How to Earn money as a Bug Bounty hunter
Are you a coder or white-hat hacker looking to make some money on the side? Bug bounty hunting might be the perfect gig for you.
What Is Bug Bounty Hunting?
Bug bounty hunting is being paid to find vulnerabilities in software, websites, and web applications. The security teams at major companies don’t have enough time or manpower to squash all the bugs they have, so they reach out to private contractors for help. Basically, you use your tools to break things (or break into things), write up a vulnerability report to the company who’s issued the bounty, then get paid. Some hackers make tens of thousands of dollars a year on the side just hunting bugs.
To do it, however, you’ll need to at least know some basic coding and computer skills. Fortunately, Lifehacker has tons of great resources to help get you started, and coding is pretty easy to teach yourself. That said, if you have no idea what any of this stuff means as you read on, bug bounty hunting probably isn’t for you.
Do Some Research and Get Your Tools
Once you’ve got a grip on basic coding, you need to take a deep dive into web applications and how they work. Lucky for you, there’s tons of great resources out there that can point you in the right direction. Start by reading:
The Web Application Hacker’s Handbook ($30)
OWASP Testing Guide v4
Then get the right tools. You’ll need:
Kali Linux (free)
Burp Suite ($349 a year, but very popular)
OWASP Zap (free alternative to Burp Suite)
Then check out the OWASP WebGoat lab, where you can practice finding bugs and vulnerabilities in web applications, and take a look at the Google Bughunter University as well. They have lots of great information bug hunting and how to write solid vulnerability reports that will get you paid. Sites like Bugcrowd and HackerOne can help with that aspect as well.
Find Bug Bounty Listings and Go Hunting
Once you’re armed with knowledge and the right tools, you’re ready to look for some bugs to squash. Companies will often have a link somewhere on their website offering bug bounties, but they can be hard to find. You’re better off checking a bounty board where hackers are reading publicly disclosed vulnerability reports and updating an active list on the daily. Like these:
HackerOne
Bugcrowd
Vulnerability Lab
Fire Bounty
HackerOne also offers Disclosure Assistance, which is a place where a hacker can report any vulnerability to any organization. Even if the organization doesn’t have a vulnerability program, they can contact them and deliver the report. It also helps to join a bug bounty hunter community forum—like those sites listed above—so you can stay up to date on new bounties and tools of the trade. To hunt bugs you also have to be willing to continually learn as you go. Web applications and bug hunting tools are constantly updating, so you need to be on the ball if you want to do things right.
Update: A representative of HackerOne reached out to note their “disclosure assistance” program. The text above has been updated with this information
No comments:
Post a Comment