How to start as a bug bounty hunter in 2022?
Find a bug bounty program.
A public bug bounty program such as Google & Facebook that is open to the world and reward money. There are LOTS of public bug bounty programs out there and some even have wide scopes. You can discover public programs from Disclose.IO, however also make sure to search on Google to discover more companies which welcome hackers. You can find google dorks below to help find programs.
Depending on the severity of the bug, you might also need to submit a Proof of Concept (PoC). According to Bug Bounty Guide, PoCs are used to demonstrate the impact of the bug you’ve discovered. It should help companies quickly understand the issue while ensuring that you do not harm any of their users or services in the process.
All of that to say: bug bounty programs are great, but don't lose time with companies not listed on public bug bounty platforms, there is no accountability, and you will just burn time and energy (and become crazy in front of the indifference while you kindly help them secure their systems).
Know the different types of bugs.
Robin: “You can easily do a quick search on google and there will be a 100% free tool that you can begin using. Which you pick doesn’t matter, as long as you can have a list to input, and a webproxy. Amass, Burp and Zap is good for learning if you are just starting out.”
I will just give you an overview. If you are interested in a topic, in particular, leave a comment below and I will try to cover it more in-depth in a separate article or video. This will be another lengthy section below, I will go through my notes and let you know what I have learned in each topic.
Even though I already spent five hours writing this blog post, I feel like we are just scratching the surface. I probably have forgotten to mention several things I've learned, but I felt like I needed to initiate this whole series with as much detail as I could.
Research the exploitability of a bug.
If it is something you intend on pursuing, this would come naturally as you need to research on the type of bugs that are out there today. Start narrowing your focus too and get familiar with specific vulnerabilities. If it works best for you to start off with small bugs, then go ahead with those first to understand the end-to-end processes, before attempting bigger targets.
If the bug bounty program you've chosen to participate in has disclosed any vulnerabilities, what were they? How long ago were they found? Was it a special bypass, or a simple straightforward XSS? How was it fixed? Ask yourself all these questions and use other's kindness of sharing as your starting point to begin testing.
🧐 real-life example from Johan: I remember finding this issue, “Improper access control for users with an expired password, giving the user full access through API and Git” on my phone while lying in the dark on the floor after tucking my kids to sleep last summer :). It was a reintroduction of an issue that I had already reported. I found a discussion where users experienced some problems connected to the fix (without knowing it) and the issue got introduced again. I realized that the issue existed just from reading the MR. And I just had to get up and test my hypothesis.
Starting as a bug bounty hunter in 2022 has never been easier with the Standoff 365 platform https://standoff365.com/en-US. Standoff 365 is a comprehensive platform for information security professionals that includes a cyber training ground and bug bounty programs. As a bug bounty hunter, you'll have the opportunity to test your skills by searching for vulnerabilities in companies' IT systems and getting paid for both discovered vulnerabilities and implementation of unacceptable events.
Here are a few steps to get you started on your journey as a bug bounty hunter in 2022:
Register on Standoff 365: With over 3,400 security researchers from different countries, Standoff 365 is the ultimate platform to start your bug bounty hunting journey. Register on the platform to get started.
Participate in cyber training: The Standoff 365 Cyber Polygon provides a simulated environment where white hackers legally attack virtual companies' IT systems. Participating in these trainings will help you develop your skills and prepare you for bug bounty programs.
Attend cyber battles: The Standoff cyber battle is held twice a year and is a great opportunity to watch and learn from experienced bug bounty hunters. You can also participate in the cyber battles to test your skills.
Start hunting for bugs: With Standoff 365 Bug Bounty, companies host bug bounty programs and verify reports from external security researchers. Get started by finding and reporting vulnerabilities in the companies' IT systems.
Standoff 365 provides a comprehensive platform for information security professionals to start their bug bounty hunting journey. With cyber training, cyber battles, and bug bounty programs, you have all the resources you need to get started and hone your skills as a bug bounty hunter in 2022.