Dark Reading is part of the Informa Tech Division of Informa PLC

Edge Articles

11/5/2020
04:00 PM
Seth Rosenblatt

Bug Bounty Hunters' Pro Tips on Chasing Vulns & Money

From meditation to the right mindset, seasoned vulnerability researchers give their advice on how to maximize bug bounty profits and avoid burnout.

"Pick a program for a company that you use every day or relate to — one that you'll feel more invested in," Kinser says. "You'll have more drive to protect that data and that company."

Kinser works on both sides of the bug bounty coin. She's also the chief information security officer at health IT company LifeOmic, which runs a bug bounty program through HackerOne. Her experiences have reinforced how important communication and engagement are for both the vendor offering the bounty and the hackers hunting for vulnerabilities, she says.

"Hackers need to show why the bug is important, and the company needs to give feedback to the hacker — if it's not important or valid, why that is. That feedback from the company helps get hackers to search for the critical finds," she says. "On our program that I run, I try to get creative with it. We have a public Slack channel for any hacker on our program. If they think they're close on a bug they can engage with us, ask questions."

In addition to communicating early with the vendor, Kinser advises bug hunters to clearly document their work so they can show the vendor why the bug is important. Without that effort to communicate clearly, the significance of critical vulnerabilities can be diminished or even lost on vendors. But hackers getting started should be wary of organizations that have reputations for not engaging with hackers or outright betraying them, as voting-technology company Voatz did earlier this year, she points out.

Frustratingly, she says, "I've submitted reports that have sat for months and months. Now I spend my time on companies where the engagement is high."

Be Adaptable
It's also important for beginning bug hunters not to get discouraged by the rapidly changing bug-hunting landscape, according to an experienced bounty participant based in England who declined to be identified for the story.

"What used to be a simple cross-site scripting vulnerability now requires much more skill to get. We're seeing a lot more APIs, where everything is connected to the Internet of Things," she says. "It's not just important to follow what people did three years ago but to look at what works this year, such as far more frameworks with security controls built in."

However, she also says that while it's important to stay abreast of the latest hacking trends, legacy code is still just as susceptible to vulnerabilities as new software. In the first year of Norwegian classified advertisements website FINN.no's private bounty program, run through HackerOne, the company received 221 bug reports. A total of 129 earned $55,000 for 31 hackers, but one of the most critical vulnerabilities was found in a one-line change in old code.

"That flaw tells us that all changes, both big and small, are worth investigating," the company concluded in its report on the bounty program's results, published Oct. 21.

This Is the Way
The actual process of getting started requires no more than picking a target that has at least a vulnerability disclosure program, if not a paying bug bounty. Without one, even well-intentioned hackers can run afoul of anti-hacking laws such as the Computer Fraud and Abuse Act in the U.S. A new guide from Harvard Law School and the Electronic Frontier Foundation lays out some of the legal risks of security research.

A mindset built on inquisitiveness and tenacity will take hackers further in finding bugs than staying on top of the latest automated tools for uncovering them — skills that must be learned but are hard to teach.

Or as Mandalorian Din Djarin and others of the Mandalorian creed explain their philosophy, "This is the way." For real-world bug bounty hunters, the way starts however you can make it work, but the creed is the same: Nothing replaces hard work.

Seth is editor-in-chief and founder of The Parallax, an online cybersecurity and privacy news magazine. He has worked in online journalism since 1999, including eight years at CNET News, where he led coverage of security, privacy, and Google. Based in San Francisco, he also ...