GETTING BEYOND BUG BOUNTY NOOB
[email protected]/web-hacking-101
www.youtube.com/yaworsk1
OVERVIEW
▪Who am I and why do you care?
▪What are bug bounties?
▪Lessons learned (with examples)
▪Getting started
WHO AM I?
▪ @yaworsk on HackerOne, Twitter, etc.
▪ 11 – months since I started bug bounties
▪ 24 – number of thanks received on HackerOne
▪ 105 – bugs found on HackerOne
▪ 67 – Rank on HackerOne (as of Nov 3, 2016)
▪ 0 – total security experience in November 2015
▪ Formal education in Public Policy
▪ Self taught “developer”
▪ Web Hacking 101 Book / Hacking Pro Tips
WHAT ARE BUG BOUNTIES (CONT’D)
▪ HackerOne (as of Nov 2, 2016)
▪ 32,470 bugs fixed
▪ 3,970 hackers thanked
▪ 155 public programs
▪ ~600+ total programs
▪ Hacktheplanet + Hacktivity
▪ Bugcrowd (as of Mar 31, 2016)
▪ 6,803 paid submissions
▪ 26,782 “researchers”
▪ ~100 public programs (62 shown online as of Nov 2, 2016)
▪ ~180 private programs
▪ Monthly / yearly bonuses + Forum
LESSONS LEARNED
Hacking is not easy money
POC || GTFO
Your reputation is gold
Skill, observation & relationships
Pay it forward
1. HACKING IS NOT EASY MONEY
▪ @ITSecurityGuard
▪ thanks from Uber, Google, Yahoo, Snapchat, Apple CVE
▪ first 7 bugs on Paypal, all dupes and unrewarded
▪ @filedescriptor
▪ over $200k from Twitter alone
▪ started with n/a’s and gave up for a short time
▪ @nahamsec
▪ 18th on HackerOne, thanks from Yelp, Shopify, Apple, Uber, Yahoo
▪ Felt burnt out at the beginning of this year, said he wanted to walk away.
Source: Google Bughunter University
3. YOUR REPUTATION IS GOLD
HackerOne Private Invites:
Private Programs == Fewer Hackers == $$ (potentially)
GETTING STARTED - SCOPES (CONT’D)
- This is 1 policy
- Extremely detailed
- Sets clear expectations
- Indicative of a good program
GETTING STARTED - REPORTS
“Better bug reports = better relationships = better bounties”
https://hackerone.com/blog/how-bug-bounty-reports-work
THANK YOU!
@yaworsk
www.leanpub.com/web-hacking-101
www.youtube.com/yaworsk1