Bug Bounties - what are your experiences?

Has anyone here participated in a bug bounty? What’s it like?

I ran across this, which seems interesting if it’s legit. Maybe I should just try it!


I have not participated in a bug bounty, but I have done test fests where we tested someone else’s product. Did not get paid though. :frowning: But that was very fun and educational.

This looks like crowd testing, and it is kind of interesting that they clearly define how much it is worth to them to find a bug, or in this case a specific vulnerability. It will be interesting to hear if you join and what your experiences were.


I have and still am.
(I also work as a consultant for a bug bounty platform - intigriti at the moment :slight_smile:)

Example of well known platforms:

Long story short: it takes time & effort.

The 20.000 payment is ‘nothing’ compared to other companies. If you like hardware hacking (@conrad.braam) you could try intigriti’s new Intel program and scoop up bounties up to 300.000$.

Don’t expect to find bugs in the first week. Don’t expect to get money on your first bugs.
My first security bugs came about 3 weeks after I was on a program, and they were duplicates (= no money). There are people doing this full-time who put about 60-80 hours a week into this, so most of the findings at the beginning will be duplicates. Don’t get me wrong, finding a duplicate means you can actually do it! I’m not trying to scare you or anything, just letting you know my experience and telling you it’s going to be a rough start :smiley:

How it works behind the scenes: A company opens up a Program (private) and invites 10-20 top hackers of the platform, they scoop up all of the easy & decent bugs and get paid. After a long while the program becomes public (not always) and you can try to find some other bugs. It requires a lot of effort, especially in the beginning.

Functional bugs often don’t get rewarded unless they have a serious impact; IMPACT is super important. If you can prove it has impact, you get a reward. (Impact as in loss of data/money, bypass, takeover, leakage, … different in every case.)

I’m going to give you a tip: pick about 3 programs tops and STAY on the program. The longer you stay on a program, the better you get to know the program, and the easier it is to find bugs.
#StayInScope: make sure to read the scope carefully, because once you go out of scope you get nothing + you are not within the “safe harbor agreement” and can get sued.

The more experience and feeling you get for bug bounty, the more programs you can pick.
In the long run it’s a nice bit of extra money if you are able to find some nice bugs :wink:

If you have any further questions about bug bounty hunting, let me know! :slight_smile:


How to get into bug bounty:


@kristof you really know your bug bounty stuff - thanks for all the details! :nerd_face:


Well, I’ve been doing it for a few years now :smiley:
I may hope so!