What if bug bounty platforms had their own contest? Imagine a tournament where bug hunters would be promoted and sponsored by platforms, like in every sport. Imagine an event where they could fight on a dedicated scope as they would in a CTF event but with bounties, or a HackerOne event but with a huge competition in the background. This is THE HUNTER GAMES.
One of the first things I learned when I started in security is that the report is just as important as the pentest itself. Some bug bounty platforms give reputation points according to the quality. While there are no official rules for writing a good report, there are some good practices to know and some bad ones to avoid. Mine are probably not the best, but I never had any problem with any company; it’s also pretty rare that the secteam asks for more information, since I try to detail as much as I can in the initial report. Let me give you some tips and the global pattern of my templates. If you like it, use it; if not, then create your own :)
Here is the story of a bug I found in a private bug bounty program on HackerOne. It took me exactly 12h30 (no break) to find it, exploit it and report it. I was able to dump the AWS credentials, and this led me to fully compromise the account of the company: 20 buckets and 80 EC2 instances (Amazon Elastic Compute Cloud) in my hands. Besides the fact that it’s one of the best bugs in my hunter career, I also learnt a lot during this sprint, so let’s share!
One month ago I started to hunt on a new private program. Since we were in touch by mail and since their office is pretty close to my place, I proposed to meet. They immediately accepted. We talked for an hour about security, my job, and their program. That was so interesting; question after question, we learned a lot from each other. I thought it would be nice to share this experience, as some people probably have some of these questions in mind, so in this article I tried to summarize our interview.
As a full-time bug hunter, it’s important to use the tools you are comfortable with; sometimes a small improvement can change your life. During the great 3-day course presented by Nicolas Grégoire, he showed us a browser called Autochrome. Combined with a tiny Burp Suite extension, it becomes very easy to visualize the things you really want to see and reduce the noise for your eyes. In this article I will show you my current configuration.