The transition from HTB CBBH to HTB CWES has officially started. Learn More

Bug Bounty Hunting Process

Bug bounty programs encourage security researchers to identify bugs and submit vulnerability reports. Getting into the world of bug bounty hunting without any prior experience can be a daunting task, though. This module covers the bug bounty hunting process to help you start bug bounty hunting in an organized and well-structured way. It's all about effectiveness and professionally communicating your findings.

4.67

Created by dbougioukas

Easy General

Summary

We usually consider a bug bounty program a crowdsourcing initiative through which individuals can receive recognition and compensation for discovering and reporting software bugs. Bug bounty programs are more than that, though. A bug bounty program (also called a vulnerability rewards program) is essentially continuous and proactive security testing that supplements internal code audits and penetration tests and completes an organization's vulnerability management strategy.

Regardless of the perspective (own profit vs. organizational security), the focus and the true power of bug bounty programs lie on the bug bounty hunters' skills and professionalism.

Bug bounty programs are pretty formal and process-based. For a bug bounty hunter to be successful, they should be not only skilled but also aware of:

  • How a bug bounty program is structured
  • Bug/report submission and communication processes

This module will cover the entire bug bounty hunting process and how to document your findings properly.


You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading."

The module is classified as "Easy" and assumes an understanding of information security fundamentals. The module also assumes basic knowledge of web applications and web requests, and it will build on this understanding to guide you through the entire bug bounty hunting process.

Bug Bounty Programs


As mentioned in this module's summary, we usually consider a bug bounty program as a crowdsourcing initiative through which individuals can receive recognition and compensation for discovering and reporting software bugs.

Bug bounty programs are more than that, though. A bug bounty program (also called a vulnerability rewards program - VRP) is continuous and proactive security testing that supplements internal code audits and penetration tests and completes an organization's vulnerability management strategy.

HackerOne aptly describes their bug bounty platform (that can host bug bounty programs) as "Continuous testing, constant protection" and as something that can be integrated seamlessly into an organization's existing development life cycle.


Bug Bounty Program Types

A bug bounty program can be private or public.

  • Private bug bounty programs are not publicly available. Bug bounty hunters can only participate in a private bug bounty program upon receiving specific invitations. The vast majority of bug bounty programs start as private ones and become public after getting the hang of receiving and triaging vulnerability reports.

    • Most of the time, bug bounty hunters receive invitations to private bug bounty programs based on their track record, valid finding consistency, and violation record. A representative example of this is how HackerOne deals with invitations based on specific criteria. Please note that certain bug bounty programs may even require a background check.
  • Public bug bounty programs are accessible by the entire hacking community.

  • Parent/Child Programs also exist where a bounty pool and a single cyber security team are shared between a parent company and its subsidiaries. If a subsidiary launches a bug bounty program (child program), this program will be linked to the parent one.

Something important to note is that the terms Bug Bounty Program (BBP) and Vulnerability Disclosure Program (VDP) should not be used interchangeably.

A vulnerability disclosure program only provides guidance on how an organization prefers receiving information on identified vulnerabilities by third parties. A bug bounty program incentivizes third parties to discover and report software bugs, and bug bounty hunters receive monetary rewards in return.

If you want to study the anatomy of a vulnerability disclosure program, refer to the following resource. VDP vs. BBP


Bug Bounty Program Code of Conduct

The violation record of a bug bounty hunter is always taken into consideration. For this reason, it is of paramount importance to adhere to the code of conduct/policy of each bug bounty program or bug bounty platform. Spend considerable time reading the code of conduct as it does not just establish expectations for behavior but also makes bug bounty hunters more effective and successful during their bug report submissions.

If you want to become an established bug bounty hunter, you will have to strike a balance between professionalism and technical capability.

We strongly suggest that you go over HackerOne's Code of Conduct to familiarize yourself with such documents.


Bug Bounty Program Structure

It is about time we see what a bug bounty program looks like. Navigate to HackerOne's bug bounty program list to go over some bug bounty programs. Take Alibaba BBP and Amazon Vulnerability Research Program as examples and go through their "Policy."

