So, you would like to be one of the cool security researchers that find vulnerabilities in the most used websites in the world, saving millions from the bad guys, and maybe make some cash along the way? Well, this is your lucky day! It's time to learn about bug bounties!
5 min read
By Hans Kristian Henriksen
December 3, 2019
As you hopefully know, you can't just go to a random website and start poking around for a security hole. That would be akin to going around the neighborhood, checking the windows and doors of all the houses. At some point, someone will call the police, and with good reason. But the best way to find security problems is to actually test the site, so to make sure we are not arrested, we have to join a bug bounty.
A bug bounty program is a program set up by the owners of a website or application to make it possible for developers to test the security of a site in a safe and legal way. By joining the program, and sticking to the rules, you can be sure that you are not exposing yourself to any legal risk, and that you won't do anything that could potentially harm the website or application you are testing. While all programs are different, there are some common traits:
Bug bounties may seem odd at first. Why would anyone invite hackers to their site? The rationale is that when website owners are open to receiving reports of security issues, and compensating the work of security researchers like yourself, people are more likely to actually report issues to them, rather than trying to sell the vulnerabilities to the highest bidder on the dark web.
I won't pretend that finding security holes will be easy, but the prospects are not as grim as one might think. While many of the sites that have serious bug bounty programs are large organisations with professional security teams (read: Facebook, Uber etc.), there have been some spectacularly "simple" bugs found in their bug bounty programs. Facebook had forgotten to check if the person requesting to delete a photo was indeed the owner of said photo, making it possible to delete any photo. If you knew the ID of an image, you could simply call the API to delete it. Uber, on the other hand, got a report of a fairly easy workaround to their surge pricing: place your location pin outside the surge area, then change the pickup address to an address in the surge area.
Neither of these is a difficult bug to find. They only require some creative thinking and simple testing to validate your theories. It's important to note that actually exploiting these vulnerabilities would be outside the rules of the bug bounties. You may have to set up a second Facebook account and delete one of its photos, or order a single ride with Uber, in order to verify your finding, but after that, your next step should be to file your report.
A good way to start is to select one or two types of vulnerabilities you would like to focus on. Then, you systematically start going through the application. If you want to look for missing authorization checks in an API, start by mapping out all possible API calls, then attempt them one by one. You should probably have a note-taking app handy, as you will need to keep track of a lot of attempts.
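To make the Facebook example and the "map the API, then try each call" method concrete, here is an added example (not code from the original post, and nothing to do with Facebook's real API): a tiny in-memory photo service with a delete handler that forgets the ownership check, the same handler with the check added, and a small audit routine that tries each endpoint from a second account against a photo it does not own. All names (`PhotoStore`, `delete_photo_vulnerable`, `delete_photo_fixed`, `audit_endpoints`) are invented for illustration.

```python
"""Added example, not from the original post: a minimal photo API showing
the missing-ownership-check bug beside its fix, plus an ownership audit
that walks every mapped endpoint. All names here are hypothetical."""

from dataclasses import dataclass, field


@dataclass
class Photo:
    photo_id: int
    owner: str


@dataclass
class PhotoStore:
    """Constructed in-memory stand-in for the application's photo database."""
    photos: dict = field(default_factory=dict)

    def add(self, photo_id: int, owner: str) -> None:
        self.photos[photo_id] = Photo(photo_id, owner)


def delete_photo_vulnerable(store: PhotoStore, caller, photo_id: int) -> str:
    """Checks only that the caller is logged in and the photo exists.
    Any authenticated user can delete any photo whose ID they know."""
    if caller is None:
        return "401 unauthorized"
    if photo_id not in store.photos:
        return "404 not found"
    del store.photos[photo_id]
    return "200 deleted"


def delete_photo_fixed(store: PhotoStore, caller, photo_id: int) -> str:
    """Same handler with the ownership check the post says was missing."""
    if caller is None:
        return "401 unauthorized"
    photo = store.photos.get(photo_id)
    if photo is None:
        return "404 not found"
    if photo.owner != caller:
        # Authenticated but not the owner: refuse and leave the photo alone.
        return "403 forbidden"
    del store.photos[photo_id]
    return "200 deleted"


def check_ownership_enforced(handler) -> bool:
    """The post's verification step: use a second account ("bob") against a
    photo owned by "alice". Returns True if the handler refuses and the photo
    survives, False if the photo was deleted."""
    store = PhotoStore()
    store.add(1, "alice")
    result = handler(store, "bob", 1)
    return result == "403 forbidden" and 1 in store.photos


def audit_endpoints(endpoints: dict) -> dict:
    """Map of endpoint name -> handler, tried one by one; the result is the
    kind of record you would keep in your note-taking app."""
    return {name: check_ownership_enforced(h) for name, h in endpoints.items()}


if __name__ == "__main__":
    mapped = {
        "DELETE /photos/{id} (old)": delete_photo_vulnerable,
        "DELETE /photos/{id} (fixed)": delete_photo_fixed,
    }
    for name, enforced in audit_endpoints(mapped).items():
        print(f"{name}: ownership check {'present' if enforced else 'MISSING'}")
```

The audit deletes only a photo inside a throwaway store it created itself, which is the in-scope equivalent of deleting a photo from your own second account: it proves the check is missing without touching anyone else's data.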
To get started, you can look for sites that have bug bounties by going to HackerOne or BugCrowd. These are two of the biggest sites gathering bug bounties from different companies. You will find clear descriptions of the rules for each program, and instructions for how to report any findings.