This will be a blog post about my experience hunting bug bounties at Hackerone. This is my first time signing up for a bug bounty platform. I will say this, I’m not a expert. I might get some things wrong, but this is my story and my experience.
What is Hackerone?
Most people reading this might not know what Hackerone is.
“HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cybersecurity researchers.” - Wikipedia
- The company set the scope of the assets that the security researcher should look into.
- The company states which bugs are in scope.
- The company states which bugs are out of scope.
- And general guidelines and more…
The goal for the security researcher is to :
- Find relevant bugs within the given scope.
- Write a good report on his/her findings.
- Communicate with the customer.
The company might then award the security researcher with a bug bounty. A thank you for finding the bug and making the web a safer place and protecting the companies assets from malicious actors.
How I got interested in Bug Bounties
Meet STÖK, a guy I stumbled upon at twitter.
I started following STÖK. A couple weeks went by. I then found out that he had a youtube channel which I found very interesting. I watched one video. I then watcher another…. And another…
I watch every single video he had in one go. I was so hooked on finding my first bug bounty!
What did I do after this. I went to bed!!
The next day I woke up, tired. I googled for “Bug bounty”. I found two websites that seemed like the real deal.
More youtube… Yes!!! I found Hackerone’s youtube channel. They had a lot of interviews with hackers and their experience hunting bug bounties at Hackerone. This was also very motivating and I felt like I could do this. If they can, why can’t I?
Bugcrowd also had a youtube channel with some real nice burp suite tutorials that came in handy!
Do you even burp? Yes and no. I’ve used burp before, I have but I’m a great fan of OWASP ZAP. A very similar tool to burp suite, and it’s open source.
After taking in all this material, it seemed like nobody used ZAP… I decided, it’s now or never. It’s time to uninstall ZAP and install burp suite.
1 week later
I’m a CTF player for IndianTuesday. I love CTF’s. Guess what. Hackerone has a CTF.
I was bored and tired of studying for my exam. I signed up. Said, whatever I’ll just complete the first easy challenge.
CTF > School
I found some flags and then I quit and went on with my day.
My first day hunting bug bounties at Hackerone
I woke up, today is the day. Today is the day I will find my first bug bounty. I was energized, had a lot of tricks up my sleeve.
I decided that Hackerone was the platform I was going to use. I went to pick a program.
What is a public program?
- It’s basically a company that is looking to have it’s assets pentested. A public program is accessible by anyone registered at Hackerone.
What is a private program?
- A private program is not accessible by the general public. You need to be invited to be able to participate in the private program. A quick note here. Private programs at Hackerone should not be discussed publicly!
Back to the story.. I picked a random public program. Spent two hours just clicking around the website, trying some random stuff. I found nothing. I was frustrated and I quit.
My first private invite at Hackerone
A week went by. I almost forgot about Hackerone. One day I was bored, I continued playing the Hackerone CTF. I managed to get 30 points. What did this mean?
You’ve earned 1 invitations. 4 / 26 points to your next private invitation.
Private invite. Huh…. Cool.
A few days later I got an email stating that I’ve got an invite to a private program on Hackerone. I had one week to accept the offer.
1 day went by. 2 days went by… 5 days went by. On the final day I opened the invite again. I read the scope. I decided, whatever. I’ll give it another go, the worst that could happen is that I find zero bugs. I accepted the invite.
Next blog post
My next blog post will be about how I found my first bug.