This article is the following of the previous one (obviously…) about why I love bug bounty. However I realized that that one sounds like everything is perfect in this job, but since the world is not whole pinky full of rainbows, and butterflies, and unicorns, I have to say the truth. Long time resolution, loneliness, deception, companies, there are also bad points (or maybe I’m just frustrated to get so much duplicates these days xD).
Find vulnerabilities in Flash SWF
As a user I would say that I don’t care about all these Flash stuff that try to catch my eyes, most of the time I have a plugin to disable them. As a developper, it reminds me the (not so good) old time when the marketing peoples always wanted to add “movement” in the website, yeah it looks so kool! As a hacker, well… I didn’t know how nice it could be, but I recently learned how to find issue in there and it’s funny as hell. I was close to the success as I quickly found 3 XSS, but unfortunately all my reports were marked as duplicate :/
Subdomain enumeration
A friend recently asked me what methods I use to find subdomains. To be honest I was confused, like “oooohhh so much, brute force mmm… zone transfer and… brute for… wait Google and mmm… many other tools!” What a shame that I was so inaccurate after so much time spent to look for subdomains. Time to dig a little bit! After I wrote a list of the most popular methods, I tried to make a list of some tools and online resources to exploit them. Of course this list is far from exhaustive, there are many new stuff every day, but it’s still a good start :)
Why Bug Bounty
People are usually surprised by the answer when they ask me what I do for living, questions rain, here are some answers. My first report was a XSS on a Yahoo acquisition, it happened the 26th January 2016. Since this date, I (try to) perform Bug Bounty as a full time job on Hackerone. Did I say “job”? I don’t really consider bug bounty/hacking as a “job”, it’s more a hobby or a passion, because you have to be passionnate to perform in this domain. So let’s say that bug bounty is my main source of income. Below why I do this “job”, why it fits perfectly to me and why I love it.
The bug bounty program that changed my life
This is a real story or not, that occured in mid 2017 or not, about a private program or not, on Hackerone or not, believe me or not, but it changed my life. I would like to thanks all the people from this company I talked with. They were very nice with me, very fast to fix the bugs and I always got the rewards in less than 7 days, frequently the day of the report, even for the smallest bugs. Thanks to them, I wish we could find more program like this one.