5 Things Top Bug Bounty Hunters Do Differently
This week, we had the pleasure of hosting 50 Belgian technology students, who were on a tour of Silicon Valley technology companies. We had the opportunity to share our experience in Silicon Valley as entrepreneurs. But mostly we discussed hacking and security because, after all, that is what we live and breathe at HackerOne. We shared a few well-known and public examples of hackers working with companies to demonstrate how far the industry has come. We covered Samy Kamkar's MySpace worm, Chris Putnam's very similar "Facespace" worm, the Jeep and Tesla car hacks and the United Airlines bug bounty, among other cool stories. After story time, we jumped straight into tips and tricks for becoming a successful bug bounty hunter.
Here are 5 things top bug bounty hunters do differently:
They Know How to Build
Some of the best hackers say they learned to hack before they could code. Some hackers picked up hacking after learning to code. Truth is, it doesn't really matter. But the most effective hackers practice both the art of hacking and the science of engineering software.
When you've been - or better still, are - on the side of creating new product features, you get a better understanding of where to look for bugs. Humans make mistakes, and having direct experience with how these mistakes are made and turn into weaknesses is key to becoming a successful bug bounty hunter. Software developers almost always use frameworks that provide the building blocks for the application they are trying to architect. Experience working with various frameworks gives you insight into how they're used, but more importantly, it also tells you how they should not be used. The latter is what you need to take advantage of as a security researcher.
Having experience in writing software is the single most important thing that helped me as a hacker.
They Have An Eye For Anomalies
Start by identifying the design patterns used throughout your target application. Then match those against the instances you have found where the developers chose to adopt a different pattern. When you find an instance of a developer going out of their way to bypass a best practice, you should start to smell vulnerabilities. In my personal experience, this usually means there is at least one vulnerability near where you are sniffing around. It is guaranteed that you will find these exceptions in any application.
A deviation in the naming pattern used for HTTP endpoints, in the way a user input form is structured, in the representation of data being passed around in an API, or simply in the way a page looks: these are all classic tells for anomalies.
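The "find the pattern, then find the exceptions" approach above can be mechanised for the first tell, endpoint naming. The script below is an added example, not code from the original post or from HackerOne: it takes a route inventory (here a constructed sample list, not any real application), works out the dominant URL prefix and word-separator style, and reports every route that breaks a convention or ends in a verb-like RPC segment where the rest of the API names noun resources. A security team can run the same script over its own framework's route table to decide which handlers deserve a closer code review first. The thresholds and the verb list are assumptions chosen for the sample data.

```python
"""Flag HTTP routes that deviate from the conventions the rest of the application follows."""
import re
from collections import Counter

# Constructed sample route inventory for demonstration; not taken from any real application.
SAMPLE_ROUTES = [
    "/api/v2/users",
    "/api/v2/users/{id}",
    "/api/v2/orders",
    "/api/v2/orders/{id}/items",
    "/api/v2/payment_methods",
    "/api/v2/invoices",
    "/api/v2/invoices/{id}",
    "/api/v2/shipping_addresses",
    "/api/v2/exportUserData",      # camelCase verb among snake_case resource nouns
    "/api/v1/legacy_report",       # stale version prefix left behind
    "/internal/debug/dump",        # outside the API prefix entirely
]

# Assumed list of verb prefixes that mark an RPC-style endpoint in a resource-oriented API.
VERB_RE = re.compile(r"^(get|set|create|update|delete|export|import|dump|run|exec)", re.I)
PARAM_RE = re.compile(r"^\{.*\}$")


def split_route(path):
    """Return (prefix, resource segments) with path parameters such as {id} removed."""
    segs = [s for s in path.split("/") if s]
    prefix = "/".join(segs[:2])            # e.g. "api/v2"
    resources = [s for s in segs[2:] if not PARAM_RE.match(s)]
    return prefix, resources


def word_style(segment):
    """Classify how a multi-word segment separates words; None for single-word segments."""
    if "_" in segment:
        return "snake_case"
    if "-" in segment:
        return "kebab-case"
    if re.search(r"[a-z][A-Z]", segment):
        return "camelCase"
    return None


def find_anomalies(routes, minority_share=0.34):
    """Map each deviating route to the list of conventions it breaks.

    A route is flagged when its prefix is not the most common one, when a
    segment uses a word style held by fewer than minority_share of all
    multi-word segments, or when its last segment is verb-like.
    """
    parsed = {r: split_route(r) for r in routes}
    prefixes = Counter(p for p, _ in parsed.values())
    dominant_prefix = prefixes.most_common(1)[0][0]

    styles = Counter()
    for _, res in parsed.values():
        for seg in res:
            st = word_style(seg)
            if st:
                styles[st] += 1
    total_styled = sum(styles.values()) or 1
    minority = {st for st, n in styles.items() if n / total_styled < minority_share}

    report = {}
    for route, (prefix, resources) in parsed.items():
        reasons = []
        if prefix != dominant_prefix:
            reasons.append(f"prefix '{prefix}' differs from dominant '{dominant_prefix}'")
        for seg in resources:
            st = word_style(seg)
            if st in minority:
                reasons.append(f"segment '{seg}' uses minority style {st}")
        if resources and VERB_RE.match(resources[-1]):
            reasons.append(f"last segment '{resources[-1]}' is verb-like among noun resources")
        if reasons:
            report[route] = reasons
    return report


if __name__ == "__main__":
    for route, reasons in find_anomalies(SAMPLE_ROUTES).items():
        print(route)
        for why in reasons:
            print("   -", why)
```

On the sample inventory the script singles out the camelCase export endpoint, the leftover v1 route and the internal debug handler, which is exactly the short list a reviewer would want to start with. Single-word segments are deliberately ignored when computing the separator style, since "users" tells you nothing about whether the team prefers snake_case or camelCase.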
They Submit Quality Reports
One must not forget that quality often matters more than quantity when it comes to vulnerability reporting. For a team running a bug bounty program, it is far more interesting to learn about a remote code execution vulnerability than about a series of Self XSS opportunities.
As a hacker, if you enjoy the puzzle or intellectual challenge that is finding a super-severe vulnerability, you're good. If you also enjoy describing what you found as clearly as possible, you're even better! Don't forget that reporting a vulnerability is a professional interaction between you and a security team. Use professional language, be concise, include clear reproduction steps, and don't introduce unnecessary overhead for the person on the receiving end. While you are excited about finding a vulnerability, realize that the security team you are reporting to may not be equally excited about having a vulnerability. You also have to understand that the security team you are reporting to may have competing priorities -- you don't know their business. Being patient and understanding in your exchange is always appreciated and sometimes even rewarded appropriately.
They Set Goals
How do you tell if you're a successful bug bounty hunter? For some, there is no better success indicator than $$$ in your bank account. Setting goals for yourself helps you stay motivated and engaged. You will be able to better choose where to spend your time -- it is a competitive game after all. You can set goals for yourself around the amount of money you want to make in a quarter, the types or severity of bugs you want to find, or the specific companies you want to find vulnerabilities in. My goals are a combination of all three.
For me personally, it is not all about the bounties. I enjoy the challenge and contributing to the security of the Internet. I worry about the security of the services I use, and I often spend time finding vulnerabilities in the services I rely on the most. For me, knowing I am helping secure my personal data or my company's is extremely rewarding.
They Hack Together
Together you find more. In 2015, my co-founder Jobert and I made over $100,000 in bug bounties. We almost always hunt for bugs together. We bounce ideas off each other. We disagree, and we call one another out when one of us is being stupid. We argue, we braindump, and usually it turns into a brilliantly working exploit.
Working together is very powerful. It allows you to parallelize. More importantly, it gives you someone to bounce ideas off when you are trying to prove your theoretical, almost crazy vulnerability. If you don't already have a hacking buddy, don't worry, it's not required to succeed. This is more of a bonus trick that can allow you to optimize your bug bounty work.
- Michiel Prins