A go through of a bug bounty platform

step 3: let’s go through the bug bounty platform

Welcome to the third post of the 6M Challenge of Bug Bounty edition where you will go through the bug bounty platform. You will understand how the platform is designed and which sections are made for what.

First of all join us on the discord channel, where we have created different sub-channel for 6M participants to solve their doubts and have an interaction with the community. Go to #self-roles and tap on that animated heart to join the 6M sub-channel. Link: https://discord.gg/CZuS9Fh

Now I hope that you have finished the tasks given in the previous post, i.e.:

  • Installing Kali Linux on a virtual machine or as a principal OS(it’s your choice)
  • Learn about encoding from the link given above
  • Complete all the pending learnings.

If you have completed it, then cool, otherwise, complete the pending tasks because now we are going to be more practical with the tasks. Without having the knowledge of the topics we discussed before may lead you nowhere.

let’s start the go through of our bug bounty platform

  • Open a new tab in the browser and open either https://hackerone.com or https://bugcrowd.com, select anyone from these two. Now, you’ll see a list of programs which we can test on.
  • For example, if I log in on HackerOne and go to https://hackerone.com/directory, I can see many programs. Scroll down to see all the programs available. The security program of HackerOne itself is the last program on the list when sorted by date (newest to oldest).

what is a vulnerability program?

Let’s try to understand what a vulnerability program means, and what these terms in the programs mean. When we go to https://hackerone.com/security, this is the vulnerability disclosure policy page of HackerOne. On right, you’ll see a pink “Submit report” button, which we’ll use to report bugs when we will find one.

There are several tabs here – “Policy”, “Hacktivity”, “Thanks” and “Updates”. We’ll go to each of them soon, right now we’re on the Policy tab, let’s explore this tab first. The first section is “Rewards” with a color code scheme for different kinds of bugs.

  • Yellow for “Low”
  • Orange for “Medium”
  • Pink for “High”
  • Red for “Critical”.

what does this mean?

See, there are hundreds of different kinds of bugs to be found on websites, some of them are super dangerous for companies – like SQL Injection or Remote Code Execution, which can potentially give you control of the entire website, so such bugs will be categorized as “Critical” bugs, i.e. Severity of these bugs is critical.

Bugs like Stored XSS could be categorized as “High”, and other bugs like Reflected XSS or Content injection, or Open redirect could be categorized as “Low” or “Medium” depending on what impact those bugs can make. Don’t worry, we will be telling you about types of vulnerabilities and how to detect them also.

Alright, I hope you understood what the severity of a bug means, it is basically the categorization of bugs on basis of danger they can pose to a system.

what rewards will you get?

Next, we see, website names written with amounts written under them. These are the rewards that you could get for finding a particular kind of bug on a particular website. For example, the first row of the table has “https://hackerone.com” and they’ll pay you

  • $500 for bugs of Low severity
  • $2500 for medium severity bugs
  • $12500 for high and $23893 for Critical severity bugs

Just scroll below, and you’ll see different assets of the company, and the reward they pay for those assets. Rewards can be different for different websites owned by the same company because some assets are more precious than others.

what types of bugs can be reported?

When you scroll down more, there is a lot of obvious text, that’s the structure of bug bounty programs, read it. Now I’d like to explain the “Scope Exclusions” section. There are a few bugs listed down there, which WILL NOT BE ACCEPTED by HackerOne because they do not pose any significant security threat to the company or their customers. So, when we will start hunting bugs, we shall remember that WE WILL NOT HUNT FOR THOSE BUGS and waste our time.

Scroll down more and checkout the “Scopes” section, they’ve listed out domains, or applications that we’re supposed to test for bugs. Just below that option, there is an “Out of scope” section, which means we won’t look for bugs in that section either, because they won’t accept your report, or pay you a reward if you report any bugs found in those places.

Alright, end of the page.

learn from previous reports

Go to the top, and click on “Hacktivity“, you’ll see links enlisted. These are bug reports which were reported to Hackerone, and then were resolved by the company, and now they’ve made these reports public for hackers to see and learn from these reports. You shall open a few of those reports and read them, although there could be too much jargon and you might not understand what all that stuff means, just take a little experience.

you will be featured here

Tab next to “Hacktivity”, is “Thanks”. It’s a list of hackers who reported bugs and now they’re on the Thanks page of the company, it’s basically a token of recognition and thanks for hackers who reported those bugs. I believe that you will also be on this list soon and we, TSFAM will be proud of you.

Till here, you must have understood how to read and understand vulnerability disclosure program policies, aka bug bounty program policies. Bugcrowd has a similar structure. You can checkout their programs as well on https://bugcrowd.com/programs, and click on their programs too, take a look to understand, it has a pretty similar structure.

For today, it’s done from our side, now it’s time for you to explore…

Tasks to be completed:

  • Go through the HackerOne website and explore each and every option that we discussed in this post
  • Read the previous reports that are made public, so that you will get an idea.

See you in next post 🙂