a bug hunter’s guide to bounty universe
TRANSCRIPT
Tips, tricks and things you should know
A BUGHUNTER’S GUIDE TO BOUNTY UNIVERSE
WHOAMI
$ id -un
Faraz Khan
$ groups farazkhan
Bugcrowd Application.Security.Engineer Hacker _Bountyhunter Penetration.tester
$ lastcomm farazkhan [Activity logs]
Bugcrowd Tech-OPS team member
Bounty Hunting
Writing Articles at SecurityIdiots.com
Working as a penetration tester
AGENDA
– How we handle Generic Scenarios
– How and when to escalate
– Things we consider when Inviting researchers for Privates
– Understanding the Program briefs
– Vulnerabilities Taxonomy Standards
SYSTEMIC BUGS
– How we handle such situations
– Vulnerabilities that may fall under this criteria
  • CSRF
  • Missing Authentication/Authorization
  • SQLi
  • XSS
  • File Upload
– Why/how systemic bugs arise
DUPLICATES BUT DIFFERENT PRIORITY/IMPACT
– Finding out the difference
– Minor Impact submission after higher risk
– Higher Impact submission after lower risk
– Prioritize as per the extra Impact found
SAME BUG IN A URL BUT DIFFERENT PARAMETER
– Reflected XSS
– Stored XSS
– SQLi
– Missing Auth
– Open Redirect
SUBMISSION WAS ONLY REPRODUCIBLE WHEN REPORTED.
– Proof of concept
– Applicability of the vulnerability existence
– Current behavior of the application
SCOPE CONTAINS MULTIPLE DOMAINS, BUT ONLY THEIR LANGUAGE VARY
– Why would they insert such domains?
– Same bugs on different domains: will they be considered as a single issue?
WHY XSS PRIORITIES MAY VARY
– Self Reflected/Stored XSS
– Authenticated XSS
– Unauthenticated XSS
– Higher-level user to lower-level user
– Lower-level user to higher-level user
SUBMISSION CLOSED EVEN AFTER GETTING TRIAGED
– Closed as N/A
– Closed as P5/Won’t fix
– Closed as duplicate
DIFFERENT URLS BUT STILL CLOSED AS DUPLICATE
– RESTful URL
– Universally Vulnerable Parameter
– Systemic Bugs
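To make the "RESTful URL", "universally vulnerable parameter" and language-only-domain cases from these slides concrete, here is an added Python example. It is my illustration, not Bugcrowd's tooling and not code from the talk: it canonicalises reported URLs (collapsing RESTful identifiers to a placeholder and dropping a leading language label from the host) and then groups submissions so a triager can see which reports collapse to the same endpoint and parameter, which hit the same endpoint through a different parameter, and which parameter is vulnerable across many endpoints. The language-label set, the ID-segment regex, the `Report` fields, the sample submissions and the threshold of three endpoints for the "systemic" flag are all constructed assumptions. The output is a set of candidates for human review, not a duplicate verdict.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumptions for this demo: language-only subdomains use one of these labels,
# and RESTful identifiers are decimal numbers, UUIDs or long hex strings.
LANG_LABELS = {"en", "fr", "de", "es", "pt", "it", "ja"}
ID_SEGMENT = re.compile(
    r"^(\d+"
    r"|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"|[0-9a-f]{24,})$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Report:
    rid: str          # submission id (constructed)
    vuln_class: str   # e.g. "XSS", "SQLi"
    url: str          # URL exactly as the researcher reported it
    param: str        # parameter the payload was injected into


def canonical_host(host: str) -> str:
    """fr.example.com -> example.com; api.example.com is left alone."""
    labels = host.lower().split(".")
    if len(labels) > 2 and labels[0] in LANG_LABELS:
        labels = labels[1:]
    return ".".join(labels)


def canonical_path(path: str) -> str:
    """/users/123/profile and /users/987/profile both become /users/{id}/profile."""
    segments = ["{id}" if ID_SEGMENT.match(s) else s for s in path.split("/") if s]
    return "/" + "/".join(segments)


def endpoint_key(r: Report):
    parts = urlsplit(r.url)
    return (r.vuln_class, canonical_host(parts.hostname or ""), canonical_path(parts.path))


def fingerprint(r: Report):
    """Endpoint plus parameter: two reports with equal fingerprints are duplicate candidates."""
    return endpoint_key(r) + (r.param,)


def triage(reports):
    by_fp, by_endpoint, by_param = defaultdict(list), defaultdict(set), defaultdict(set)
    for r in reports:
        by_fp[fingerprint(r)].append(r.rid)
        by_endpoint[endpoint_key(r)].add(r.param)
        by_param[(r.vuln_class, r.param)].add(endpoint_key(r)[1:])  # (host, path) pairs
    duplicates = {fp: ids for fp, ids in by_fp.items() if len(ids) > 1}
    same_endpoint_other_param = {ep: sorted(ps) for ep, ps in by_endpoint.items() if len(ps) > 1}
    # A parameter vulnerable on three or more distinct endpoints is flagged as systemic
    # ("universally vulnerable parameter"); the threshold of 3 is an arbitrary choice.
    systemic_params = {k: len(eps) for k, eps in by_param.items() if len(eps) >= 3}
    return duplicates, same_endpoint_other_param, systemic_params


# Constructed sample submissions (not real reports).
SAMPLE_REPORTS = [
    Report("R1", "XSS", "https://example.com/users/123/profile?tab=posts", "tab"),
    Report("R2", "XSS", "https://example.com/users/987/profile?tab=about", "tab"),
    Report("R3", "XSS", "https://fr.example.com/users/42/profile?tab=x", "tab"),
    Report("R4", "XSS", "https://example.com/users/123/profile?q=x", "q"),
    Report("R5", "XSS", "https://example.com/search?lang=x", "lang"),
    Report("R6", "XSS", "https://example.com/help?lang=x", "lang"),
    Report("R7", "XSS", "https://de.example.com/account/settings?lang=x", "lang"),
    Report("R8", "SQLi", "https://example.com/users/123/profile?tab=posts", "tab"),
]

if __name__ == "__main__":
    dups, multi, systemic = triage(SAMPLE_REPORTS)
    print("duplicate candidates:", dups)
    print("same endpoint, other parameter:", multi)
    print("systemic parameters:", systemic)
```

R1, R2 and R3 collapse to one fingerprint (RESTful id and language subdomain differ, endpoint does not); R4 hits the same endpoint through `q`, which the slide on "same bug in a URL but different parameter" treats as a separate question; `lang` reflected on three different endpoints is the systemic case. R8 stays separate because the vulnerability class is part of the key.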
XSS - INSERTION POINT VS EXECUTION POINT
– Insertion Point
– Execution Point
– Different ways to patch
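The insertion-point versus execution-point distinction, and why the patch location matters, as an added Python example (my illustration, not code from the talk). It models a hypothetical "display name" field as the insertion point and three execution points for the same stored value: an HTML body, a quoted attribute and a JavaScript string inside a `<script>` block. Patching at the insertion point with a tag-stripping filter stops the angle-bracket payload but leaves the attribute and script contexts exploitable; patching at each execution point with a context-specific encoder handles all three. The payloads, the filter regex and the render functions are all constructed.

```python
import html
import json
import re

# Constructed payloads for the demo (not from the slides).
BODY_PAYLOAD = "<img src=x onerror=alert(1)>"
ATTR_PAYLOAD = '" autofocus onfocus=alert(1) x="'          # no angle brackets at all
JS_PAYLOAD = '"; alert(1); //'                               # no angle brackets either
SCRIPT_CLOSE_PAYLOAD = "</script><script>alert(1)</script>"  # closes the script element


# --- Insertion point: the hypothetical display-name field written on profile save ---

def store_display_name_raw(name: str) -> str:
    """No patch at the insertion point: the value is persisted exactly as submitted."""
    return name


def store_display_name_tag_stripped(name: str) -> str:
    """Patch at the insertion point: strip anything tag-like on write. This only helps the
    HTML-body execution point; attribute and script contexts need no '<' or '>' to
    break out, so ATTR_PAYLOAD and JS_PAYLOAD pass through untouched."""
    return re.sub(r"<[^>]*>", "", name)


# --- Execution points: the same stored value rendered into three contexts, unencoded ---

def render_body_unsafe(name: str) -> str:
    return f"<h1>Welcome, {name}</h1>"


def render_attr_unsafe(name: str) -> str:
    return f'<input name="display" value="{name}">'


def render_script_unsafe(name: str) -> str:
    return f'<script>var displayName = "{name}";</script>'


# --- Patch at the execution point: encode for the context the value actually lands in ---

def enc_html(s: str) -> str:
    """HTML body and quoted-attribute context: entity-encode & < > \" and '."""
    return html.escape(s, quote=True)


def enc_js_string(s: str) -> str:
    """JavaScript string context inside <script>: JSON-encode (quotes, backslashes,
    newlines) and additionally escape < > & so the HTML parser can never see a
    '</script>' inside the literal. Returns the literal including its quotes."""
    literal = json.dumps(s)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_body_safe(name: str) -> str:
    return f"<h1>Welcome, {enc_html(name)}</h1>"


def render_attr_safe(name: str) -> str:
    return f'<input name="display" value="{enc_html(name)}">'


def render_script_safe(name: str) -> str:
    return f"<script>var displayName = {enc_js_string(name)};</script>"


# --- Crude breakout detectors, enough to show which patch holds in which context ---

def attr_breaks_out(rendered: str) -> bool:
    """The safe <input> has exactly four double quotes; any extra means value= closed early."""
    return rendered.count('"') != 4


def script_breaks_out(rendered: str) -> bool:
    """True if the literal was closed early (an unescaped quote) or the element was."""
    inner = rendered[len("<script>var displayName = "):-len(";</script>")]
    unescaped_quotes = re.findall(r'(?<!\\)"', inner)
    return "</script" in inner.lower() or len(unescaped_quotes) != 2


if __name__ == "__main__":
    stored = store_display_name_tag_stripped(ATTR_PAYLOAD)
    print("filtered at insertion, attribute context:", render_attr_unsafe(stored))
    print("encoded at execution, attribute context:", render_attr_safe(ATTR_PAYLOAD))
    print("encoded at execution, script context:", render_script_safe(SCRIPT_CLOSE_PAYLOAD))
```

The practical consequence for triage is on the slide: a report that names only the insertion point may be closed after a filter is added on write, while the same stored value still executes at an attribute or script execution point, which is a different fix and sometimes a different submission.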
HOW AND WHEN TO ESCALATE
– Standard response time
– Unclear closure of submission
– Lesser Priority
– Lower Reward
THINGS WE CONSIDER WHEN INVITING RESEARCHERS FOR PRIVATES
– Ranked under 250
– Verified researcher
– Finder of higher-impact vulnerabilities
– Activity logs
– Trusted Researchers
– Researcher’s behavior
https://blog.bugcrowd.com/a-look-at-private-bounty-program-invitations/
https://blog.bugcrowd.com/become-part-of-the-id-verified-crowd
UNDERSTANDING THE PROGRAM BRIEFS
– Scope
– Out of Scope
– Exclusion list
– Other Exceptions
VULNERABILITY TAXONOMY STANDARDS
– Vulnerability standards and priority taxonomy
– Bug variants
– Standard Taxonomies vs Program briefs
Questions?
Learn more and get in touch:
BUGCROWD.COM
Code:
Bountycraft code for attending this talk: tuner lure diopside