According to HackerOne: The policy section enables organizations to publish information about their program to communicate the specifics about their program to hackers. Organizations typically publish a vulnerability disclosure policy with guidance on how they want to receive information related to potential vulnerabilities in their products or online services. The policy also includes the program’s scope, which lists items hackers can test and send reports in for. It is often defined by the domain name for web applications or by the specific App Store / Play store mobile apps that a company builds.

A bug bounty program usually consists of the following elements:

Vendor Response SLAs Defines when and how the vendor will reply
Access Defines how to create or obtain accounts for research purposes
Eligibility Criteria For example, be the first reporter of a vulnerability to be eligible, etc.
Responsible Disclosure Policy Defines disclosure timelines, coordination actions to safely disclose a vulnerability, increase user safety, etc.
Rules of Engagement
Scope In-scope IP Ranges, domains, vulnerabilities, etc.
Out of Scope Out-of-scope IP Ranges, domains, vulnerabilities, etc.
Reporting Format
Rewards
Safe Harbor
Legal Terms and Conditions
Contact Information

In HackerOne's case, the above are usually included inside the Policy part of each program.

Please go over a bug bounty program's description/policy meticulously. The same goes for any "code of conduct" documents they may include. By doing so, you can meet expectations and avoid unnecessary back and forth that could cause significant time loss. In bug bounty hunting, time is of the essence!


Finding Bug Bounty Programs

One of the best online resources to identify bug bounty programs of your liking is HackerOne's Directory. HackerOne's directory can be used for identifying both organizations that have a bug bounty program and contact information to report vulnerabilities you have ethically found.

Sign Up / Log In to Unlock the Module

Please Sign Up or Log In to unlock the module and access the rest of the sections.

Relevant Paths

This module progresses you towards the following Paths

Web Penetration Tester

The Web Penetration Tester Job Role Path is for individuals who want to enter the world of web penetration testing with little to no prior experience in it. This path covers core web security assessment and web penetration testing concepts, and provides a deep understanding of the attack tactics used during web penetration testing. Armed with the necessary theoretical background, multiple practical exercises, and a proven web penetration testing methodology, students will go through all web penetration testing stages, from reconnaissance and vulnerability identification to exploitation, documentation, and communication to vendors. Upon completing this job role path, you will have become proficient in the most common web penetration testing and attack techniques against web applications and APIs, and be in the position of professionally reporting vulnerabilities to a vendor.

