Bug bounty hunters are highly-skilled hackers who detect security vulnerabilities and they are one of the most sought after professions in Japan today. The struggles to cope with rising threat of cyberattacks, along with huge costs that can incur to recuperate the losses are driving organisations to strengthen their cyber security.
Our recent Tokyo Cyber Security Meet Up uncovered the world of bug bounty hunting, bringing together like-minded experts as well as tech enthusiasts who might just be keen on joining the community. Joining us are experts in the field – Justin Gardner (Bug Bounty Hunter), Ruby Nealon (Computer Security Consultant), and Robin Lunde (Penetration Tester, PwC).
Moderated by Thomas Glucksmann and Gino Bautista, our discussion centred on how they ventured into this specialised field, as well as top tips for those who are thinking of breaking into this market both as a profession or as a hobby.
If you have missed the session, you may watch the full recording of it below.
What is Bug Bounty Hunting?
Justin briefly explained the term as a process where hacking companies, or hackers, act as ‘middle-men’ to detect bugs in software and address cyber vulnerabilities that organisations are facing. These hackers are then duly rewarded for discovering these vulnerabilities before they become a detrimental security issue.
How do Bug Bounty Hunters begin detecting a vulnerability?
Justin went on to share that the key is just to keep looking. Inspect authenticator routes, and unexplored, exploitable areas of the systems, web and software. These ‘dark and dusty’ corners are a great place to make a start on finding the most well-hidden bugs.
In his experience with a case he shared with everyone, a bypass took about four hours for him to find. The period of detecting something depends highly on the type of vulnerability, and it is also possible to detect multiple vulnerabilities after detecting a bug.
I am interested in Bug Bounty Hunting, but where do I begin?
Contrary to popular belief, there aren’t many barriers to get involved in this space as most tools are open source, and if you are pursuing it as a hobby, it might be worthwhile transforming this passion into a career.
1. Invest time in it
If it is something you intend on pursuing, this would come naturally as you need to research on the type of bugs that are out there today. Start narrowing your focus too and get familiar with specific vulnerabilities. If it works best for you to start off with small bugs, then go ahead with those first to understand the end-to-end processes, before attempting bigger targets.
2. Keep learning
Be familiar with your applications, software, scripts and stacks. Knowledge and curiosity is free so don’t worry about expanding your interests by reading up more. The most popular piece of community advice, and this is something that can probably be said of most any profession or hobby, is to always keep learning. This advice will get you far in the world, and it's certainly something we encourage ourselves.
3. Hack with a friend
Hacking with a friend keeps you motivated, and sometimes, your friend might also be a fresh pair of eyes after a long day of scripting. Get involved in the community as well. The speakers shared that most of the experts on this space are on Twitter, so if you are not already on it, it is time to create an account.
Below is a list of additional materials that you can get started on today!
Beginner’s guide to hacking:
- Penester Lab
- Hack The Box
- GitHub WebGoat
- OWASP Juice Shop
- Bugcrowd University
- Web Hacking 101
- Web Application Hackers Handbook
- ‘How to get into bug bounty’ by Thomas Glucksmann
- Technical Writeup of CVE-2020-13379
Your Bug Bounty Hunter Toolkit:
Taking the next step
We asked our speakers for some final advice for any would-be bounty hunters, from methods to discovering bugs, as well as their top resources that you can try out.
Ruby: “BugSuite has been the longest service tool for me. Anything to do with http requests, this would be your one-stop platform. For automation, I personally use tools that I’ve written myself, but you an interesting source that you can try would be BigQuery to generate lists. One thing to note is that you don’t need to really know how to programme, to programme. Trialling the tools on your own and at your own learning pace can be beneficial too.”
Robin: “You can easily do a quick search on google and there will be a 100% free tool that you can begin using. Which you pick doesn’t matter, as long as you can have a list to input, and a webproxy. Amass, Burp and Zap is good for learning if you are just starting out.”
Justin: “Depending on what bugs you are going after, you don’t need any more than 3 of the above mentioned tools. While a lot of the more successful bug bounty hunters have their own tools, don’t let it get in your way of starting out on your own. Ultimately, you don’t need the best algorithm to get it in place. Nonetheless, I do advocate to make your own tools to stand out. Git hub is also good for you to write scripts.”
There is no right or wrong way to begin
Ultimately, there’s no right or wrong method to start your journey. It all depends on personal preference and your own career goals and our consultants are ready to give you as much advice and guidance as you need.
Here at Computer Futures, we work with companies of all sizes which means we have access to some of the most in-demand IT jobs. So if you’re looking to find a new opportunity within the sector, or interested to look at IT job salary benchmarks, we can help.
You can either use our job search or sign up for a job alert, so we can notify you whenever a role comes up that suits what you’re looking for. You can also sign up for our upcoming webinars on our website here and be in touch with experts in the field.