My Experience For 2 Years In Bug Bounty Hunting

  • From June 2019 to June 2020: It was purely learning and hacking mostly on VDP (Non Rewardable Programs) because they are easier to learn and find vulnerabilities, and because I like hacking real targets instead of Virtual CTFs.
  • From June 2020 to June 2021: It was bounties time so I focused on VRP (Rewardable Programs) and rarely hacked on VDP. I kept learning as well because you can’t stop learning and you will never reach a level where your information is satisfied.
  1. I got acknowledged by 200+ Companies all over the world and got Bounties/Certificates Of Appreciation/Hall Of Fames/Swags/Badges.
  2. Ranked 1st Hacker at United States Department Of Defense in 2019.
  3. Ranked 1st Hacker at IBM in 2020.
  4. Ranked 3rd Hacker at United States Department Of Defense in 2020.
  5. Ranked 7th Hacker at HackerOne Leaderboard in 2020.
  6. Ranked 1st Hacker at U.S. Defense Industrial Base.
  7. Listed Among Top 50 Hackers WorldWide on HackerOne.
  8. Scored above 12,700 reputation on HackerOne (Still in Progress).
  9. Ranked 1st Hacker in Lebanon (My Country) by HackerOne.
  • Don’t do Bug Bounties as a Full Time Job if you are not experienced and don’t have enough knowledge for that, because trust me, you will burn out rapidly. You can do it as a part time job to add extra cash but not as a main source of income.
  • Never Stop Learning. Every day new bugs are arising and new protections are being implemented, so you have to stay updated if you want to keep finding bugs.
  • Reading writeups is very important. For every writeup you read, you will learn new information, you will also enlarge your knowledge and expand your methodology in approaching targets. I personally rely on reading writeups when I want to learn new techniques.
  • Automation will not find vulnerabilities for you; it will help you find bugs faster. Automating something without understanding the reason behind it is useless even if you used it and found a bug with it. For me, I use automation for my Recon phase and not for finding bugs. But sometimes I ended up finding High information leakage via my automation scripts, which is not bad because I know how to use them.
  • Don’t evaluate the finding based on the bounty, because the same bug found in Google may be paid more than the same one found in a small program with minimal payments.
  • Writing a well explained and developed report is always highly appreciated. No need to write a long report, but at least give a clear explanation of the bug and clear reproduction steps. Don’t forget to mention the remediation steps because it shows the Triager that you understand the bug and how it can be fixed.
  • Sometimes sticking with one target program is not good. Do what you think fits your knowledge when targeting a program. If you find yourself finding good bugs on a target, stick with it for a while and keep checking it; I am sure that you will find more. This is what I do with some private programs in which I reached 1st rank. On the other hand, if you keep checking a target for some days and can’t find any bug, I advise you to change the target and take a little break.
  • Don’t depend on others to find bugs. For example, don’t just apply the same steps and techniques that others use. You can check how they work but you should create your own methodology and way of thinking when approaching a target.
  • Make a checklist for yourself when approaching a target, and take notes. It is really helpful. Sometimes I forget to check for some additional bugs, but when I revise my checklist I remember what I have to do and I check the target again.
  • You may get disappointed for not finding bugs. It’s okay, because this field has already become hard and full of a great number of hackers. Lots of duplicates, it’s okay. Thus you have to think special and act different from others in order to find unique bugs.
  • The Bug Bounty Community has helped me reach this level. Every single writeup I read was useful, new information to learn or old information to remember. You will not waste your time reading a writeup on a finding that you already know.
  • I am thankful to all members in the bug bounty community who share their writeups and experience. That’s why I am sharing too because this is how I learned.

Ahmad Halabi

Cyber Security Specialist | Hacker | Founder at Cybit Sec | Managing Director at Resecurity®.