This is a motivational, not a technical, post.

It took me 10 months to score a paid bounty, but the story is far more complex and much more interesting than that.

In 10 months I’ve found more than 50 bugs, some of them valid, some of them duplicates, and some of them N/A. Most of these bugs are on external (non-platform) programs that I look for myself. I love the concept of self-reliance because it adds a personal touch to my self-confidence.

For me personally, it is far more lucrative to work directly with the technical team to solve security issues than to work through third-parties and platforms which, despite having some benefits, have a lot of drawbacks.

One of the major drawbacks, in my view, is the incentivized system. For some hunters, this is a huge benefit. It is a huge benefit to see reputation going up and cash flowing in.

However, more often than not it puts a lot of pressure on the researcher, it can lead to burnout, and most importantly, it takes out the ‘fun-curious-laidback’ innate nature of the hacker. It turns one into a slave of the rat race. Who do you want to be(come)?

When you work under pressure, curiosity is killed. I am guilty of that myself because for the first few weeks of my bug bounty adventure, I was doing it through public platforms. I am also part of a private bug bounty platform, but I’m not active there.

When I realized that I want to be in full control of the pace at which I advance as a security researcher and that I’m in it for the process of discovery itself and for satisfying my innate curious nature and not for a goal or target itself, that’s when I began looking for external programs. Don’t get me wrong, I still like the financial aspect of it. However, money is not the priority, but a side-effect.

This perspective keeps me engaged and in love with the process. I do not have to take breaks from hacking to prevent the ever prevailing ‘burnout’ because the joy of what I do and the non-pressure aspect of it act as antidotes to burnout.

How do you find good external programs? This is a tricky question, but if you’re a hacker, I’m more than certain that you’ll find your way through. It’s not easy, but the number of good programs out there is ever-growing. I’d like to thank @edoverflow for opening my eyes.

Throughout these 10 months, inspired by the hacker community, I’ve developed my personal recon methodology, which is more than 20 pages of tactics and techniques. A few of these methods and my mindset behind the methodology are going to be in an upcoming course about recon in security research.

I’ve also devoted liberal time to learning and doing mobile security testing, and this has led to me finding a lot of bugs.

I’ve learned that I don’t like web app pentesting even though I’ve been doing it a lot. Moreover, it feels like I’ve developed a repulsion to it, and I think it’s because the majority of security researchers are doing it. I hate XSS and I despise CSRF. Period.

As for the details of my first scored bounty…

I found the target via dorking. I sent a message to the security team to get a hold of their responsivity. They replied the next day. I decided I should then look into their assets.

I started with the mobile application. My mobile security testing methodology is ever increasing and it’s going to be far more complex, lengthier, and more extensive than my current recon tactics. However, it’s even more joyful because it has different components to it, such as: analyzing permissions and access controls, reverse engineering, static and dynamic analysis, recon, dynamic testing, storage analysis, etc. I work with a couple of very popular free tools that all security researchers have access to.

As I gain more experience and as I find security flaws faster and faster, I learn that what differentiates a good researcher from the majority is not the tools (most hackers use the same tools) but the intuition they develop with experience by using these tools, as well as how they masterfully combine automation, tool usage, and manual hacking.

Back to the story, while doing reverse engineering on the application, I found that it’s communicating with a few storage endpoints. I tested all of these storage points and I found one that was vulnerable. While the access to it was forbidden, I used a trick to bypass this access control checkpoint.

I submitted a very quick report and they replied the next day. This was an easy find. The program is a big cryptocurrency exchange and they rewarded me in cryptos. The reward was relatively small, the satisfaction incomparably bigger.

There’s a lot more work to do on this program and I’m quite excited about what I’m going to learn as I take sufficient time to enjoy the hacking process. I don’t want to be part of the overwhelming majority and I’m going to take as much time as I need to ever expand and refine my skills.

Throughout these 10 months, I frequently tweeted about my failures. You don’t get to see much of that on social media because everybody likes to brag about their 10k rewards on bounty platforms, which is another reason for the widespread burnout.

Be brave enough to design your own journey. Then make your best effort to enjoy the hell out of it!
