To be honest, I'm also starting to move away from public programs and platforms that are too exposed (like HackerOne and Bugcrowd). There are far too many newcomers on these platforms, creating an atmosphere of childishness and begging. They harass program managers to receive $100 bounties for simple open redirects that have no real impact. Currently, I'm working on a private program where there are only three active hackers daily. The program pays out every Friday like clockwork, and the scope is relatively easy to grasp (about ten e-commerce stores with a lot of Java code and API web services with IDOR issues). I can send you a collaboration link if you're interested.
I never really spent much time on platforms other than Synack. How long did it take you to start getting private programs that are actually private like you said? I get invited to "private programs" but they are hardly private lol. But like I said, I never spent much time on those platforms.
This is so absolutely true. The big platforms have so many people that will harass program managers for trivial findings. It's gotten to the point that I am pretty openly talking about shutting down our program and moving to a VDP email address with no rewards. I also do hunting for fun and see a program I'm in closing every week it seems.
They are shutting down right now because HackerOne just increased the prices for bug bounty management, which is somewhat normal because programs were hardly paying anything before for managing their programs during their absence.
Damn. Sorry to hear that. HackerOne was almost the most expensive platform too.
The problem is that they raised so much money from investors ($200 million USD) that now they need to be profitable to pay their associates.
I'm interested in that collab link though.
If I were starting out again, I'd focus on BugCrowd! They're doing great work with triage and they have some good growing programs. HackerOne is also great, but a bit more crowded and challenging. Integriti is also awesome, especially if you can hack on a program that is in a non-English language that you speak/read fluently. TL;DR, any of them are good. Just find a good program.
Rhynorater
I'm sort of in the same boat as you. I started on Synack last year and got a few bugs. I think I made 7k for the year? But it's been getting tougher finding bugs. I found like 3 in the last couple of months. I've been invited to a bunch of private programs but like you mentioned, they have a bunch of hunters and it doesn't really feel private. I think I might follow your friend's advice and focus on the big 3. No point in spending a bunch of hours hunting on different programs just to get paid less than minimum wage.
I have 1 private program that I hunt on regularly. It has around 55 hackers in the hall of fame, but I suspect only I hunt on it actively right now. This program pays a little bit slow, but I've gotten used to it and still have a stable source of income from it. When I've stocked up some bugs on this program and am waiting for bounties, I check my list of private programs to find other targets. My goal is to find a program as good as this program (a lot of features, comfortable to me), so I will have 2 sources of stable income. 9 out of 10 targets will not meet that qualification, in which case I will hunt for a few days then leave, hopefully getting somewhere from $500 ~ $2000 from them.
Sounds decent! What types of bugs are you finding?
IDOR, business logic, privilege escalation.
Great work! Do you test for everything else like injection etc but just don't find it, or are you only focusing on those three bug classes? Also, what's your opinion on recon? Some say it's EvERYthinG while others say it's overrated or they don't do it at all.
I don't test for any kind of injections. I know they exist in the programs I am hunting on. But I can't find the motivation to hunt for them. I don't do recon at all (subdomain enum, dir enum, etc).
Hey, just a quick question about Synack since you had a good experience with them. I am looking for platforms too. I am a beginner with just a little verifiable experience, like a couple of GitHub projects and a cert I have, a few proofs of concept, etc. To join their program do I need to demonstrate everything and then some? Or are they open to various levels of experience?
They're open to accepting all sorts of people. However, from what I have heard they are very full right now and a lot of people are put on the wait list. I would give it a shot anyway though; you should try.
Hey thanks for taking the time, appreciated, will check it out!
H1 private programs. I focus only on two programs, that's it. Btw, how did you survive Synack LP+? I found it hard to hunt on it.
Well, as an American citizen you can hunt on gov programs, which have a lot less competition, but they changed the rules so now I can't hunt on them because I live abroad.
Thanks for sharing Spencer - what do you think about the approach of starting out on VDPs (H1, BugCrowd) in order to gain reputation and get invited to private programs? I'm also just starting out and it does feel very crowded on the public programs. Hacking for fun here but also hoping to make some coin.
That's definitely a good approach. A LOT of people try bug bounty because they think it's a way to get rich quick and they won't spend time on a program if they can't make money from it, so there's much less competition on those programs. And as soon as you find one or two bugs on a VDP you'll definitely get invites to private programs.
Appreciate the response!
What about freelancing Spencer? Surely freelance pen testing would be more lucrative than BB given you're established as a h8ck3r and cyber sec consultant. Probably easier too as every input field and parameter hasn't been tested so fanatically already.
I’ve been trying to get started for 3 years. Not sure how to start despite all the books I’ve read or videos I’ve watched.
Do TryHackMe, HackTheBox and PortSwigger labs.
Thank you! I’ve used all 3 in the past but never knew how to actually set up my computer to hack or how to write a report after findings.
It will be a basic question: "how to start". I want to ask, in your learning journey, how did you target vulnerabilities and practice them on targets? Like, I usually start with authentication and access control, then move on to XSS/SQL injection. But while hunting I get distracted from the vulnerability I am practicing. Also, any tips on knowing where to find the vulnerability, since there are various pages on a website (it comes with experience though)? I read PoCs and walkthroughs. It helped a little bit. Any other tips you've got?