A bug hunter’s guide to bounty universe


Transcript of A bug hunter’s guide to bounty universe

Page 1: A bug hunter’s guide to bounty universe

Tips, tricks and things you should know

A BUGHUNTER’S GUIDE TO BOUNTY UNIVERSE

Page 2: A bug hunter’s guide to bounty universe


WHOAMI

$ id -un
Faraz Khan

$ groups farazkhan
Bugcrowd Application.Security.Engineer Hacker _Bountyhunter Penetration.tester

$ lastcomm farazkhan [Activity logs]
Bugcrowd Tech-OPS team member
Bounty Hunting
Writing Articles at SecurityIdiots.com
Working as a penetration tester

Page 3: A bug hunter’s guide to bounty universe

AGENDA

– How we handle generic scenarios
– How and when to escalate
– Things we consider when inviting researchers for privates
– Understanding the program briefs
– Vulnerability taxonomy standards

Page 4: A bug hunter’s guide to bounty universe

SYSTEMIC BUGS

– How we handle such situations
– Vulnerabilities that may fall under these criteria
• CSRF
• Missing Authentication/Authorization
• SQLi
• XSS
• File Upload

– Why/how Systemic bugs may cause


Page 5: A bug hunter’s guide to bounty universe

DUPLICATES BUT DIFFERENT PRIORITY/IMPACT

– Finding out the difference
– Minor impact submission after a higher-risk one
– Higher impact submission after a lower-risk one
– Prioritize as per the extra impact found

Page 6: A bug hunter’s guide to bounty universe

SAME BUG IN A URL BUT DIFFERENT PARAMETER

– Reflected XSS
– Stored XSS
– SQLi
– Missing Auth
– Open Redirect

Page 7: A bug hunter’s guide to bounty universe

SUBMISSION WAS ONLY REPRODUCIBLE WHEN REPORTED.

– Proof of concept
– Applicability of the vulnerability's existence
– Current behavior of the application

Page 8: A bug hunter’s guide to bounty universe

SCOPE CONTAINS MULTIPLE DOMAINS, BUT ONLY THEIR LANGUAGE VARIES

– Why would they insert such domains?
– Same bug on different domains: will they be considered as one?

Page 9: A bug hunter’s guide to bounty universe

WHY XSS PRIORITIES MAY VARY

– Self Reflected/Stored XSS
– Authenticated XSS
– Unauthenticated XSS
– Higher-level user to lower-level user
– Lower-level user to higher-level user

Page 10: A bug hunter’s guide to bounty universe

SUBMISSION CLOSED EVEN AFTER GETTING TRIAGED

– Closed as N/A
– Closed as P5/Won't fix
– Closed as duplicate

Page 11: A bug hunter’s guide to bounty universe

DIFFERENT URLS BUT STILL CLOSED AS DUPLICATE

– RESTful URL
– Universally vulnerable parameter
– Systemic bugs

Page 12: A bug hunter’s guide to bounty universe

XSS - INSERTION POINT VS EXECUTION POINT

– Insertion point
– Execution point
– Different ways to patch

Page 13: A bug hunter’s guide to bounty universe

HOW AND WHEN TO ESCALATE

– Standard response time
– Unclear closure of submission
– Lesser priority
– Lower reward

Page 14: A bug hunter’s guide to bounty universe

THINGS WE CONSIDER WHEN INVITING RESEARCHERS FOR PRIVATES

– Rank under 250
– Verified researcher
– Finder of higher impact vulnerabilities
– Activity logs
– Trusted researchers
– Researcher's behavior

https://blog.bugcrowd.com/a-look-at-private-bounty-program-invitations/
https://blog.bugcrowd.com/become-part-of-the-id-verified-crowd

Page 15: A bug hunter’s guide to bounty universe

UNDERSTANDING THE PROGRAM BRIEFS

– Scope
– Out of scope
– Exclusion list
– Other exceptions

Page 16: A bug hunter’s guide to bounty universe

VULNERABILITY TAXONOMY STANDARDS

– Vulnerability standards and priority taxonomy
– Bug variants
– Standard taxonomies vs program briefs

Page 17: A bug hunter’s guide to bounty universe

Questions?

Learn more and get in touch:

BUGCROWD.COM

Page 18: A bug hunter’s guide to bounty universe

Code:

Bountycraft code for attending this talk: tuner lure diopside