Hackerone, Momentum, and people
This past week, I finally switched to Hackerone and hunted there. I found a program I like with a lot of different features that can interest me.
I also worked more than before; I'm finally back in the momentum.
I need to try putting more resources at the end of my articles: things I discovered over the past weeks that can help.
Hackerone
Thanks to the Hackerhouse, I was able to find the right program to dig deep. Mizu and I hunted on it during the house, and then I continued on that.
That's a public program, so pretty nice to be able to find bugs there, and there are a lot for sure.
I found a couple of nice bugs there. The only issue is that their policy specifies that any bug requiring an account gets Privileges Required set to Low, even though you only need an email to register and anyone can register.
The problem with that is that it's way harder to get a High or a Crit on this program. When you can leak everything, Confidentiality is set to High, but with Privileges Required at Low, the CVSS score falls to Medium.
We tried negotiating with them, without success. So most of my bugs fell into Medium even if the business impact behind them is huge; that's the sadness of CVSS.
It's still good, as a Medium there is around $1000, which is huge compared to the Mediums I was used to on YesWeHack, so it's still good hunting there, but annoying. We have to figure out a way to leverage our bugs and try to play with different metrics on the CIA part.
I will continue hunting on that program as it can help me get more points on Hackerone and get a better profile there.
I really want to find some programs where I feel I can spend a lot of time on them. I also started looking more into Bugcrowd, and there are some interesting programs I have to start playing with.
Also, another goal for me is to get invited to the Salesforce program. I know that this is the kind of program I like, with a lot of different roles, users, and rights. I enjoy taking the time to test all of them and playing with edge cases. But to get in, I first need to find some bugs on their VDP. It's annoying to work for free, but that's the only entry point I have. So I started playing a bit with their apps, trying to first understand how they work.
Playing with the momentum
Something I really enjoy is the momentum: when you're on something, you don't want to quit, and you could continue it forever. I'm currently on a good momentum in hunting. It doesn't happen all the time, but when it comes, you have to ride it until it's done.
A few weeks back, I didn't want to hunt at all, and it was hard for me to spend a lot of time on the computer trying to find bugs. Now I can spend 12 hours a day looking for bugs without any problem. It's crazy how the mind works. But it's also great, as I don't have to force myself and I can do what I want.
This way, I can spend weeks hunting and be happy with that, and afterwards do nothing, or code, or anything else.
I also have to keep that momentum now, because a part of my mind just wants to buy the Switch 2 and play Mario Kart World all day.
Meeting new people
Over the past weeks, I found that meeting new people or just doing side quests is something I enjoy a lot.
Thanks to NYC, I changed my mind on a lot of things, especially the fact that you can speak and discuss with anyone, even on the street and in the subway. It's way easier there in NYC, as it's a common thing, but it's still possible here in France.
And I started doing it more and more. I call it doing a side quest. It's just talking to and helping people all around, and it's great. I think humans are made to be with other people and not just alone.
Doing that brings me a lot of joy. Now I try not to use my AirPods on the subway or when I walk, and I look more for opportunities. It gave me a lot of great discussions with random people.
I'm also going to a lot of running club sessions: meeting people there, hanging around, running, and then having food. That's great, and this way I can also meet runners, as most of my friends are not, which is nice.
Resources
Thanks to Mizu, I discovered GitHub Code Search, which helps grep across GitHub.

NahamCon came with a lot of great talks. I loved the one by xssdoctor and the work he did with AI; I need to play more with that.
Another great idea is to find more and more API documentation: not only the official documentation of the program, but also Swagger specs, public Postman collections, etc.