Bug Bounty seen as a video game


Hey, it's been a pretty long time since I last posted here. No excuses, just the classic laziness of doing it!

Some news

First, I just want to cover some news about me. I did some travels in Europe, especially in Scotland and Italy, which was pretty nice.

One of my main personal goals in 2024 is to run a marathon. I wasn't a big runner at first, but I started a big preparation in November and it's now a big part of my life, so that's why I have been more focused on it than on hacking lately. The marathon will be in Paris in April, so after that, I can go back to full hunting.

But you can ask, how can you still make money if you don't hunt? Of course, you don't (if you don't have pretty good automation). In my opinion, Bug Bounty is a lot about a mental perspective. One year ago, I was unable to find any bugs, and now I know that I can find a pretty good amount of bugs in some programs. What changed? I learned some stuff, but it's primarily about the fact that I now know that it's possible, so with confidence (and some skills of course), you can find bugs on any target.

I know that without working that much, I'm able to make around 1,5k to 3k a month by finding some medium and high vulnerabilities on low-rewarding programs. It's enough to live, but not enough to grow. And without a good amount of money stored, it's hard to grow. I love open-source targets and I want to take some time to focus on them. But you need, for instance, one month before finding some good stuff, and during this month, you're not making any money. That's why now, I'm trying to deal with making money to save it and going on some big public programs to build my knowledge on them for the future. That's why I will try to travel less at first to save more, and be able to grow.

On another note, I'm still building my automation process. The aim of it is not to make a huge recon to find all the subdomains; I know that a lot of people will be better than me at that. I prefer to focus on manual stuff, so it's just a way to improve my workflow by logging all my requests and stuff, making a database of all the software versions I can have in my targets, and JS monitoring, for instance. But I will talk about that in a dedicated post later this year!

I now want to be more focused on finding Highs and Crits. It takes time, but I now have the confidence that I can find them; I just need to take the time to do it and not look, as usual, for vulnerabilities I know.

Bug Bounty as a video game

I see Bug Bounty as a video game. It's something fun and hard at the same time, you have a leaderboard, everyone has a nickname, and the community is incredible.

I think that it's better to see it like that instead of seeing it as a normal job. It's very hard because you don't have revenue each month and there are a lot of issues that I can cover in another post about the stability of doing it.

But the freedom makes it worth it in my opinion. You can work when you want, where you want, and also on what you want. It can be hard to find stability with that and be focused on yourself.

I love the concept of Flow: it's when you can be fully focused on something and not be distracted. And it can be achieved when you are working on something challenging and you need a good amount of skills:

The Flow concept

And Bug Bounty works perfectly well for that. It can be hard to find good bugs and very challenging. You will need a good amount of abilities to find them, that's why you will be in a state of flow if you are looking at hard vulnerabilities.

That's what I'm looking for now.

Another key concept I discovered recently, and I already talked about that, is the fact that you will need confidence to find vulnerabilities. For a long period, I was unable to hunt on public programs on HackerOne, because I thought that everything was already found and it would be impossible for me to find something.

But it was wrong, and in the end, I was able to find stuff on them, even if it was a well-known program with plenty of researchers. And knowing that it was possible helped me to find more and more stuff.

And I'm sure that's the same for categories of vulnerabilities. We think it's hard and impossible to find RCEs on programs, but that's primarily because we are not looking for them. It's not by looking for IDORs that you will find an RCE (that's my case). So if you want to find bug issues, you need to look for them first; they will not fall by themselves.

The next steps

Now, for me, I will be more focused on high-paying programs and taking the time to find good vulnerabilities in them. I also need to improve my knowledge on some types of vulnerabilities, by looking at blog posts or reading more write-ups.

I will continue to improve my workflow by building my automation (it takes a long time to sit down and develop something when you prefer to hunt on something).

In the next few weeks, I will participate in the YesWeHack LHE at "le FIC" in Lille, and then in the Hack Me I'm Famous in Paris for the first time! I hope to see you there and find good bugs together.

I honestly don't know when the next post will be, but I hope soon, so see you then ;)

Aituglo

Paris
The author of this blog, a bug bounty hunter and security researcher that shares his thoughts about the art of hacking.