Tips, tricks and things you should know
A BUGHUNTER’S GUIDE TO
BOUNTY UNIVERSE
WHOAMI
$ id -un
Faraz Khan
$ groups farazkhan
Bugcrowd Application.Security.Engineer Hacker _Bountyhunter Penetration.tester
$ lastcomm farazkhan [Activity logs]
Bugcrowd Tech-OPS team member
Bounty Hunting
Writing Articles at SecurityIdiots.com
Working as a penetration tester
AGENDA
How we handle Generic Scenarios
How and when to escalate
Things we consider when Inviting researchers for Privates
Understanding the Program briefs
Vulnerabilities Taxonomy Standards
SYSTEMIC BUGS
– How we handle such situations
– Vulnerabilities that may fall under this criterion
• CSRF
• Missing Authentication/Authorization
• SQLi
• XSS
• File Upload
– Why and how systemic bugs arise
DUPLICATES BUT DIFFERENT PRIORITY/IMPACT
– Finding out the difference
– Minor-impact submission after a higher-risk one
– Higher-impact submission after a lower-risk one
– Prioritize according to the extra impact found
SAME BUG IN A URL BUT DIFFERENT PARAMETER
– Reflected XSS
– Stored XSS
– SQLi
– Missing Auth
– Open Redirect
SUBMISSION WAS ONLY REPRODUCIBLE WHEN
REPORTED
– Proof of concept
– Evidence that the vulnerability existed at the time of reporting
– Current behavior of the application
SCOPE CONTAINS MULTIPLE DOMAINS, BUT
ONLY THEIR LANGUAGE VARIES
– Why would they include such domains?
– Same bug on different domains: will they be considered a single finding?
WHY XSS PRIORITIES MAY VARY
– Self Reflected/Stored XSS
– Authenticated XSS
– Unauthenticated XSS
– Higher-level user to lower-level user
– Lower-level user to higher-level user
SUBMISSION CLOSED EVEN AFTER GETTING
TRIAGED
– Closed as N/A
– Closed as P5/Won’t fix
– Closed as duplicate
DIFFERENT URLS BUT STILL CLOSED AS
DUPLICATE
– RESTful URL
– Universally Vulnerable Parameter
– Systemic Bugs
XSS - INSERTION POINT VS EXECUTION POINT
– Insertion Point
– Execution Point
– Different ways to patch
HOW AND WHEN TO ESCALATE
– Standard response time
– Unclear closure of submission
– Lesser Priority
– Lower Reward
THINGS WE CONSIDER WHEN INVITING
RESEARCHERS FOR PRIVATES
– Rank under 250
– Verified researcher
– Higher impact vulnerabilities finder
– Activity logs
– Trusted Researchers
– Researcher’s behavior
https://blog.bugcrowd.com/a-look-at-private-bounty-program-invitations/
https://blog.bugcrowd.com/become-part-of-the-id-verified-crowd
UNDERSTANDING THE PROGRAM BRIEFS
– Scope
– Out of Scope
– Exclusion list
– Other Exceptions
VULNERABILITY TAXONOMY STANDARDS
– Vulnerability standards and priority taxonomy
– Bug variants
– Standard taxonomies vs program briefs
Questions?
Learn more and get in touch:
BUGCROWD.COM
Code:
Bountycraft code for attending this talk:
tuner lure diopside
