What is Bug Bounty Program ? Types, Tools and Skills

Bug Bounty Program Definition

A bug bounty or bug bounty program is IT jargon for a reward or bounty program given for finding and reporting a bug in a particular software product. Many IT companies offer bug bounties to drive product improvement and get more interaction from end users or clients. Companies that operate bug bounty programs may get hundreds of bug reports, including security bugs and security vulnerabilities, and many who report those bugs stand to receive awards.

Types of bug bounty program

Bug bounty programs come in two different types based on their participation perspectives. This division is based on the bug bounty hunter’s statistics and their level of indulgence overall on a platform. There are two kinds of bug bounty program: public programs and private programs.

Public programs

A public bug bounty program is one that is open to anyone who wants to participate. This program may prohibit some researchers from participating based on the researcher’s level and track record, but in general, anyone can participate in a public bounty program and this includes the scope, the rules of engagement, as well as the bounty guidelines. A public program is accessible by all researchers on the platform, and all bug bounty programs outside of the platforms are also considered bug bounty programs.

Private programs

A private bug bounty program is one that is an invite-only program for selected researchers. This is a program that allows only a few researchers to participate and the researchers are invited based on their skill level and statistics. Private programs only select those researchers who are skilled in testing the kinds of applications that they have. The programs tend to go public after a certain amount of time but some of them may never go public at all. These programs provide access only to those researchers that have a strong track record of reporting good vulnerabilities, so to be invited to good programs, it is required to have a strong and positive record.

Differences between a Public and Private Bug Bounty program

• Conventionally, programs tend to start as private and over time evolve into the public. This is not always true but, mostly, businesses start a private bug bounty program and invite a group of researchers that test their apps before the program goes public to the community.
• Companies usually consider a few factors before they start a public program. There has to be a defined testing timeline and it is advised that companies initially work with researchers who specialize in that particular area to identify the flaws and vulnerabilities.
• Most of the time, the companies do not open their programs to the public and limit the scope of testing as well so as to allow researchers to test these applications specifically in the sections that are critical.
• This reduces the number of low-severity vulnerabilities in out-of-scope applications. Many organizations use this technique to verify their security posture. Many researchers hunt for bugs in applications mainly for financial gain, so it is crucial that the organization outlines their payout structure within the program’s scope.
• There are a few questions before anyone would want to start to participate in a bug bounty program; the most important one is What is the end goal of the program going public versus keeping it private?

How to Get Started With Bug Bounty?

Bug Bounty programs are a great way for companies to add a layer of protection to their online assets.

A bug bounty program is a crowdsourced penetration testing program that rewards for finding security bugs and ways to exploit them. For researchers or cybersecurity professionals, it is a great way to test their skills on a variety of targets and get paid well in case they find some security vulnerabilities.

The number of companies that have a formal crowdsourced program is increasing and so are the people who want to become a freelance penetration tester. The aspiring bug bounty hunters are of much different knowledge, experience, and skill levels. 
 

Some are completely new to the idea of web development with little prior programming experience, some are experienced web developers with no experience in cybersecurity while some are highly skilled cybersecurity professionals. The steps that should be taken are the same for everyone, one can, however, skip one or more steps based on his/her skills and experience. 

Let’s get started with these steps:

1. Learn Computer Networking: 

A decent knowledge of Computer Networks is very much necessary for getting started with the bug bounty. Though you’re not required to have expertise in the computer networking domain to get started with bug bounty – but you should be proficient at least with the fundamentals of inter-networking, IP addresses, MAC addresses, OSI stack (and TCP/IP stack), etc.

2. Get Familiarized With the Web Technologies: This includes getting a basic understanding of web programming and web protocols. Web programming languages are JavaScript, HTML, and CSS. A beginner to intermediate level proficiency with these languages is more than enough in the beginning. The protocols you should learn about are HTTP, FTP, TLS, etc. These can be learned from the corresponding RFCs or from numerous offline or online resources available over the web. 

