reading/researching, to speak with other people on same interests, to write a good report, to make a discussion with the report reviewer/triager; you need to know your native language + English good. There is a concept exist as Sapir–Whorf hypothesis regarding to the subject as: “a principle suggesting that the structure of a language affects its speakers’ worldview or cognition, and thus people’s perceptions are relative to their spoken language.”. which I highly believe as it is really effecting our perspective of lives including our approaches to any subject. So knowing your language better + an extra language might bring a new different point of view to the human being. (If you are into the topic, I also can recommend the 2016 Sci-Fi movie Arrival which had a different unique approach to this hypothesis.)
- “Finding your own area/speciality” is actually important on the long run to become expertise and unique in the industry. As a real world example, Tommy tells it all the time as he made nearly all of his bug bounty payouts from a single vulnerability category, SSRF, which is a good proof to what some focused working can put into your wallet.
- “Technical knowledge & experience” is all you can put into this area. Comparing to the other working concepts/practices (such as winemaking, having nearly 1000 years of history and experience), bug hunting (as well as nearly all IT topics) is still a new topic which changes everyday. So adding some value to it is easy comparing to other disciplines.
- I am not going to talk in details about “Keeping up-to date” in here, because as it is obvious that information technologies are updated every day and without having that, your bugs could be out-of-date :)
- In terms of bug hunting, “Expanding your network/social skills” is not too important comparing to the prior items, however having those still can bring you new opportunities. Human beings are known as social living creatures from beginning and working as a community always brings positive developments.
How to become successful?
From both my experience and observations of other bug hunters’ career paths/resumes; I can say that if you have a penetration test/offensive security research experience on your back then it is easier to getting adapted on bug hunting discipline. But as I said, there is no point of generalizing and I do personally know lots of successful bug hunters even if they didn’t go into the university at all or yet. So this really depends on the person. You could become successful when you are at your 14 or could fail even after you have your PhD in Computer Sciences.
Firstly, definition of “being success” in here is really important and it also depends from person to person too. Most of the times, success is came down to the salary/payout/money; however I can say that there are more success items exist in bug bounty hunting comparing to the regular day job. From my point of view, I am choosing bug hunting over regular working due to those earnings of successes:
- Being own your boss: If you have a really good self-discipline and really do not like illogical duties coming from your superior, than this is definitely it for you. This is the uttermost thing that I love about bug hunting. You are your own boss.
- Performance basis payouts: If you are eager of earning more money, instead of changing your job, you can work for extra bucks over the night :)
- Flexible working: Most of the new IT jobs has this as a benefit but still taking a day or month off without asking to anyone for approval is still awesome.
So without having the same salary on a daily job, I would still prefer hunting as those advantages. Having those is a success for me rather than huge payouts :) To sum up; for becoming successful, a person needs to define their own success criteria at first.
Ok, my success criteria is 🤑. So how to make a million?
Now as a starting point, it differs within various experience levels:
- If you are starting without any IT experience, then this is the toughest one to achieve. For becoming successful in this area, one should really know the basics of the IT such as networks, hosts, software, protocols etc. basically everything. Without knowing them, finding vulnerabilities would be really hard. I could suggest to understand those technologies at first; e.g. installing a web service, creating a DNS server, learning a programming language etc. then afterwards focusing on security field.
- If you are starting with IT experience but without a pentest experience; then this is still hard for you but not the toughest. The main thing in here is actually learning about security principles. Why do we need security? What are we trying to protect? Who are protecting from? How can we protect that? What could be entry points? What are the attack types? If you can start answering those questions on all case by case, then the basics of the offensive security could be start shaping on you.
- If you are coming from pentest experience like me; I can say that bug hunting discipline is really different than pentest and a little bit hard to getting used to. Instead of the pentest projects (finding every vulnerability including all levels), you need to focus nearly to find exploitable vulnerabilities rather than theoretical ones. I remember as we were reporting SQLi’s on the pentest projects within having errors as
'characters or reporting
<>escapes on the responses of the HTML’s without trying to actually dump an information from DB or bypassing WAF for a successful XSS attack. So this is the time that you need to focus on finding actual vulnerabilities within real world scenarios & impacts.
I personally prefer and suggest to start into bug hunting after learning the security concepts + having online trainings. You can still find vulnerabilities without having extreme technical skills but most of the times they would happen within temporary lucky findings/reports which could make you struggle in the future.
After starting actively bug hunting, this is my mental applied methodology for both short/long term:
- Being consistent: Especially for the first years, consistency is really important. Some days while you are getting some valid reports, some days you will get nothing. So within consistency you will increase your chances to find valid reports per day/week.
- Goals & motivation: Demotivation is really common especially at the first days/months of hunting. I personally felt like thousands of times demotivated when cannot find any bugs during the day. What I found as a solution is focusing of the both short/long term realistic goals instead of daily wins. The important thing in here is actually what you achieve per average. Setting weekly/monthly/yearly achievable goals and actually achieving them is really good for intrinsic satisfaction.
- Variety in bugs: If you are focused only on XSS bugs, then you can only report XSS bugs. :) especially for the beginners, having different set of categories testing is really important. For my first year on hunting; I can say that I looked and reported for all kind of bugs. Within this, you will start to have more valid reports comparing to the lesser diversified testing which will reduce the stress both in terms of payouts & fear of not finding anything.
- Focusing on some categories: As the prior Tommy & SSRF example, especially after some time; focusing on some categories and increasing the technical knowledge about them & being expertise on them will really create difference in the industry. Especially after my 2nd year at the hunting, I started focusing on some of the categories that I love such as Authorization/Authentication. Read everything about them. Apply everything you learn about them in the real world. Manually analyze every request and response. In some step, you will catch those special ones unique to you!
- Learn platforms/mentality: Every bug bounty platform, target, program, triager etc. has a huge difference of approaches comparing to others. For last 4.5 years (All of my bug hunting journey), I mostly worked (80–85%) on a single platform which bringed me succeed. While I was testing mostly new systems/targets per week on my first years; especially for the last 2 years, I started testing my old targets again per 6 months which I earned most of my payouts. On this period, I found out that application owners creates lots of different vulnerabilities while patching the reported ones which are overlooked most of the times. Also testing/getting used to same technologies will collect more deep/technical information regarding those which makes it possible to report more complex and unhidden bugs. So while testing different applications/targets extends & diversifies your knowledge, testing the same ones from time to time provides new discoveries that goes unnoticed.
- Have your own mental methodology: Every successful bug hunter I met has a unique approach of testing, which is shaped after some time. So find the methodologies that suits best for you and improve them on your way.
As I said on the prolog section of the post: “There is no only true way exist to became successful in any area.”. Every human being has their own journey. We will always use others’ experiences for self-development as on the history, however will also determine our self-journeys within individual efforts and diligence.
Stay safe and be luck on your side :)