Step 1: Getting started with bug bounty
Hey hey! Welcome to our new “Learn & Earn Roadmap” for bug bounty, which takes you all the way from “How to start bug bounty” to “How and where to hunt bugs”. These aren’t just technical bugs; they are golden bugs that can make you financially independent. So fire up the hunter inside you: it’s time for bug bounties, where we hack websites for money and fun, with the owner’s permission.
HackerOne has paid out $100 million in bounties to hackers so far, and according to a 2018 report 13% of all bounties earned went to Indian hackers, second only to American hackers, who earned 17% of the total.
Personally, I earned a few hundred dollars when I was in 10th class, climbed into the top 1000 hackers on Bugcrowd, and made enough money to buy myself a good high-spec laptop. A severe, original bug can earn you anywhere from $50 to $10,000, so it’s a good way to make money.
Today’s post is pretty basic and introductory: it lays the groundwork for a bug hunting environment (the Kali Linux install is part of that), as we have to take care of absolute beginners too.
What Is Bug Bounty and Bug Hunting?
To give an analogy, imagine your neighbour has gone out. You happen to pass by the house, you notice a problem with the lock, and using your skills you open it in a few minutes WITHOUT A KEY. Now, do you steal their stuff? Or do you be a good boy/girl, take nothing, and tell your neighbour about this weakness in the security of their house? They might even buy you a burger for helping them secure their property and being honest 🙂 The only difference between the thief and the helper is what they do once the door is open.
Similarly, you can find bugs/vulnerabilities in the applications of organisations (for example, facebook.com) that could be used to steal passwords or session cookies, make someone like your post, or accept your friend request without them knowing (the browser is tricked into sending a request the victim never chose to make). Small or big, these bugs are real risks for companies, so they are willing to pay us money if we help them secure their systems.
Now imagine you find a bug. You report it to the concerned company through its program, it gets validated (the platforms call this triage), and the company fixes it. Depending on the program, the bounty is paid once the report is validated or once the fix is deployed; until the company says otherwise, you keep the details private. This whole process is called bug hunting, and the money you get for it is the bounty.
Alright, enough theory. Action time. We have to do two things: 1. find bugs; 2. report them to the respective programs. But testing somebody else’s system without permission is illegal, so we only test what an organisation has explicitly authorised, within the scope and rules its program publishes. That is why we enrol on the platforms where all of this (permission, scope, reporting, payment) is handled for us.
Join the bug hunting platforms
While there are many bug hunting platforms that coordinate the bug bounty programs of companies, some companies run their own programs. The two most famous platforms are HackerOne and Bugcrowd. Between them they host hundreds of bug bounty programs and thousands of applications and websites for us to find bugs on. Cool, right? 🙂
Some other platforms are Intigriti (European companies), HackenProof, Bountyfactory, Synack and Zerocopter. Synack and Zerocopter are invite-only, so our beginning has to be on HackerOne, Bugcrowd, Intigriti, HackenProof and Bountyfactory. You can create accounts on all of these if you want to, although I’d suggest going with HackerOne and Bugcrowd for now.
Ready to go?
Alright, we’ve created accounts. Next, let’s prepare our arsenal. We have to learn a few things before we actually start attacking websites and applications:
- How web pages work – basic HTML and JavaScript.
- How the internet works – networking protocols, HTTP in particular.
- The tools to be used.
Learning resources:
Don’t worry about the resources; what are we here for? Just go through these tutorials and websites to learn the basics for free.
- HTTP Crash Course & Exploration
- OSI Model
- Basics of Networking
After these basic tutorials and concepts, learn HTML and JavaScript from https://w3schools.com. Make your own web pages if you want to; it will help you understand how web pages work, and later how an attacker’s input ends up inside them.
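To make the HTTP part concrete, here is an added example (my own illustration, not code from the original post) of what a request and a response actually look like on the wire, plus the first thing a hunter checks on any Set-Cookie header: whether the session cookie carries HttpOnly, Secure and SameSite. Those three attributes are what stand between the “steal cookies” and “accept your friend request without them knowing” bugs mentioned earlier and a real victim. The hostname example.com and the sample response are constructed for the example and were not captured from any real site.

```python
"""Added example, not from the original post: a raw HTTP/1.1 request and
response as they appear on the wire, and a first cookie-security check."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample response (made up for this example, not a real capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    b"Set-Cookie: tracking=xyz; Path=/\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"<html><body>hi</body></html>"
)

# Attributes a session cookie should carry, and what each one limits.
COOKIE_FLAGS = {
    "HttpOnly": "page scripts cannot read it (limits cookie theft via XSS)",
    "Secure": "never sent over plain HTTP",
    "SameSite": "not attached to most cross-site requests (limits CSRF)",
}


def build_request(method: str, path: str, host: str, headers: dict | None = None) -> bytes:
    """Assemble the bytes a browser or tool sends for one HTTP/1.1 request."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    # Request line, header lines, then an empty line ends the header block.
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


@dataclass
class HttpResponse:
    status: int
    reason: str
    headers: list[tuple[str, str]] = field(default_factory=list)
    body: bytes = b""

    def header_values(self, name: str) -> list[str]:
        """All values of a header (Set-Cookie legitimately repeats)."""
        return [v for n, v in self.headers if n.lower() == name.lower()]


def parse_response(raw: bytes) -> HttpResponse:
    """Split a raw response into status line, header list and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)          # version, code, reason phrase
    code = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return HttpResponse(code, reason, headers, body)


def audit_cookies(resp: HttpResponse) -> dict[str, list[str]]:
    """Map each Set-Cookie name to the protective attributes it is missing."""
    report: dict[str, list[str]] = {}
    for value in resp.header_values("Set-Cookie"):
        pair, *attrs = [p.strip() for p in value.split(";")]
        name = pair.split("=", 1)[0]
        present = {a.split("=", 1)[0].lower() for a in attrs}
        report[name] = [f for f in COOKIE_FLAGS if f.lower() not in present]
    return report


if __name__ == "__main__":
    print(build_request("GET", "/", "example.com", {"User-Agent": "bug-hunter/0.1"}).decode())
    resp = parse_response(SAMPLE_RESPONSE)
    print(resp.status, resp.reason, "with", len(resp.body), "body bytes")
    for cookie, missing in audit_cookies(resp).items():
        if missing:
            print(f"cookie {cookie!r} is missing: "
                  + ", ".join(f"{m} ({COOKIE_FLAGS[m]})" for m in missing))
        else:
            print(f"cookie {cookie!r} carries every expected attribute")
```

Run it and compare the printed request with what your browser’s developer tools show under the Network tab; they are the same bytes. A missing flag on a cookie is not a bug on its own, but it is the context that turns a small script injection into a full account takeover, so note it in every report.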
The next part is tools. But, but, but… we’ll do that part in the next post, because you already have plenty of tasks to complete before then. Just be honest with yourself about whether you really want to become a bug bounty hunter.
We aren’t charging anything to write these articles for you; instead, we are investing our time and money (domain and hosting) for people like you who want to become financially independent. So BE HONEST WITH YOUR DREAMS. Now, the tasks to complete before the next post:
Tasks to be completed:
- Join HackerOne and Bugcrowd with a cool hacker name, or your real name 🙂
- Learn HTML and JavaScript from https://w3schools.com
- Learn the basics of networking, especially the OSI model
This was the first article of the Bug Bounty roadmap by Anuj Yadav, a newly joined co-author of Technical Sapien. I hope you liked the article. If you have any queries, ask HERE. See you in the next post; until then, focus on your studies and become an IAS officer or whatever you’re aiming for 🙂