Working hard, Problems with programs and Automation

Hey everyone! There is a lot of stuff to cover this week. I've changed my schedule and the way I work, I'm also working on automating some stuff in Bug Bounty, and I will talk a bit about my side project ReWorker.

Some thoughts about how I work

I've never worked a lot in the past. For school, I did the minimum of work for the maximum impact, and it worked pretty well. But now, working for myself changed my way of thinking.

At first, I wanted to build a life only with the Pareto rule, the 80/20, making only 20% effort for a maximum impact. And it's a really great idea, and in the end, you have plenty of time. So my goal, since September, was to only work in the morning. That's great, I admit, and I was able to get some money for this lifestyle, around 2k per month with bug bounty. The problem with that is that you can't grow a lot. I was always making the same stuff, finding the same bugs, etc.

With Bug Bounty, you have to take time to know your target, find the right one, and find impactful bugs, and you are not paid if you work more until you find bugs. One way to be paid with less time is to automate stuff, and I will talk later about what I will do.

Then, I had plenty of ideas of stuff to build to improve my lifestyle and develop some good stuff, but I was afraid of doing it because I didn't have the time and I wanted to only focus on one thing, being a really good bug hunter and being very technical. And it's a really great thing, but sometimes you want something new and to do stuff not always related to hacking.

So, I decided to change my way of doing it. I will not stop my goal of grinding in bug bounty and I will take the same time in my week. I will just work more and add other stuff. As you may know, I work on side projects that can help me like Hackyx, also ReWorker with a friend, and automating stuff. I know that it's pretty far away from working only in the morning, but I prefer that. I grind for some time building stuff that will help me in the future for working less.

Of course, now it's easier because I'm not traveling, but when I travel, I will do the minimum and enjoy my trip too.

Finding the right program

One problem in Bug Bounty is finding the right program. Sometimes, you find a very nice one, with good responses and a good payout, and just stick with it. Last week I had a problem with a big public program on HackerOne. We found some good stuff, with a high impact, we waited and the program lowered the bugs without any message, and paid the minimum.

Then, they never answered our questions. I found it very rough as I worked on this program for a full week and found pretty nice bugs with no debate on the business impact for them. And the stats on HackerOne looked pretty promising, with quick responses, etc. So you never know until you push one bug. And every time, the best way to find a good program is just to find a bug, push it, and see if it corresponds to what you want.

I know that it's the game, and we just have to play with it, but it's hard to work hard on something and then have to debate, contact the support, etc. But I still find this job the best one, and it fits my lifestyle perfectly, but as Blaklis told us a lot, you just have to find a bunch of good programs and stick with them for years. And looking at all my payouts, it's mainly from the same programs, so I will stay with them.

I found this tweet really true:

We always see great payouts and good write-ups, but behind it, there are so many problems we face, so don't think it's an easy way to get rich. Of course, you can be rich with that, but it's not that easy, and you do not always find bugs.

Automating stuff

After reading this great article shared by Nicolas Grégoire (agarri), it changed my mind about automating stuff.

Manual Work is a Bug - ACM Queue

I decided to make some automation, not to find bugs, but to help me find bugs easily. By that, I mean helping me with JavaScript, finding paths, and monitoring them. Also having the best setup, for me, to work, easily manageable, for working everywhere. Making some little automation, just to simplify my work and expand my targets.

And finally, using reNgine was not the best idea. It's a great tool, but it's very buggy and I need to rework a lot of stuff to make it fit my workflow. So I will probably use other tools and build my own, using the tools I already know.

I will mainly use n8n I think, it will be easy to incorporate, and add new automation easily. With that, I will connect it to secator for some scanning system. I don't know exactly for now, and I will tell you more in the next few weeks.

I also found this great article about how to build an iOS pentesting setup, using Caido, and it's so great.

My iOS Web Hacking Setup - Surge, Termius, and Caido
As a part-time bug bounty hunter, I’ve found reducing friction in my testing to be especially important. Being able to quickly look at the behavior of an application to take advantage of downtime is very important to me. With that I’ve come up with a bit of an uncommon workflow where I not only proxy traffic from iOS devices, but will also look through the request history and even modify and replay requests, all from my iPhone or iPad.

I decided to use that and also to put my Caido on a VPS to be easily available. So now, I can connect my Android or my iPhone to it, using port forwarding (using Termius), and always put 127.0.0.1:8080 instead of always looking for the local IP of my machine.

I also used Cloudflare Tunnel to easily access it without opening the ports of my VPS, so it's only accessible inside the VPS but I can reach it worldwide using Cloudflare and a strong authentication.
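
The setup above keeps Caido reachable only on 127.0.0.1:8080 of the VPS, behind SSH port forwarding and Cloudflare Tunnel. As an added example (not from the original post), this shell check parses `ss -ltn` output and reports any listener on that port bound to a non-loopback address; the function names and sample outputs are constructed.

```shell
#!/bin/sh
# Added example: flag listeners on a given port that are bound to a
# non-loopback address, from `ss -ltn` output read on stdin.
# Function names and the sample outputs below are constructed for illustration.

exposed_listeners() {
  # $1 = TCP port to check; prints each non-loopback bind address found.
  awk -v port="$1" '
    $1 == "LISTEN" {
      addr = $4                          # "Local Address:Port" column
      n = split(addr, parts, ":")
      if (parts[n] != port) next         # different port, ignore
      host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
      if (host ~ /^127\./ || host == "[::1]") next   # loopback only
      print host
    }'
}

proxy_is_private() {
  # Succeeds (exit 0) when nothing on port $1 is reachable from outside.
  [ -z "$(exposed_listeners "$1")" ]
}

# Constructed sample: proxy bound to loopback, SSH on all interfaces.
SAMPLE_SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    [::1]:8080         [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Constructed sample: proxy accidentally bound to every interface.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

for sample in "$SAMPLE_SAFE" "$SAMPLE_EXPOSED"; do
  if printf '%s\n' "$sample" | proxy_is_private 8080; then
    echo "port 8080: loopback only"
  else
    echo "port 8080: exposed"
  fi
done

# On the VPS itself: ss -ltn | proxy_is_private 8080 || echo "exposed"
```

Because Cloudflare Tunnel connects outbound from the VPS, the proxy needs no public listener, so a clean result from this check is the expected state.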

It's pretty easy, but it can leverage your tools and increase the productivity of finding stuff.

ReWorker.

Just some thoughts about it, this aituweek is already pretty long. I launched it last week and I did not expect to have so many people interested in the project. I got around 250 registered accounts, and a lot of feedback and comments, a great way to start.

So I'm gonna work more on it, and with a friend, we will build something bigger to help people like me find coworkers everywhere, even if you work alone.

I also built the MVP without any optimization in the API calls to the Google API. I didn't think of so many people trying it, and look at it:

My cost to google apis

So, in the next weeks, I will need to find a better way to use that!

I hope that you enjoyed this one and LeHack is approaching, so nice stuff is arriving!

See you then!

Ideas / Notes / Resources

  • A great article to set up a proxy on iOS using Caido or any proxy
My iOS Web Hacking Setup - Surge, Termius, and Caido
  • I did not see it, but I definitely will during this week
Aituglo

Paris
The author of this blog, a bug bounty hunter and security researcher that shares his thoughts about the art of hacking.