Cybersecurity In-Depth

The Edge

Bug Bounty Hunters' Pro Tips on Chasing Vulns & Money

From meditation to the right mindset, seasoned vulnerability researchers give their advice on how to maximize bug bounty profits and avoid burnout.

(continued from previous page) 

"Pick a program for a company that you use every day or relate to — one that you'll feel more invested in," Kinser says. "You'll have more drive to protect that data and that company."

Kinser works on both sides of the bug bounty coin. She's also the chief information security officer at health IT company LifeOmic, which runs a bug bounty program through HackerOne. Her experiences have reinforced how important communication and engagement is for both the vendor offering the bounty and hackers hunting for vulnerabilities," she says.

"Hackers need to show why the bug is important, and the company needs to give feedback to the hacker — if it's not important or valid, why that is. That feedback from the company helps get hackers to search for the critical finds," she says. "On our program that I run, I try to get creative with it. We have a public Slack channel for any hacker on our program. If they think they're close on a bug they can engage with us, ask questions."

In addition to communicating early with the vendor, Kinser advises bug hunters to clearly document their work so they can show the vendor why the bug is important. Without that effort to communicate clearly, the importance of critical vulnerabilities can be lessened or even lost on vendors. But hackers getting started should take heed of organizations that have reputations for not engaging with hackers or outright betraying them as voting-technology company Voatz did earlier this year, she points out.

Frustratingly, she says, "I've submitted reports that have sat for months and months. Now I spend my time on companies where the engagement is high."

Be Adaptable
It's also important for beginning bug hunters to not get discouraged by the rapidly changing bug-hunting landscape, according to an experienced bounty participant based in England who declined to be identified for the story. 

"For what used to be a simple cross-site scripting vulnerability now requires much more skill to get. We're seeing a lot more APIs, where everything is connected to the Internet of Things," she says. "It's not just important to follow what people did three years ago but to look at what works this year, such as far more frameworks with security controls built in."

However, she also says while it's important to stay abreast of the latest hacking trends, legacy code is still just as susceptible to vulnerabilities as new software. In the first year of Norwegian classified advertisements website's private bounty program, run through HackerOne, the company received 221 bug reports. A total of 129 earned $55,000 for 31 hackers, but one of the most critical vulnerabilities was found in a one-line change in old code. 

"That flaw tells us that all changes, both big or small, are worth investigating," the company concluded in its report on the bounty program's results published Oct. 21.

This Is the Way
The actual process of getting started requires no more than picking a target that has at least a vulnerability disclosure program, if not a paying bug bounty. Without one, even well-intentioned hackers can run afoul of anti-computer hacking laws such as the Computer Fraud and Abuse Act in the U.S. A new guide from Harvard Law School and the Electronic Frontier Foundation lays out some of the legal risks of security research.

A mindset built on inquisitiveness and tenaciousness will take hackers further in finding bugs than staying on top of the latest automated tools for uncovering them — skills that must be learned but are hard to teach. 

Or as Mandalorian Din Djarin and others of the Mandalorian creed explain their philosophy, "This is the way." For real-world bug bounty hunters, the way starts however you can make it work, but the creed is the same: Nothing replaces hard work.