How penetration testing can aid your journey into bug bounty is a topic that is rarely discussed properly, and few articles cover its ins and outs in depth.
Money is very important, and so many people who are cybersecurity inclined (newcomers and students taking a course or training in cybersecurity, or who have just completed one) keep asking: how do I get into bug bounty? How do I find my first bug in a bug-bounty program? Can I make bug bounty a full career path?
Most people join bug-bounty platforms such as YesWeHack, Open Bug Bounty, HackerOne, Bugcrowd, and the newest one on the block, Intigriti. The common challenge is that they simply pick up the tools they know and start hacking. They follow the approach of a crocodile (not studying its prey, succeeding only by the luck of its natural habitat), instead of the approach of a leopard (carefully studying its prey before pouncing and feasting majestically).
The former (the crocodile approach), when used by newcomers, leaves them at the mercy of the habitat (the organization the bug was reported to): the finding turns out to be either out of scope or previously reported (a duplicate). If you owned a business, you would not want to pay for the same thing twice either, right? Some organizations may compensate them for the effort of trying; others will not, as they go strictly by the rules they laid out.
The latter (the leopard approach) is the hunter who knows the do's and don'ts, studies the prey, and feasts (earns much more) on their findings, reporting new bugs together with a proof of concept (PoC). They strictly study the rules, understand the concepts and, most importantly, know which tools to use at every stage of the hunt. These people have been in the cybersecurity profession for a long time, are known for their bug reports and the funds they have amassed, and understood penetration testing and applied its skills to bug bounty. These people are what we call Professional Bug Hunters.
How do you understand Bug bounty?
Take for instance the movie Django Unchained (written by Quentin Tarantino): the bounty hunter always carries a flyer with a bounty written on it. He moves from town to town, country to country, looking for the wanted criminal (in our case, the bounty platforms mentioned previously, where hunters look for bounty programs).
Pause here, and now you will understand bug bounty:
On some of the flyers the bounty hunter holds, you see the word Wanted (consider this to be what an organization asks for in its program on a bug-hunting platform), and, just as vital, the words Dead or Alive (consider this the scope or rules of engagement in bug hunting). Why? Dead or alive is the scope that validates the reward. If the flyer says wanted alive and the hunter brings him in dead, he may be paid half the bounty, or nothing at all, depending on the sheriff paying out (the organization running the bug-bounty program). You will have seen this in certain movies, when the sheriff argues with the bounty hunter because the requirements were not met.
So you see, it is important to read the scope if you want to earn a reward without a hitch. In summary, we have an idea that bug bounty is our go-to for making money quickly.
Concept of Penetration testing:
By definition, when we perform penetration testing we simulate a cyber-attack in order to exploit the target system, server or even network. During a penetration test we can exploit already-known vulnerabilities that have public exploit code, or sometimes discover a new one and build our own proof of concept (PoC).
Now when we pentest (conduct penetration testing), either for a client under contract or for the organization we work for, we are exposed to a larger environment and facility. The scope of work may be broader than a bug-bounty program, yet less specific.
Confused? Let's explain.
Broader:
Here is what we mean. If we compare bug bounty with penetration testing of an organization (taking a shipping company as the example), the bug-bounty program listed might cover only the server hosting their shipping cart, whereas a penetration test of the organization might allow you to test an entire building, including physical security and much more, as well as the servers. So, compared with a single program listed on a platform, the penetration test of a facility is much broader when we compare the two scopes of work (pentesting an organization versus a bug-bounty program).
Specific:
Why a bug-bounty scope of work may be more specific than pentesting an organization is this: in bug bounty, reporting a bug that was previously reported does not count (any exception is at the discretion of the company running the program), because the organization may already have remediated it and, of course, paid out for that particular bug; it also holds the PoC document, which it can refer to in order to fix it.
Pentesting an organization is different: things may have changed drastically, or the previously reported bug may have been declared fixed when it has not been. So rediscovery causes no hitch or problem, because a penetration test for an organization is contractual (the price was agreed before the test was carried out).
Understanding Bug-Bounty and Penetration testing Distinctively:
- Bug bounty is done through a platform.
- Penetration testing of an organization is based either on contractual terms or on working for the organization itself.
- Bug bounty is more like organized freelancing, with the reward determined by the severity of the disclosure or the amount the program awards.
- Penetration testing depends on contractual terms.
- Penetration testing rules of engagement can be negotiated. Say gaining access to the administrative building requires an access card, but the existing rules of engagement do not allow you to clone one; you can negotiate a new term and state the reason, if that building houses the facility you need to test (assuming you wish to conduct physical testing).
- Bug-bounty rules of engagement are fixed (no negotiation) and already documented on the platform running the program.
Their Similarities:
Similarities based on scope:
Both bug bounty and pentesting an organization have a properly defined scope.
The difference is that a bug-bounty program usually has a limited scope, while a penetration test can have a wide one. For example, depending on the type of test being conducted, an organization outlines the scope, and you can negotiate more scope while drafting the RFP (Request for Proposal) and RFQ (Request for Quotation), whereas in bug bounty there is no negotiation: what you see is what you work on.
Similarities based on rules of engagement: both bug bounty and pentesting an organization always define the rules of engagement, what to follow and what not to do.
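As an added example (not code from the original post), here is a small Python scope checker that encodes the "what you see is what you work on" rule from the scope discussion above: it takes the in-scope and out-of-scope host lists a program page publishes and refuses any target that is not explicitly covered, with out-of-scope entries taking precedence, so a hunter can filter a subdomain list before pointing any tool at it. The program, the example-shipping.com domain names and the wildcard convention (a `*.` entry covers subdomains but not the apex unless the apex is listed on its own) are all constructed assumptions, not any real program's policy.

```python
from urllib.parse import urlparse

# Constructed scope, modelled on the in-scope / out-of-scope lists a platform
# program page publishes. Hypothetical program and domains, not a real policy.
SCOPE = {
    "in": ["*.example-shipping.com", "shop.example-shipping.com"],
    "out": ["blog.example-shipping.com", "*.staging.example-shipping.com"],
}


def host_of(target):
    """Accept a bare hostname, host:port, or full URL and return the lowercase hostname."""
    if "://" not in target:
        target = "//" + target          # lets urlparse treat the string as a netloc
    host = urlparse(target).hostname    # strips scheme, port, path, credentials
    if not host:
        raise ValueError(f"no hostname in {target!r}")
    return host.lower()


def matches(host, pattern):
    """Match one scope entry. Assumption: '*.base' covers subdomains of base only."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # suffix match on '.base', so 'shop.example-shipping.com.evil.net' does NOT match
        return host.endswith("." + pattern[2:])
    return host == pattern


def in_scope(target, scope=SCOPE):
    """True only if the host is explicitly in scope and not excluded.

    Out-of-scope entries win: a program that lists a host in both places is
    telling you not to touch it, and an assumed-in-scope duplicate or
    out-of-scope report is exactly what earns nothing.
    """
    host = host_of(target)
    if any(matches(host, p) for p in scope["out"]):
        return False
    return any(matches(host, p) for p in scope["in"])


def filter_targets(targets, scope=SCOPE):
    """Keep only the targets a hunter is allowed to test under this scope."""
    return [t for t in targets if in_scope(t, scope)]


if __name__ == "__main__":
    # Constructed candidate list, as a subdomain-enumeration tool might emit.
    candidates = [
        "https://api.example-shipping.com/v1/cart",
        "shop.example-shipping.com:8443",
        "blog.example-shipping.com",
        "db.staging.example-shipping.com",
        "example-shipping.com",
        "shop.example-shipping.com.evil.net",
    ]
    for t in candidates:
        print(f"{'IN ' if in_scope(t) else 'OUT'}  {t}")
```

The host check is only the mechanical half of reading the scope: rules such as "no denial of service", "no social engineering" or "testing only with your own account" cannot be expressed as a host list and still have to be read and followed by hand.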
How Does Pentesting aid you in Bug-Bounty?
The master with 99 skills (penetration testing of an organization) will always have a new trick in the bag, compared with the master who has only one trick (starting straight with bug-bounty programs) and no bag at all.
If you understand penetration testing from a broad perspective, your approach to bug-bounty hunting works like a funnel: wide at the top, and at the bottom narrowed down to the specific things you are looking for and to the stated rules of engagement. Because you have the broader knowledge, you can fit it to the various perspectives and challenges you encounter during a bug-bounty program.
This is all the more reason to learn much more about penetration testing: it gives you the large view (pentest) whose concepts you can apply to the narrow view (bug bounty). Penetration testing an organization also exposes you to a pool of tools, so you know which tool fits the program you are testing when hunting a bug.
So, asking how do I get into bug bounty? How do I find my first bug in a bug-bounty program? Can I make bug bounty a full career path? is fine, but not quite fine if you do not understand penetration testing. As the saying goes, "First you learn, then you earn." If you understand penetration testing and its concepts, then you can hunt a bug; in fact, it is easier to get into bug bounty when you have learnt penetration testing than when you have no knowledge of it.
Share your thoughts on this in the comment section below.