My 1st year of Bug Bounty experience

Mehedi Hasan Remon
Sep 9, 2020

بسم الله الرحمن الرحيم
In the name of Allah, the Compassionate, the Merciful

Assalamu Alaikum
peace be upon you

As I promised, here is the writeup for my first year of Bug Bounty Hunting experience. So who is this write-up for? It’s especially for beginners like me or someone who just wants to get started with bug bounty hunting. I will try my best to add as many references as I can and will be pointing out all the stuff that is going to happen to you in Bug Bounty Hunting.

Index

  • Background
  • Story
  • Lesson
  • What not to do
  • References
  • Reward

Background

Just letting you know some general info about me, so you can understand what’s actually going on. I just turned 21 this September. I am a CSE student, but to be honest I am a horrible student. I just passed exams somehow. Before doing Bug Bounty I was doing some script-kiddie stuff like defacing random websites with SQLi, shell upload, etc. But those are not that bad at all. That activity is now helping me a lot. How? Well, we will discuss that soon.

Story

I was scrolling on Facebook peacefully when suddenly I saw a guy named Md Saikat post on Facebook about his $25 Payoneer bounty. He was also doing BlackHat stuff like me. Then something hit my mind: well, what’s that? He is getting paid for doing what? Then I asked him, and he told me that he found a bug on Payoneer and they paid him $25 for it. Then I asked what the bug looked like. Then he sent a mail of that report to my email address.

I picked that bug and reported it to some companies I already knew. One of them replied to me with a $70 bounty. For me, as a college guy at that time, it was enough earnings. Cool dude. I want more.

So I reported that bug to all Bugcrowd public programs and all the companies I knew. But sadly this time I only got dups and N/As, not a single bounty. I got -35 rep from HackerOne. I spent the whole month doing that and ended up getting nothing. Now I was just about to give up.

While scrolling my Facebook news feed I saw a guy named Prial Islam Khan. That guy was smashing it with bounties. His profile is just full of swag and $. That’s so cool.

I knocked him immediately and asked the most common question that everyone tries to avoid.

How can I become a Bug Bounty Hunter?

He replied to me with just a blog post called Getting Started 001. From that day on, it just changed my life.

From there I started learning about Linux basics, networking basics, how my computer works, programming basics, how they communicate, etc. As I already knew some of them, it was fun for me to discover that old stuff in a detailed way.

I studied like I never had before. Every day I was spending 12+ hours just learning that stuff. But here is a thing I’d like to mention: I didn’t spend much time with labs. What I did was spend most of my time on real targets. I followed WebSecAcademy to get the general idea first. It did not take more than 5–6 hours. Then I immediately chose a target and started looking for those issues.

But I realized that it was still not working, because most of the time you will not get that little XSS on their main application search bar. It’s just an example; there is a lot you can try, but hey, I was not getting bugs at all.

As I mentioned before, I was doing some BlackHat stuff. So what I actually learned during that time is how to solve problems. No matter what, you have to solve it. Riding the whole internet from one place to another for cracked games is not easy at all. You face a lot of stuff and get a clean mindset about how things are happening around you. Nowadays I use that experience to solve most problems. It helps me to keep digging till I get the answer.

The problem with me was that at that time I didn’t know what recon is. I wasn’t even checking for their subdomains. After spending some time with Google I saw some methodologies. There they collect subdomains, do asset discovery and so on, then start their actual manual testing. But I was not doing those and not getting any bugs.

I started learning more about recon, how it works and what’s inside. I will attach the references later on. I know recon is not for getting vulnerabilities; it’s for getting as much info as you can. As I saw I am not good with injection-type attacks, this is now the only way for me to go ahead.

I checked every single thing available on the internet that I could. Then I saw that most of the time everyone is doing the same. Everyone is using the same tools and the same approach to perform recon. So if I can do something different, then I can win the game. I spent a good amount of time building up a workflow. Every time I was picking some topic to look deep into, like subdomain enumeration, fuzzing, etc. I started getting good bounties after trying in different ways. I don’t do the same thing again and again. I pick a topic to study, then perform it on a real target, then go for the next topic.

The only reason to show you those screenshots is that I am using them as a reference for my words. Don’t believe random people in infosec by their words; believe them by their work. This is only to confirm to you that you are not wasting your time on fake stuff at all.

Let’s get back to the technical point again! I have the standard view from the community of how everyone is doing it. Then I did some experiments to see whether it still works or not. Most of the time I ended up having something unique and working. Most of the time my goal was reaching the unseen part of the target or getting stuff that others may have missed. I am doing all the stuff alone. For me it’s a solo vs squad situation. So I also have to train myself like that.

Believe me, this game is 20% technical stuff and 80% mindset.
There are no simple words to explain to you how to do the research or how to get things done. Just keep in mind that you should think creatively and differently and read a lot. Give back to the community. Try harder and never give up. You will be in a better position,
InshAllah

Lesson

  • Don’t Do It For Money. As you can see, I got started by seeing a guy post his bounty on Facebook. But you also saw how things went wrong for me. It’s not possible to stay motivated in this field if your only expectation is money, because you also have to spend a good amount of time studying and learning new stuff. If you can’t be the Best, then be the Beast.
  • Take a Step Back and Learn New Stuff. Your current workflow or what you already know will not work all the time. You may have to do research or uncover the hidden part. Track your activity to see whether you are learning new stuff or not. I am not smart enough to beat you, so I am working hard so that you may not beat me.
  • Find what you are good at. This is the most important part. I was trying all the stuff and tracking where I was doing well, so I could choose it as my primary weapon. Injection attacks worked worse for me, but recon stuff worked well. In the same way, you should also know where you are doing well and where you are failing most. Now I may learn injection attacks with more attention, as I know I am weak at it. At the end of the day I just know I have to do it. How? I don’t know.

What Not To Do

  • Don’t ask people things you can Google. How to do that, how to do this: don’t ask those types of questions. Just Google it and read from the first page to the last page, and you will get the idea. If you are stuck with any tool, then create an issue on its GitHub repo or read the docs properly. If you are still stuck, ask in public places, like tweeting about it or asking in Discord groups.
  • Don’t ask random people for their POC video. Well, this is important; don’t take it as fun. Most of the time a POC contains sensitive actions or maybe something that the reporter doesn’t feel comfortable sharing. Just ask for the theoretical idea or the steps to reproduce instead of asking for the raw POC at your email address.
  • Don’t expect much from people. As you can see, it’s really a hard place to work in. Most of the time people are busy with their own pain. So don’t expect that someone will spoon-feed you. You have the same internet that others have. If they can, then you can too.
  • Don’t follow random guys on the internet. Believe me, it will waste a lot of your time. People around you will confuse you in different ways. So make sure you are following fewer people, but the original ones. Especially don’t follow random YouTube hacking channels. I wasted a lot of my time there, personally speaking.

References

Here are the resources I followed most in my 1st year of Bug Bounty journey

Reward

Well, now it’s not an important part of this write-up. Still, let’s talk a little bit.
I like to manage my Bug Bounty records on Notion like this

I will not be sharing the whole record as it makes no sense. But I will give you some idea so you know what to generally expect. I hacked 19 companies and got paid in cash for 30 unique bugs. Hacked 4 companies that gave me swag, including the Dutch Gov. Hacked 27 companies that put my name on their HOF. Hacked 5 companies that provided me a certificate as appreciation.

You can do more or maybe less; that doesn’t matter. What matters is: Just Do It.
