My Experience For 2 Years In Bug Bounty Hunting
Hello,
My name is Ahmad Halabi. I am writing this article as a summary about my experience that was gathered during my Bug Bounty Journey that I started 2 years ago.
Before proceeding, I previously wrote an article about How I started in bug bounties and how I achieved some goals. I recommend reading it before reading this article.
Brief Introduction ::
In February 2019 I heard about Bug Bounty Hunting, I was curious to enter this World and put my name in the Hall Of Fame of great companies like Facebook and Google, so I started looking for this topic on the internet.
My first valid bug was in Panda Security
which awarded me a Certificate of Appreciation in Feb 2019. Then I found multiple valid bugs in 360 Security
and found an RCE in Blackberry
and I kept checking such kind of responsible disclosure programs until I mistakenly clicked on a link that browsed me to HackerOne website and then to BugCrowd.
In June 2019, I signed up on HackerOne website and my Bug Bounty Journey started. I remember that I got good amount of N/A reports and my points decreased to 67 as well as the signal became badly negative. It took me 3 months to recover my reputation and push my signal back to positive.
My dream was to find a vulnerability and put my name in the U.S. Department Of Defense Hall Of Fame, so I worked to achieve this goal and in the same year I was ranked 1st in their Hall Of Fame.
Also I achieved my old goal in the same year by adding my name to the Hall Of Fames of Facebook and Google.
2019 year was a learning stage for me, Thus I earned just two bounties from Facebook and Telegram.
In 2020 year, I struggled a lot during my learning curve, it was not easy to find the good resources and learn by myself. But in the end I created my own path and methodology and it worked fine for me.
Two Years in Bug Bounty ::
- From June 2019 to June 2020 : It was purely learning and hacking mostly on VDP (Non Rewardable Programs) because they are easier to learn and find vulnerabilities, and because I like hacking real targets instead of Virtual CTFs.
- From June 2020 to June 2021 : It was bounties time so I focused on VRP (Rewardable Programs) and rarely hacked on VDP. I kept learning as well because you can’t stop learning and you will never reach a level where your information is satisfied.
My Achievements during These Two Years ::
I would like to mention some of my milestones that I achieved during these two years.
- I got acknowledged by 200+ Companies all over the world and got Bounties/Certificates Of Appreciation/Hall Of Fames/Swags/Badges.
- Ranked 1st Hacker at United States Department Of Defense in 2019.
- Ranked 1st Hacker at IBM in 2020.
- Ranked 3rd Hacker at United States Department Of Defense in 2020.
- Ranked 7th Hacker at HackerOne Leaderboard in 2020.
- Ranked 1st Hacker at U.S. Defense Industrial Base.
- Listed Among Top 50 Hackers WorldWide on HackerOne.
- Scored above 12,700 reputation on HackerOne (Still in Progress).
- Ranked 1st Hacker in Lebanon (My Country) by HackerOne.
Was Bug Bounty For Me Full Time or Part Time ?
When I started bug bounty in June 2019, I was working as a Developer in a company, so I did it as a Part Time.
In September 2020, I left my Work as a Cyber Security Specialist in a Company, And I started Bug Bounty as a Full Time for 6 months. Although I earned good amount of bounties but I got burnout so I took a break and then became doing it as a Part Time.
In February 2021, I founded a startup called Cybit Sec for Software Development and Cyber Security Services. And kept doing bug bounties as a Part Time.
In June 2021 (This Month), I joined a Senior Cyber Security Specialist Position. So bug bounty hunting for me now is not Full Time nor Part Time, it is a thing that I do when I have some free time.
<< Sharing Experience and Advices >>
Since I might not do bug bounty a lot from now on, I would like to share my experience that I learned as a Bug Bounty Hunter during these two years.
- Don’t do Bug Bounties as a Full Time Job if you are not experienced nor have enough knowledge for that, because trust me, you will burnout rapidly. You can do it as a part time job to add extra cash but not as a main source of income.
- Never Stop Learning. Every day new bugs are arising and new protections are being implemented, so you have to stay updated if you want to keep finding bugs.
- Reading writeups is very important. For every writeup you read, you will learn new information, you will also enlarge your knowledge and expand your methodology in approaching targets. I personally rely on reading writeups when I want to learn new techniques.
- Automation will not find vulnerabilities for you, they will help you to find bugs faster. Automating something without understanding the reason behind it is useless even if you used it and found a bug with it. For me, I use automation for my Recon phase and not for finding bugs. But sometimes I ended up finding High information leakage via my automation scripts which is not bad because I know how to use them.
- Don’t evaluate the finding based on the bounty. Because same bug found in Google may be paid more than the same one found in a small program with minimal payments.
- Writing a well explained and developed report is always highly appreciated. No need to write a long report, but at least clear explanation about the bug and clear reproduction steps. Don’t forget to mention the remediation steps because it shows the Triager that you understand the bug and how it can be fixed.
- Sometimes sticking with one target program is not good. Do what you think it fits your knowledge when targeting a program. If you found yourself finding good bugs on a target, stick with it for a while and keep checking it, I am sure that you will find more. This is how I do with some private programs that I reached 1st rank in them. On the other hand, if you kept checking a target for some days and couldn’t find any bug, I advice you to change the target and take a little break.
- Don’t depend on others to find bugs, example don’t apply the same steps that others do and do their techniques. You can check how they work but you should create your own methodology and way of thinking when approaching a target.
- Make a checklist for yourself when approaching a target, and take notes. It is really helpful. Sometimes I miss to check for some additional bugs but when I revise my checklist I remember what I have to do and I check the target again.
- You may get disappointed for not finding bugs, it’s okay because this field has already become hard and full of great amount of hackers. Lots of duplicates, it’s okay. Thus you have to think special and act different from others in order to find unique bugs.
- Bug Bounty Community have helped me reach this level. Every single writeup I read was useful, new information to learn or old information to remember. You will not waste your time reading a writeup on a finding that you already know.
- I am thankful to all members in the bug bounty community who share their writeups and experience. That’s why I am sharing too because this is how I learned.
I am planning to do an explicit article collecting the most important and valuable resources to learn bug bounty and master it. Knowing that I just learned from Google and Writeups but there are some really great resources like Pentesterlab and PortSwigger Web Academy to start learning the right way and avoid wasting time. I will try my best not to take long to publish the article.
I hope that you find this article useful and you benefit from the advices mentioned.
Thank you for your time reading this.
Ahmad Halabi.
Regards.