WHAT IS BUG BOUNTY? WHAT IS BUG BOUNTY PROGRAM?

written by Nishmi Amin on 30/06/21

A bug bounty is the reward you get after you identify and report bugs or errors in a system that cause major security problems for that system. Bugs are the main reason an application or piece of software behaves or responds differently from its intended behavior.

If you find the most critical bugs, like injections, you get thousands of dollars as a reward. The minimum reward is 500 dollars and, depending on what type of bugs you find, it may increase up to millions of dollars or so.

(Related: TOP 6 CYBER SECURITY JOBS IN DEMAND 2021)

Credits – www.freepik.com

WHAT IS BUG BOUNTY PROGRAM?

A bug bounty program is a program offered to individuals who identify and report bugs back to companies, websites or developers. These programs reward individuals for finding vulnerabilities before they cause security incidents.

Netscape launched the very first bug bounty program on October 10th, 1995, which offered cash rewards to those who were able to find security bugs in their Netscape Navigator 2.0 Beta.

Tech giants like Google, Microsoft and Intel, web browser vendors, search engines, and many more companies with millions of users announce bug bounty programs from time to time. They create a separate bug bounty section on their website where you need to enroll in that program.

You then need to find bugs in the platform for which the program is announced. Once you find and report the bugs, you get rewarded accordingly; this reward is famously known as a BUG BOUNTY.

Not only tech companies but even defense companies run such programs from time to time.

In 2019, Apple launched a bug bounty program for security researchers, and the top reward value was one million dollars.

WHAT TO STUDY?

Clear your basics

  1. Computer fundamentals (basics of computers)
  2. How the internet (HTTP) works
  3. Knowledge of computer networking (TCP/IP, OSI model)
  4. Knowledge of and hands-on experience with the command line interface (shell)
  5. Knowledge of operating systems (Linux, Windows)
  6. To test websites you need to know web technologies like HTML, CSS, JS and backend frameworks
  7. Master at least one programming language (Python, C, Ruby)

BE UNIQUE, THINK DIFFERENT, STAY UPDATED

Credits – www.freepik.com

(RELATED: Best Operating Systems for Pentesting and Ethical Hacking)

SOME OF THE BEST BUG BOUNTY HUNTING TOOLS:

Burp Suite – Burp Suite is a proxy to intercept and manipulate web traffic (free and paid versions).

OWASP ZAP – OWASP ZAP is a proxy to intercept and manipulate web traffic (free version).

Wfuzz – Wfuzz (Web Fuzzer) is a tool designed for brute forcing web applications. It replaces every occurrence of the FUZZ keyword in a request with the value of a given payload. It can help you secure your web applications by finding and exploiting web application vulnerabilities. Wfuzz's web application vulnerability scanner is extended through plugins.

Sublist3r – Sublist3r lists subdomains using many search engines such as Google, Yahoo, Bing and many more.

Nmap – Nmap ("Network Mapper") is a free and open-source utility for network discovery and security auditing. It is a well-known and powerful tool for port scanning. Nmap also lets you use scripts to further customize its functionality.

Masscan – Masscan is an Internet-scale port scanner. It scans the entire Internet within 6 minutes, transmitting 10 million packets per second, from a single machine. Its commands are similar to Nmap's in many ways. It enables security researchers to run port scans on large swathes of the Internet as fast as possible.

Sn1per – Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.

XSStrike – XSStrike (an advanced XSS scanner) is an open-source tool that detects cross-site scripting vulnerabilities and exploits them. The tool is equipped with a powerful fuzzing engine that increases its accuracy.

Sqlmap – Sqlmap is an open-source penetration testing tool. It automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

Wpscan – WPScan is a WordPress security scanner. It is written for security professionals and blog maintainers to test the security of their WordPress websites.

Wappalyzer – Wappalyzer is a browser extension that uncovers the technologies used on websites. It discovers more than a thousand technologies in dozens of categories such as programming languages, analytics, marketing tools, payment processors, CRM, CDN and others.
