Bug bounty hunting means being paid to find vulnerabilities in a company’s software. Sounds great, right? Bug bounty hunting can pay well and helps develop your hacking skills, so it’s a great all-around activity to get into if you’re a software developer or penetration tester. Some people are full-time bug bounty hunters, but for most in the industry it’s a way to supplement your income whilst sharpening your hacking skills.
In the past, hacking has been associated with nefarious intentions, something that belongs in the criminal world, but times have changed. Ethical hacking is on the rise, and companies are looking to employ or reward ethical hackers who draw attention to vulnerabilities in the company’s software or systems.
Lauren Kozarek from HackerOne said:
“Bug bounty programs are taking off and with that comes enormous opportunities for hackers to earn competitive rewards for making the internet safer.”
Why Bug Bounty Programs Exist
When black hat hackers exploit vulnerabilities in a system it can cost a company a lot of money, sometimes millions of dollars. While almost all companies, and especially reputable and well-known ones, will have a dedicated IT team tasked with information security and penetration testing, people aren’t perfect and vulnerabilities get missed. Sometimes the employees or contractors working on a particular piece of software are too close to the product and fail to spot something that is more obvious to an outsider looking at the software with a fresh pair of eyes.
Good information security is about prevention, and that’s essentially what bug bounty hunting is all about. It’s cheaper for a company to offer financial rewards to bug bounty hunters and patch its security vulnerabilities than to assume there are no flaws in its software and risk a highly expensive attack at the hands of cybercriminals.
But before you can start earning extra money from bug bounty hunting, you need to know how to get started. Below are our top tips on how to succeed as a bug bounty hunter.
Learn by Reading and Watching Videos
If you are just starting out, you need to absorb as much information as possible to truly understand the concepts behind bug bounty hunting and the methods used. The more you understand, the easier you will find ethical hacking and the bug bounty process, and the more money you will make.
When it comes to ethical hacking, our advice is to learn, learn, and then learn some more.
- The Web Application Hacker’s Handbook – This book is extremely popular and has a 4.3/5 star rating on Amazon. The book is practical in nature and discusses the latest step-by-step techniques for attacking and defending web applications. One of the authors of the book is the creator of Burp Suite, a popular bug bounty hunting tool.
- The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy – This book is an introduction to becoming a penetration tester or ethical hacker and requires no previous hacking experience, so it’s very accessible and great for beginners. You can purchase the book here.
- OWASP Testing Guide – The OWASP Testing Project produced a book that serves as a framework for penetration testing. The book explains how to look for vulnerabilities, describes the different classes of vulnerability, and shows how to identify each of them in depth. It is a solid foundation for anyone who wants to understand the concepts and methods behind penetration testing and be guided through different scenarios. You can purchase the book here.
- Web Hacking 101 – This book is authored by Peter Yaworski and will teach you how to get started in ethical hacking, with a focus on how to be a bug bounty hunter.
- Breaking into Information Security: Learning the Ropes 101 – All of the basic topics to get you from zero to junior pentester level, covering everything you need to know to start breaking into the web application penetration testing industry or looking for flaws on bug bounties. You can purchase the book here.
- Crypto 101 – An online PDF introductory course to cryptography aimed at programmers of all ability levels. You can access the course here.
There are a lot of books out there, but reading these should give you a solid foundation for becoming an ethical hacker and starting on your bug bounty journey.
We understand that not everyone is a reader, and some people prefer to learn by watching videos. When it comes to learning ethical hacking, you should try to learn the ropes through the medium best suited to your style of learning. If you find it difficult to immerse yourself in a book, get easily distracted and switch off, then watching videos may be a better option for you. For most people, we recommend a hybrid of the two, since some topics are better or more thoroughly covered by one medium than the other.
Hak5 – The Hak5 YouTube channel covers real-world examples of hacking, vulnerabilities and security news and is a good way to expand your knowledge of ethical hacking. The channel is aimed at news and discussion of security-related issues and is not a guide to becoming an ethical hacker.
The Complete Ethical Hacking Course 2019 by Joseph Delgadillo – This YouTube video is over 7 hours long, so you’ll want to stock up on snacks! The tutorial covers ethical hacking, penetration testing and cyber security and is aimed at absolute beginners.
SSTec Tutorials – A YouTube channel by a self-taught white hat hacker. The channel covers video tutorials on computers, Android mobile, operating systems and software, as well as gadget reviews, unboxings, mobile reviews and app reviews. You will also find tutorials on Kali Linux penetration testing, ethical hacking and GitHub security tools.
freeCodeCamp.org – This YouTube account covers tutorials and guides for a variety of ethical hacking topics. The videos are usually over 1 hour in length and sometimes up to 3 hours.
Complete White Hat Hacking – An introductory course to white hat hacking skills.
Cybrary.it – This site offers a range of courses for IT professionals, some video-centric and others centred on reading material. Some courses are short and focus on one specific topic, such as session hijacking, how to identify a hack, social engineering, and more. Visit the site here.
As you’re reading books and watching videos, you should be practising what you learn as you go along. You can test your skills in simulated environments or by using the multitude of tools out there.
- Test your skills on intentionally vulnerable sites – You can legally practise your ethical hacking skills on sites intentionally designed to be vulnerable for this purpose. Below are some of these sites for you to pick from:
  - Damn Vulnerable iOS Application (DVIA) – DVIA is an iOS application that is, as the name says, damn vulnerable. Its main goal is to provide a platform for mobile security enthusiasts, professionals and students to test their iOS penetration testing skills in a legal environment.
  - bWAPP – bWAPP, or “buggy web application”, is a free and open source deliberately insecure web application. It helps security enthusiasts, developers and students to discover and prevent web vulnerabilities.
  - Google Gruyere – This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn is by doing, so you’ll get a chance to do some real penetration testing, actually exploiting a real (deliberately vulnerable) application.
- Play Hacking Games – Just because you’re learning doesn’t mean you can’t have fun. Hacking games are a great way to do both. For some ideas, read our “Top Hacking Simulator Games Every Aspiring Hacker Should Play.”
- Build your own lab – Build your own home lab, for example a Kali Linux lab, where you can use the hundreds of penetration testing tools that come with the operating system. You can read our guide “How to Build Your Own Pentest Lab: Tips for Beginners”.
- Capture the Flag (CTF) – CTFs are a type of cybersecurity competition built around attacking and defending systems. The competitions vary in difficulty, so you can enter the one most suitable for your skill level. When an individual or team solves a challenge, they get a flag and earn points. The competitions are usually timed events, which puts more pressure on players to think creatively and push their abilities to the limit.
When you feel ready, you can start entering bug bounty programs yourself. You can see the public bug bounty list here.