Medium Path Sections 279 Sections
Required: 1410
Reward: +330
Path Modules
Fundamental
Path Sections 8 Sections
Reward: +10
This module introduces the topic of HTTP web requests and how different web applications utilize them to communicate with their backends.
Fundamental
Path Sections 17 Sections
Reward: +10
In the Introduction to Web Applications module, you will learn all of the basics of how web applications work and begin to look at them from an information security perspective.
Easy
Path Sections 15 Sections
Reward: +20
Web application penetration testing frameworks are an essential part of any web penetration test. This module will teach you two of the best frameworks: Burp Suite and OWASP ZAP.
Easy
Path Sections 19 Sections
Reward: +20
This module equips learners with essential web reconnaissance skills, crucial for ethical hacking and penetration testing. It explores both active and passive techniques, including DNS enumeration, web crawling, analysis of web archives and HTTP headers, and fingerprinting web technologies.
Easy
Path Sections 12 Sections
Reward: +10
In this module, we explore the essential techniques and tools for fuzzing web applications, an essential practice in cybersecurity for identifying hidden vulnerabilities and strengthening web application security.
Easy
Path Sections 11 Sections
Reward: +10
This module will take you step-by-step through the fundamentals of JavaScript Deobfuscation until you can deobfuscate basic JavaScript code and understand its purpose.
Easy
Path Sections 10 Sections
Reward: +20
Cross-Site Scripting (XSS) vulnerabilities are among the most common web application vulnerabilities. An XSS vulnerability may allow an attacker to execute arbitrary JavaScript code within the target's browser and result in complete web application compromise if chained together with other vulnerabilities. This module will teach you how to identify XSS vulnerabilities and exploit them.
Medium
Path Sections 17 Sections
Reward: +10
Databases are an important part of web application infrastructure and SQL (Structured Query Language) to store, retrieve, and manipulate information stored in them. SQL injection is a code injection technique used to take advantage of coding vulnerabilities and inject SQL queries via an application to bypass authentication, retrieve data from the back-end database, or achieve code execution on the underlying server.
Easy
Path Sections 11 Sections
Reward: +20
The SQLMap Essentials module will teach you the basics of using SQLMap to discover various types of SQL Injection vulnerabilities, all the way to the advanced enumeration of databases to retrieve all data of interest.
Medium
Path Sections 12 Sections
Reward: +20
Command injection vulnerabilities can be leveraged to compromise a hosting server and its entire network. This module will teach you how to identify and exploit command injection vulnerabilities and how to use various filter bypassing techniques to avoid security mitigations.
Medium
Path Sections 11 Sections
Reward: +20
Arbitrary file uploads are among the most critical web vulnerabilities. These flaws enable attackers to upload malicious files, execute arbitrary commands on the back-end server, and even take control over the entire server and all web applications hosted on it and potentially gain access to sensitive data or cause a service disruption.
Medium
Path Sections 19 Sections
Reward: +20
A backend that handles user-supplied input insecurely can lead to devastating security vulnerabilities such as sensitive information disclosure and remote code execution. This module covers how to identify and exploit server-side bugs, including Server-Side Request Forgery (SSRF), Server-Side Template Injection (SSTI), and Server-Side Includes (SSI) injection attacks.
Easy
Path Sections 13 Sections
Reward: +20
The module contains an exploration of brute-forcing techniques, including the use of tools like Hydra and Medusa, and the importance of strong password practices. It covers various attack scenarios, such as targeting SSH, FTP, and web login forms.
Medium
Path Sections 14 Sections
Reward: +20
Authentication is probably the most straightforward and prevalent measure used to secure access to resources, and it's the first line of defense against unauthorized access. Broken authentication is listed as #7 on the 2021 OWASP Top 10 Web Application Security Risks, falling under the broader category of Identification and Authentication failures. A vulnerability or misconfiguration at the authentication stage can impact an application's overall security.
Medium
Path Sections 18 Sections
Reward: +20
This module covers three common web vulnerabilities, HTTP Verb Tampering, IDOR, and XXE, each of which can have a significant impact on a company's systems. We will cover how to identify, exploit, and prevent each of them through various methods.
Medium
Path Sections 11 Sections
Reward: +10
File Inclusion is a common web application vulnerability, which can be easily overlooked as part of a web application's functionality.
Attacking GraphQL
mini module tag Mini-Module
Medium
Path Sections 9 Sections
Reward: +20
GraphQL is a query language for APIs as an alternative to REST APIs. Clients are able to request data through GraphQL queries. If improperly configured or implemented, common web security vulnerabilities such as Information Disclosure, SQL Injection, and Insecure Direct Object Reference (IDOR) may arise.
Medium
Path Sections 13 Sections
Reward: +20
Web APIs serve as crucial connectors across diverse entities in the modern digital landscape. However, their extensive functionality also exposes them to a range of potential attacks. This module introduces API Attacks, with a specific focus on the OWASP API Security Top 10 - 2023.
Medium
Path Sections 33 Sections
Reward: +20
Penetration Testers can come across various applications, such as Content Management Systems, custom web applications, internal portals used by developers and sysadmins, and more. It's common to find the same applications across many different environments. While an application may not be vulnerable in one environment, it may be misconfigured or unpatched in the next. It is important as an assessor to have a firm grasp of enumerating and attacking the common applications discussed in this module. This knowledge will help when encountering other types of applications during assessments.
Easy
Path Sections 6 Sections
Reward: +10
Bug bounty programs encourage security researchers to identify bugs and submit vulnerability reports. Getting into the world of bug bounty hunting without any prior experience can be a daunting task, though. This module covers the bug bounty hunting process to help you start bug bounty hunting in an organized and well-structured way. It's all about effectiveness and professionally communicating your findings.