How to Become a Successful Bug Bounty Hunter
If you ever dreamed of becoming a bounty hunter, your dreams can come true -- without changing your name to “Dog” or facing Han Solo in a Mos Eisley cantina. Become a bug bounty hunter: A hacker who is paid to find vulnerabilities in software and websites.
Anyone with computer skills and a high degree of curiosity can become a successful finder of vulnerabilities. You can be young or old when you start. The main requirement is that you keep learning. Also, it's more fun to learn if you have a buddy to share ideas with. Here is how I became a security hacker.
Submit valuable and easy-to-understand bugs
Quality over quantity. A remote code execution on a production system is worth far more than a self-XSS, even though both are security issues. Enjoy the thrill of the hunt for a severe bug. Successful hackers also spend a lot of time describing the issue as clearly as possible: get to the point and don't introduce unnecessary reading overhead for the company, because extra verbiage also slows down their response to your report. Finally, successful hunters read the program policy before they start looking for vulnerabilities, so they know what is in scope and which issue types are excluded.
Earn and show respect
Gain respect by submitting valuable bugs. Respect the company's decision on the bounty amount. If you disagree with it, have a reasonable discussion about why you believe the bug deserves a higher reward; don't simply ask for more without explaining why. In return, a company should respect your time and value: by awarding bounties, being responsive and transparent, engaging you in the discussion about the fix, and asking you to test the deployed fix. Being communicative and reasonable pays off: successful bug bounty hunters receive tons of job offers.
Do your homework
If you’re not comfortable with the basics, get more comfortable. I found it really helpful to have a good understanding of protocols like IP, TCP, and HTTP and to take a few (web) programming courses.
Most bug bounty programs are focused on web applications. To become a successful bug bounty hunter on the web, I'd suggest you check out the following resources:
- Read The Web Application Hacker's Handbook;
- Take a look at the publicly disclosed bugs on HackerOne;
- Check out the Google Bughunter University.
If you’re lucky enough to have a hacker buddy, try what worked amazingly well for me. My friend and I would write small, vulnerable programs and challenge each other to find the hidden vulnerabilities. Find someone who challenges you and use what you learned from their challenges to find awesome bugs on real targets in the wild.
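Here is a constructed example of the kind of challenge described above, added for this page; it is not code from the original post or from anything the author and his friend wrote. It is a tiny "static file server" function with one hidden bug (path traversal), next to a hardened version, so both the challenger and the hunter can check their work. The directory layout, file names and flag string are made up for the demo, and the helper names serve_file_vulnerable, serve_file_fixed, build_challenge and run_challenge are my own.

```python
import os
import shutil
import tempfile

# Constructed challenge: hand serve_file_vulnerable() to a buddy with the hint
# "find the hidden vulnerability". The bug is path traversal: os.path.join()
# follows "../" and silently discards `root` when `requested` is absolute.


def serve_file_vulnerable(root, requested):
    """Challenge version: return the body of the requested file under root."""
    path = os.path.join(root, requested)  # BUG: no containment check at all
    with open(path, "rb") as fh:
        return fh.read()


def serve_file_fixed(root, requested):
    """Hardened version: resolve the path and refuse anything outside root."""
    root_real = os.path.realpath(root)
    # Strip a leading slash so an absolute request is treated as relative to root,
    # then resolve symlinks and ".." segments before checking containment.
    target = os.path.realpath(os.path.join(root_real, requested.lstrip("/\\")))
    # commonpath is the containment check; a string-prefix test is not enough
    # ("/srv/www-secret" would pass startswith("/srv/www")).
    if os.path.commonpath([root_real, target]) != root_real:
        raise PermissionError("path escapes document root: %r" % requested)
    with open(target, "rb") as fh:
        return fh.read()


def build_challenge():
    """Create a throwaway layout (constructed sample data):
    <tmp>/www/index.html is public, <tmp>/secret.txt lives outside the root."""
    base = tempfile.mkdtemp(prefix="bugbounty-challenge-")
    root = os.path.join(base, "www")
    os.mkdir(root)
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<h1>public</h1>")
    with open(os.path.join(base, "secret.txt"), "wb") as fh:
        fh.write(b"FLAG{not-so-hidden}")
    return base, root


def run_challenge():
    """Returns (bytes leaked by the vulnerable version,
                whether the fixed version blocked the traversal,
                bytes the fixed version still serves for a legitimate request)."""
    base, root = build_challenge()
    try:
        leaked = serve_file_vulnerable(root, "../secret.txt")
        try:
            serve_file_fixed(root, "../secret.txt")
            blocked = False
        except PermissionError:
            blocked = True
        public = serve_file_fixed(root, "index.html")
    finally:
        shutil.rmtree(base)  # clean up the constructed directory
    return leaked, blocked, public


if __name__ == "__main__":
    leaked, blocked, public = run_challenge()
    print("vulnerable version leaked:", leaked)
    print("fixed version blocked traversal:", blocked)
    print("fixed version still serves index.html:", public)
```

Run the file directly to see the leak, the block, and the legitimate request still succeeding. The point of the exercise is as much in writing the fix as in finding the bug: once the hunter has found the traversal, the challenger should check that the hardened version compares resolved paths rather than string prefixes, and that it still serves the files it is supposed to serve.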
Bug hunting is one of the most sought-after skills in all of software. It's not easy, but it is incredibly rewarding when done right. As with writing code, it takes persistence, a lot of feedback, and determination to become a successful bug bounty hunter. Think outside the box and do your utter best.
Note: a version of this post first appeared on Quora. Follow Jobert there for more security advice!
Jobert Abma, co-founder
ps - You can contribute to making core internet infrastructure and free open source software more secure via The Internet Bug Bounty program as well!