Bug Bounty Performance Pressure

In this blog post I’m going to cover performance pressure during bug bounties.

I wrote this blog post because I’ve seen a lot of new people in the Bug Bounty community struggle to find their first bug due to performance pressure.

About me.
Hi, I’m Fouad Maakor, a security researcher who mostly does bug bounties on the side to expand my knowledge in the security field.
I started doing Responsible Disclosures and switched to Bug Bounties. I have found many awesome bugs over the past 2 years, for example at Harvard University and many other big companies.

Bug Bounty
Maybe you saw in the news “Teenager awarded $100.000 after reporting a bug”, or you heard a good friend talking about how companies pay you for reporting bugs.

It’s a nice way to make good money if you are very experienced at it. But most people see it as a “Get Rich Quick” method because it looks so simple. For example, companies pay you $10.000 for a Critical impact bug. But it can take ages to find one on a good bug bounty program.

Performance Pressure.
It seems a lot of new people in the bug bounty community ask “how do you find your first bug?”. Maybe you are one of them, or have been. Let’s go over some topics in order to determine whether you lack skills or whether it’s the pressure.

Why?
First of all, ask yourself: what attracts you to bug bounties? Is it the money, or the journey of helping companies you admire keep the bad guys out?

Bounties.
In the first couple of weeks doing bug bounty I was finding nothing. I was watching nonstop videos on how to do bug bounty, and I simply wasn’t happy with my results.

Then I discovered something called Responsible Disclosure, or “VDP”: vulnerability disclosure programs.
Basically a bug bounty program, but you don’t get rewards.
The best thing I’ve done is to start searching for the vulnerabilities I wanted to find.

For example, I was really into finding XSS “Cross-Site Scripting” because it was the easiest thing for me to learn. It took me a couple of months to fully understand how XSS works and how to find it. Once I knew a bit more about XSS, I started hunting for it on vulnerability disclosure programs. At the beginning it was simple, basic sites where I found XSS.

Now you think: what has this to do with rewards? You have to start somewhere small in the beginning and learn step by step. A couple of months into researching how to find XSS, I found one on the largest Dutch tech news site. I wasn’t expecting anything from this report, until I got an e-mail back saying that the report was eligible for a reward.

– Don’t expect anything, from anyone.

Like this quote says, you should never expect anything for a bug report. That way you won’t get disappointed and fall back into a performance pressure mood.

Skills
Most of the time it is a lack of skills that keeps you stuck in the beginning phase of becoming a good security researcher. What worked for me was to choose a specific vulnerability you want to be good at finding. In my case it was XSS “Cross-Site Scripting”. I started with a book called
The Web Application Hacker’s Handbook, a great way to get started in Web Application hacking.

After I got a bit more familiar with XSS, I started looking for it on the sites of small companies that have Responsible Disclosure Policies. After some more months I got the hang of it and started looking at bigger sites that have good WAFs “Web Application Firewall”.

But then I got stuck, because I wasn’t finding anything on those big sites. When I look back, it went a bit too fast for me. I was finding on average 10 bugs a month and suddenly I couldn’t find anything on bigger sites that pay rewards for bugs.

I took a break because I was frustrated at finding nothing. During that break I started reading Bug Bounty write-ups, a great way to see how other researchers found their bugs.

After that I got my first ever Bug Bounty. I wasn’t thinking about getting a reward for it, but somehow that company had a Bug Bounty policy.

If you are stuck and not finding what you are looking for, take a break. Go do something you enjoy like biking or walking outside; maybe you will get some great ideas on how to find it during a walk.

It’s not all about finding bugs very fast; even the most experienced bug bounty hunters get stuck sometimes. As long as you learn step by step how vulnerabilities work, you will find them much more easily.

Did you know that fully mastering a skill takes 10.000 hours? It takes 4 hours a day of learning to get there.

– Vatsal Agarwal (but it’s going to be a long walk before you get there, and most simply give up)

Some tips.
What if nothing helps against getting too much pressure while searching for bugs?
From my experience, I would completely stop hunting for a week; it can last longer or shorter depending on your cooldown period. After some time you will feel boredom and want to hunt again.
During that boredom period, try to gather more information on whatever you are stuck on.
Look at the end of the blog for some useful links. Try reading some write-ups about SQL injection if you are stuck on that. Why not go straight back to hunting after a cooldown period?
Simply because most of the time you will fall back into the burnout phase sooner or later, because you were stuck due to a lack of skill on that specific bug.

Don’t rush your searching; take your time so you are comfortable. Learning and more learning will be more effective than rushing everything. After a while of hunting and learning you will find yourself finding bugs more easily, and maybe you will be lucky enough to get a nice bounty.

– Rome was not built in 1 day, and neither are your bug hunting skills.

Here are some useful links for practicing:

https://www.amanhardikar.com/mindmaps/Practice.html
https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470
https://blog.intigriti.com