Hey hackers, I hope you are all doing well. This write up will be about the do’s and don’ts in bug bounty hunting and the pros & cons.
I firstly want to explain the pros & cons and this big misconception on earning millions of dollars bug hunting and quitting your daytime job to work full-time as a bug bounty hunter.
Disclaimer! I’m not saying anything of this you should not do, it’s just based on my own opinion.
Why Becoming A Million Air Hacker Is Hard
A lot of people in the bug bounty community are hunting to earn money, yes! money is great, we all need money to survive, except some peoples expectations are way too high and they think that they can make millions of dollars bug bounty hunting. This is not a good mindset to have, the reason being is if you have this vision that you are going to be earning lot’s of money bug hunting then you will enter the competitive game of bug bounty hunting with the mindset that you will be earning lots of money. This mindset is very! unhealthy because when you realise how hard it is to earn consistent payouts you are most likely going to quit or feel very very unmotivated and your mind will think that you are not a good hacker, which can feel very bad.
The million air hackers that you hear about online and social media have been hacking since they were very young or they just have a unique mindset that no one will understand, they have been in this game since the beginning they have everything mapped out, they know there targets infrastructure, naming conventions, they have already collected recon and they are just brilliant minded people which we should all respect not be Jealous.
The correct mindset based on my opinion is to enter this extremely competitive hacking game with having a vision of gaining experience and reputation. There are so many good things about this mindset one being the potential opportunity for work which therefore leads to consistent earnings. I’m going to be completely honest, I don’t have any certifications and I don’t think I ever will just because I love the freedom of learning at my own pace, I get lot’s more done that way and I can retain more knowledge and information.
How Can I Become A Successful Hacker?
Before I go over this question, I would like to ask you two questions.
- Are you wanting to reach the destination fast?
- Are you hacking because you like it and it’s your passion?
If you selected number two then that’s great! I think you are awesome.
If you selected number one then you are not in it to become a successful hacker you are in it for the short term, which I don’t really like.
My way I became reasonably good at hacking, not a leet, no one is a leet because there is so much to learn and so many different fields of hacking that branch off to different directions people who claim that they are leets, are just kids in my opinion and it’s very immature, to be honest. The way I learnt hacking, was to pick an area that I liked and felt comfortable to learn, and research about it. Mine started off learning wireless security then to Bluetooth security and now Web security, I found that I enjoyed web hacking much more than the others and it felt better, it was never about the money for me.
I started off reading the web applications handbook
Then I researched each vulnerability class on google and started practising in the wild.
I decided to go further with this and did some micro-courses on Cybrary
They provide a very good comprehensive secure code course which I enjoyed.
I then discovered there were bug bounty programs out there so I signed up and started testing on sites they provided, and yes!! it was very very hard.
It took about 1 year before I got my first bounty and it was a crappy vulnerability that Nessus found. I kept learning, researching and reaching out to people for some help and one thing to note when reaching out to people.
Never spam people and ask them a million things at once, be very direct and to the point they are not going to tell you everything they are going to want you to learn yourself, if you cannot learn yourself then you will never be a successful hacker it’s all about research.
After being in the game for some time now, I can proudly say that there is ONE MASSIVE GAME CHANGER, do you want to hear? ok, here we go. Never impulsively report, always provide impact and never just report when you find something for an example Cross-Site Scripting I can understand how hard this would be and don’t worry I was in the same boat, I always reported XSS because my mindset was I’m going to get a payout but until you learn not to do this and stay away from the crowd, you will most likely get some N/A or informative. Some of the ways you can avoid N/A’s are:
- Stay away from vulnerabilities everyone else is reporting.
if it is a vulnerability that’s very common to report like XSS look for this vulnerability in places where no one has looked before or come up with a new method to look for it. e.g: Dispatcher Bypasses in Adobe Experience Manager -> XSS
- Stay away from tools that everyone else is using such as nuclei.
if you use tools like nuclei make sure you develop your own templates that are not listed on their repository, this will greater increase the chance of finding vulnerabilities no one else has found.
- Choose a vulnerability class and get good at it.
This was one of my biggest game-changers because I chose a class that not many people look for which helped me improve my P1 skills.
- Collaborate with other hackers and expand your connections.
Building up connections can help improve your hacking skills and it just feels good to meet other people who have the same interests.
What are the Pro’s and Con’s
I saved the best til last.
Pro’s
The great thing about bug bounty hunting is it puts your foot in the door, you pretty much have to do most things a professional pentester would do during a pentest except at a much smaller scale like you would not need to write a massive report with an executive summary, risk matrices, scope, methodology, documentation of findings with a detailed summary, mitigations and so on, it just needs to be written well and explained well enough so the triager understands the impact. Another pro is it can pay well and it most certainly allows you to build a reputation and become a better hacker, which may lead to a job opportunity.
Cons
Some of the bad things would most certainly be going down the rabbit hole of earning heaps of money. Another common one is people quitting their job to work full time as bug hunter which is a massive risk to take. It’s also very hard to find bugs because the targets you are given people have already tested before you and you are in the unknown if someone has found a particular vulnerability. Payouts can take weeks, it’s very competitive now and you need to have a different mindset than other hackers and lastly, you can get burnt out quickly and feel down for ages.
Summary
So, that is pretty much the end of my write up, so to summarise what I talked about in bullet form:
- Don’t compare yourself to others
- Don’t rely on money too much
- Avoid risks as much as you can
- Collaborate and respect people
- Hacking should be considered a passion
- Stay away from the crowd
And finally, be the best person you can be, we all make mistakes if we didn't we would not be human, mistakes are a way of learning.
I hope you enjoyed this write up and I hope you have all learnt something new and exciting to try, until next time happy hacking have a nice day.
Peace out! ✌️