3. Learning Web Application Security Measures and Hacking Techniques: This will include learning about common security mechanisms, security practices, their bypasses, common vulnerabilities in web applications, ways to find these vulnerabilities, and ways to patch and prevent the applications from these vulnerabilities. Useful resources are: 

• Recommended Books:
  • Web Application Hacker’s Handbook
  • Mastering Modern Web Application Penetration Testing
  • Web Hacking 101

4. Practicing and Polishing Your Skills: Practicing helps in developing a framework for approaching a target. The more you practice on diverse targets of different difficulty levels the easier it will be for you to approach a web application in a way that increases your chances of finding a critical vulnerability (or even finding a vulnerability if the application is well secured and has been already tested by many hunters). Try making great use of these resources: 

• Vulnerable Web Applications: These are intentionally vulnerable virtual machines or web app packages. Vulnerable web applications are available as general variants that contain many types of vulnerabilities and as dedicated variants that focus on a single vulnerability and its subtleties. Some examples are: 
  • BWapp
  • DVWA
  • OWASP Webgoat
  • Cyclone Transfers
  • Bricks
  • Butterfly Security Project
  • Hacme
  • Juice Shop
  • Rails Goat
  • SQLol
• BWapp, DVWA(Damn Vulnerable Web Application), and Webgoat are the best for beginners.

5. Testing Real Targets: After you are thorough with your basics and have a decent level of skill, you can start doing the actual hunting on real websites. A lot of websites run bug bounty programs for their web assets. Some big names are: 

• Facebook
• Twitter
• Google
• Verizon
• Starbucks
• Shopify
• Spotify
• Apple

These companies reward generously but finding a security bug on any of their assets is highly difficult due to tough competition. You must remember that the top bug bounty hunters of the world are testing these websites along with you. However, that doesn’t mean you can’t find something at all. 

6. Staying Current on Latest Vulnerabilities: For this, you can follow elite researchers and learn from their work. You can also read disclosed reports on bug bounty platforms like HackerOne. Some recommended researchers to follow are: 

• Frans Rosén
• Jason Haddix
• Geekboy
• PortSwigger
• Jobert Abma

You need to know that if you really want to get started with bug bounty then it doesn’t matter what is your academic background or what is your current working domain – you simply can start learning the required skills and tools and start doing the actual hunting!!

What is a Bug Bounty Program and How does it Work ?

Bug bounties employ a competitive model that leverages the use of ethical hackers (or, security researchers) to detect and submit bugs or vulnerabilities within an organization’s digital assets with the potential for reward if found and validated within a predefined scope. These rewards can take the form of monetary payments, or other compensation such as recognition, free products or services from the organization.

Bug bounty programs can be implemented in two ways.

• The first is within an organization itself (self-managed internal).
• The second method is through crowdsourced security vendors who offer managed bug bounty programs that provide access to thousands of highly skilled and thoroughly vetted security researchers ready to help organizations find vulnerabilities other tools or in-house teams might miss.

Top 10 Most Impactful and Rewarded Vulnerability Types

Weakness Type	Bounties Total Financial Rewards Amount
XSS	$4,211,006
Improper Access Control – Generic	$4,013,316
Information Disclosure	$3,520,801
Server-Side Request Forgery (SSRF)	$2,995,755
Insecure Direct Object Reference (IDOR)	$2,264,833
Privilege Escalation	$2,017,592
SQL Injection	$1,437,341
Improper Authentication – Generic	$1,371,863
Code Injection	$982,247
Cross-Site Request Forgery (CSRF)	$662,751

Bug Bounty Popularity

Bug bounties have risen in popularity, with awards increasing by 83% in 2019 and another 26% in 2020. Large businesses with extensive security opportunities are trusting bug bounty programs and seeing great results.

Sites like Facebook, Google, Apple and even the Pentagon are employing managed bug bounty programs to secure their sites web applications from malicious attackers.

Regardless of how you decide to set up your program(s), it’s important to remember that our goal is to attract the right researchers to your use case, detect vulnerabilities at scale, and ultimately minimize the challenges of setting up and managing a bug bounty for you and your internal teams.

Frequently Asked Question Answer

---