DEV Community

Muhammed Batuhan Aydın
How to Get Started with Bug Bounty?

I would like to thank Stable Diffusion for producing the cover image.

Hello everyone, I'm Muhammed Batuhan Aydın. Today, I'll be talking about the bug bounty field, something that many people have in mind, that some wonder how to get started in, and that some practise as a profession.

What is Bug Bounty?

Bug bounty is an open call from an organization to an external person or group to find security vulnerabilities or flaws in their digital assets such as web sites, mobile applications, software or systems, in order to increase their security. This call includes paying a monetary reward to the individuals who find security vulnerabilities or flaws in these assets during a specified period. These individuals are usually referred to as "hunters" or "researchers."

Bug bounty programs are used as a powerful tool to quickly and effectively identify security vulnerabilities and flaws in an organization. These programs not only help to detect errors but also help organizations protect their reputations and avoid legal issues.

Bug bounty programs are used by many different organizations, ranging from open-source software projects to government agencies and large corporations. These programs typically offer a variety of rewards, such as money, vacations, equipment or other rewards determined by the organization, to researchers who identify bugs.

Bug bounty programs are a great way to detect and prevent security vulnerabilities that hackers and malicious users can use to harm organizations. Therefore, many organizations make efforts to increase the security of their digital assets and protect themselves against malicious attacks by using these programs.

Change Your Mindset

This is probably the part that most people struggle with and skip. Unfortunately, most new-generation security professionals who enter this field are more concerned with how much money they can make than with enjoying their learning and their work. The outsider's attitude of "a self-XSS is worth 200 dollars, bro" stops you from taking the work seriously and also stops you from enjoying it.

Start by educating your mindset first. Do not forget that the first vulnerabilities you find may be rejected, classified as informational, or that you may find no flaws at all. In my view, this is an unlimited source of entertainment that helps me to constantly improve myself and keep up with the technologies that many companies use in their work. When you treat bug bounty as a hobby, which is much more accessible and sensible in terms of mindset and motivation, it becomes an activity that you can both enjoy and earn money from.

Beginner Level Books

After setting your thoughts and motivation, there are many articles and resources available on the internet and dev.to that you can use to educate yourself. However, books can be really effective. If you are new to bug bounty, beginner level books can provide you with basic knowledge. These books cover topics such as web application security, network security, programming, and security testing techniques. Useful books in this regard could be "Web Application Hacker's Handbook" and "The Basics of Hacking and Penetration Testing."

Web Application Hacker's Handbook: https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470

The Basics of Hacking and Penetration Testing: https://www.amazon.com/Basics-Hacking-Penetration-Testing-Ethical/dp/0124116442

Online Courses

I am torn about writing this section, as some people believe that bug bounty cannot be learned through courses. However, while I have never been someone who learned through courses, I have met hundreds of people who have learned something through them. Online education platforms such as Udemy, Coursera, and edX offer a wide range of courses and programs in various security-related topics. My personal favorite has always been Coursera. If you cannot afford to pay hundreds of dollars for a course, you can explain your situation to Coursera and they can offer you the course for free.

Practice

It is important to note that any website you find on the internet is not your sandbox for practice. Do not attack any organization's website or apply security tests without permission, even if you know very well what you are doing. You do not want to deal with legal processes, which can be very painful and sad in many countries around the world.

However, security professionals who ask themselves how they can practice have come up with many solutions. Online platforms like HackTheBox, TryHackMe, and PortSwigger Web Security Academy offer virtual labs with different security scenarios. These labs mimic real-world scenarios and allow you to improve your ability to detect and solve security vulnerabilities.

Open Source Projects

If you've been in this profession for a long time like me, you know that open source developers who write code are superheroes and everyone loves them. You can skip this part because I'm going to praise open source.

The world is grateful to the people who write Open Source code. These individuals are improving the software world with the philosophy of free software. Open Source developers, who develop software for the benefit of society beyond their own interests, play a significant role in today's technology world. Open Source developers spend their time and effort to make their code open source, making it easier for developers to review, enhance, and modify it. This results in better software products. The contribution of Open Source developers to the software world is not limited to better software products. They also provide educational materials and help resources for people with different skill levels. This way, anyone who wants to participate in the software development process can improve themselves by using the resources provided by Open Source developers. Open Source developers also highlight the advantages of open source software. They believe that open source software enables more people to participate and contribute, resulting in better software products and a wider distribution of benefits to society.

In conclusion, people who write Open Source code make significant contributions to the development of the software world. By investing their time and effort, they make the software world more open, transparent, and free. These people play an important role not only for the software world but also for society. It is our duty to appreciate, support, and encourage them.

As someone who develops Open Source software, I would like to extend my appreciation and respect. Contributing to Open Source projects and software can help you better understand real-world scenarios. These projects may have various errors in application security, network security, and other security issues. By contributing to these projects, you can improve your skills in detecting and reporting security vulnerabilities.

Join Communities

Unfortunately, Hollywood has created a weird stereotype of the Cyber Security expert or "Hacker" in people's minds over the last century. This has left anyone new to the Cyber Security field with an image of someone "acne-prone, hoodie-wearing, socially awkward, friendless, sociopathic, excessively thin, and asocial". In reality, Cyber Security communities are made up of people who love to help each other, and they do this without expecting anything in return. The same goes for me: if you have any questions, you can send them to me in any way you like via my social media accounts. These communities are mostly found on the internet, where researchers from different countries, languages, and sectors come together to exchange ideas, ask questions, and share what they have discovered. They can be accessed through platforms such as HackerOne, Bugcrowd, and Reddit's bug bounty channels.

How Long Will it Take?

I think this is one of the questions I am asked most frequently. People start asking it a few days or weeks after they begin. Unfortunately, I cannot give you a clear date, just as I cannot give one to anyone. However, the advice I will give you here is to never lose your self-discipline. Reading a few articles, practising, or learning a new technology when you come home from work in the evening, after school, or when you wake up in the morning will help you develop in this field even if you don't make a career out of it.

I look forward to publishing my next piece, "A day of a hacker", next week. Don't forget to follow me for my future posts.

For your questions: you can message me on LinkedIn or write a comment under the post. Happy Hacking!