
Bug Bounty Hunting Process

Bug bounty programs encourage security researchers to identify bugs and submit vulnerability reports. Getting into the world of bug bounty hunting without any prior experience can be a daunting task, though. This module covers the bug bounty hunting process to help you start bug bounty hunting in an organized and well-structured way. It's all about effectiveness and professionally communicating your findings.


Created by dbougioukas

Easy General

Summary

We usually consider a bug bounty program a crowdsourcing initiative through which individuals can receive recognition and compensation for discovering and reporting software bugs. Bug bounty programs are more than that, though. A bug bounty program (also called a vulnerability rewards program) is essentially continuous and proactive security testing that supplements internal code audits and penetration tests and completes an organization's vulnerability management strategy.

Regardless of the perspective (own profit vs. organizational security), the focus and the true power of bug bounty programs lie in the bug bounty hunters' skills and professionalism.

Bug bounty programs are pretty formal and process-based. For a bug bounty hunter to be successful, they should be not only skilled but also aware of:

  • How a bug bounty program is structured
  • Bug/report submission and communication processes

This module will cover the entire bug bounty hunting process and how to document your findings properly.


You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading."

The module is classified as "Easy" and assumes an understanding of information security fundamentals. The module also assumes basic knowledge of web applications and web requests, and it will build on this understanding to guide you through the entire bug bounty hunting process.

Bug Bounty Programs


As mentioned in this module's summary, we usually consider a bug bounty program as a crowdsourcing initiative through which individuals can receive recognition and compensation for discovering and reporting software bugs.

Bug bounty programs are more than that, though. A bug bounty program (also called a vulnerability rewards program - VRP) is continuous and proactive security testing that supplements internal code audits and penetration tests and completes an organization's vulnerability management strategy.

HackerOne aptly describes their bug bounty platform (that can host bug bounty programs) as "Continuous testing, constant protection" and as something that can be integrated seamlessly into an organization's existing development life cycle.


Bug Bounty Program Types

A bug bounty program can be private or public.

  • Private bug bounty programs are not publicly available. Bug bounty hunters can only participate in a private bug bounty program upon receiving specific invitations. The vast majority of bug bounty programs start as private ones and become public after getting the hang of receiving and triaging vulnerability reports.

    • Most of the time, bug bounty hunters receive invitations to private bug bounty programs based on their track record, valid finding consistency, and violation record. A representative example of this is how HackerOne deals with invitations based on specific criteria. Please note that certain bug bounty programs may even require a background check.
  • Public bug bounty programs are accessible by the entire hacking community.

  • Parent/Child Programs also exist where a bounty pool and a single cyber security team are shared between a parent company and its subsidiaries. If a subsidiary launches a bug bounty program (child program), this program will be linked to the parent one.

Something important to note is that the terms Bug Bounty Program (BBP) and Vulnerability Disclosure Program (VDP) should not be used interchangeably.

A vulnerability disclosure program only provides guidance on how an organization prefers to receive information on vulnerabilities identified by third parties. A bug bounty program incentivizes third parties to discover and report software bugs, and bug bounty hunters receive monetary rewards in return.

If you want to study the anatomy of a vulnerability disclosure program, refer to the following resource: VDP vs. BBP


Bug Bounty Program Code of Conduct

The violation record of a bug bounty hunter is always taken into consideration. For this reason, it is of paramount importance to adhere to the code of conduct/policy of each bug bounty program or bug bounty platform. Spend considerable time reading the code of conduct as it does not just establish expectations for behavior but also makes bug bounty hunters more effective and successful during their bug report submissions.

If you want to become an established bug bounty hunter, you will have to strike a balance between professionalism and technical capability.

We strongly suggest that you go over HackerOne's Code of Conduct to familiarize yourself with such documents.


Bug Bounty Program Structure

It is about time we see what a bug bounty program looks like. Navigate to HackerOne's bug bounty program list to go over some bug bounty programs. Take Alibaba BBP and Amazon Vulnerability Research Program as examples and go through their "Policy."

According to HackerOne: The policy section enables organizations to publish information about their program to communicate the specifics about their program to hackers. Organizations typically publish a vulnerability disclosure policy with guidance on how they want to receive information related to potential vulnerabilities in their products or online services. The policy also includes the program’s scope, which lists items hackers can test and send reports in for. It is often defined by the domain name for web applications or by the specific App Store / Play store mobile apps that a company builds.

A bug bounty program usually consists of the following elements:

  • Vendor Response SLAs: Defines when and how the vendor will reply
  • Access: Defines how to create or obtain accounts for research purposes
  • Eligibility Criteria: For example, be the first reporter of a vulnerability to be eligible, etc.
  • Responsible Disclosure Policy: Defines disclosure timelines, coordination actions to safely disclose a vulnerability, increase user safety, etc.
  • Rules of Engagement
  • Scope: In-scope IP ranges, domains, vulnerabilities, etc.
  • Out of Scope: Out-of-scope IP ranges, domains, vulnerabilities, etc.
  • Reporting Format
  • Rewards
  • Safe Harbor
  • Legal Terms and Conditions
  • Contact Information

In HackerOne's case, the above are usually included inside the Policy part of each program.

Please go over a bug bounty program's description/policy meticulously. The same goes for any "code of conduct" documents they may include. By doing so, you can meet expectations and avoid unnecessary back and forth that could cause significant time loss. In bug bounty hunting, time is of the essence!


Finding Bug Bounty Programs

One of the best online resources for finding bug bounty programs to your liking is HackerOne's Directory. The directory can be used to identify both organizations that have a bug bounty program and the contact information for reporting vulnerabilities you have ethically found.


Relevant Paths

This module progresses you towards the following Paths

Bug Bounty Hunter

The Bug Bounty Hunter Job Role Path is for individuals who want to enter the world of Bug Bounty Hunting with little to no prior experience. This path covers core web application security assessment and bug bounty hunting concepts and provides a deep understanding of the attack tactics used during bug bounty hunting. Armed with the necessary theoretical background, multiple practical exercises, and a proven bug bounty hunting methodology, students will go through all bug bounty hunting stages, from reconnaissance and bug identification to exploitation, documentation, and communication to vendors/programs. Upon completing this job role path, you will have become proficient in the most common bug bounty hunting and attack techniques against web applications and be in the position of professionally reporting bugs to a vendor.

Path difficulty: Medium. Path sections: 257. Required: 1410. Reward: +330.

Path Modules

  • Fundamental (8 sections, reward +10): This module introduces the topic of HTTP web requests and how different web applications utilize them to communicate with their backends.
  • Fundamental (17 sections, reward +10): In the Introduction to Web Applications module, you will learn all of the basics of how web applications work and begin to look at them from an information security perspective.
  • Easy (15 sections, reward +20): Web application penetration testing frameworks are an essential part of any web penetration test. This module will teach you two of the best frameworks: Burp Suite and OWASP ZAP.
  • Easy (10 sections, reward +20): This module covers techniques for identifying and analyzing an organization's web application-based attack surface and tech stack. Information gathering is an essential part of any web application penetration test, and it can be performed either passively or actively.
  • Easy (13 sections, reward +10): This module covers the fundamental enumeration skills of web fuzzing and directory brute forcing using the Ffuf tool. The techniques learned in this module will help us in locating hidden pages, directories, and parameters when targeting web applications.
  • Easy (11 sections, reward +10): This module will take you step-by-step through the fundamentals of JavaScript Deobfuscation until you can deobfuscate basic JavaScript code and understand its purpose.
  • Easy (10 sections, reward +20): Cross-Site Scripting (XSS) vulnerabilities are among the most common web application vulnerabilities. An XSS vulnerability may allow an attacker to execute arbitrary JavaScript code within the target's browser and result in complete web application compromise if chained together with other vulnerabilities. This module will teach you how to identify XSS vulnerabilities and exploit them.
  • Medium (17 sections, reward +10): Databases are an important part of web application infrastructure, and SQL (Structured Query Language) is used to store, retrieve, and manipulate information stored in them. SQL injection is a code injection technique used to take advantage of coding vulnerabilities and inject SQL queries via an application to bypass authentication, retrieve data from the back-end database, or achieve code execution on the underlying server.
  • Easy (11 sections, reward +20): The SQLMap Essentials module will teach you the basics of using SQLMap to discover various types of SQL Injection vulnerabilities, all the way to the advanced enumeration of databases to retrieve all data of interest.
  • Medium (12 sections, reward +20): Command injection vulnerabilities can be leveraged to compromise a hosting server and its entire network. This module will teach you how to identify and exploit command injection vulnerabilities and how to use various filter bypassing techniques to avoid security mitigations.
  • Medium (11 sections, reward +20): Arbitrary file uploads are among the most critical web vulnerabilities. These flaws enable attackers to upload malicious files, execute arbitrary commands on the back-end server, and even take control over the entire server and all web applications hosted on it and potentially gain access to sensitive data or cause a service disruption.
  • Medium (19 sections, reward +20): A backend that handles user-supplied input insecurely can lead to sensitive information disclosure and remote code execution. This module covers how to identify and exploit server-side bugs. This module introduces Server-Side Request Forgery (SSRF), Server-Side Template Injection (SSTI), and Server-Side Includes (SSI) injection attacks, alongside other server-side vulnerabilities.
  • Easy (11 sections, reward +20): Learn how to brute force logins for various types of services and create custom wordlists based on your target.
  • Medium (14 sections, reward +20): Authentication is probably the most straightforward and prevalent measure used to secure access to resources, and it's the first line of defense against unauthorized access. Broken authentication is currently listed as #7 on the 2021 OWASP Top 10 Web Application Security Risks, falling under the broader category of Identification and Authentication failures. A vulnerability or misconfiguration at the authentication stage can devastatingly impact an application's overall security.
  • Medium (18 sections, reward +20): This module covers three common web vulnerabilities, HTTP Verb Tampering, IDOR, and XXE, each of which can have a significant impact on a company's systems. We will cover how to identify, exploit, and prevent each of them through various methods.
  • Medium (11 sections, reward +10): File Inclusion is a common web application vulnerability, which can be easily overlooked as part of a web application's functionality.
  • Medium (14 sections, reward +20): Maintaining and keeping track of a user's session is an integral part of web applications. It is an area that requires extensive testing to ensure it is set up robustly and securely. This module covers the most common attacks and vulnerabilities that can affect web application sessions, such as Session Hijacking, Session Fixation, Cross-Site Request Forgery, Cross-Site Scripting, and Open Redirects.
  • Medium (13 sections, reward +20): Web services and APIs are frequently exposed to provide certain functionalities in a programmatic way between heterogeneous devices and software components. Both web services and APIs can assist in integrating different applications or facilitate separation within a given application. This module covers how to identify the functionality a web service or API offers and exploit any security-related inefficiencies.
  • Easy (16 sections, reward +20): WordPress is an open-source Content Management System (CMS) that can be used for multiple purposes.
  • Easy (6 sections, reward +10): Bug bounty programs encourage security researchers to identify bugs and submit vulnerability reports. Getting into the world of bug bounty hunting without any prior experience can be a daunting task, though. This module covers the bug bounty hunting process to help you start bug bounty hunting in an organized and well-structured way. It's all about effectiveness and professionally communicating your findings.