DEV Community

qing
How I Earned $2000 Fixing GitHub Issues (Bug Bounty)

I still remember the day I stumbled upon GitHub's Bug Bounty program like it was yesterday. I was browsing through the platform, exploring open-source projects, when I saw a post about a developer who had earned a significant amount of money by fixing issues on GitHub. My curiosity was piqued, and I decided to dive deeper into the world of bug bounty hunting. Fast forward a few months, and I've earned over $2000 by fixing GitHub issues. In this post, I'll share my journey, the strategies I used, and provide you with practical tips on how to get started with bug bounty hunting on GitHub.

Getting Started with Bug Bounty Hunting

Before we dive into the nitty-gritty of bug bounty hunting, it's essential to understand what it entails. Bug bounty hunting involves identifying and reporting bugs or security vulnerabilities in software, websites, or applications. In return, you receive a reward, which can range from a few hundred to several thousand dollars. GitHub's Bug Bounty program is one of the most popular programs out there, with a wide range of projects to choose from and a generous reward system.

Choosing the Right Projects

To get started with bug bounty hunting on GitHub, you need to choose the right projects to work on. Look for projects that are actively maintained, have a large user base, and offer a bug bounty program. You can use GitHub's search feature to find projects that match your criteria. Some popular projects to consider include TensorFlow, PyTorch, and Django. When selecting a project, make sure to read the contributing guidelines and the bug bounty program rules to understand what's expected of you.

Finding and Reporting Bugs

Once you've chosen a project, it's time to start looking for bugs. This involves reviewing the project's code, testing its functionality, and identifying potential security vulnerabilities. You can use various tools and techniques to find bugs, including static analysis, dynamic analysis, and fuzz testing. For example, you can use the bandit tool to identify potential security vulnerabilities in Python code. Here's an example of how to use bandit to scan a Python project:

```python
from bandit.core import config as b_config
from bandit.core import manager as b_manager

# Load Bandit's default configuration (pass config_file=... for a custom one)
conf = b_config.BanditConfig()

# Create a manager; "file" aggregates findings per file, "vuln" per test
mgr = b_manager.BanditManager(conf, "file")

# Collect the Python files under the project, then run every Bandit plugin
mgr.discover_files(["/path/to/project"], recursive=True)
mgr.run_tests()

# Print each finding: test id, severity, confidence, location and message
for issue in mgr.get_issue_list():
    print(issue)
```

This code creates a BanditManager with Bandit's default configuration, discovers the Python files under the project, runs the scan, and prints each finding. You can use this code as a starting point to create your own bug hunting tools, for example by filtering the issue list on severity or confidence before printing.

Reporting Bugs

Once you've found a bug, it's essential to report it to the project maintainers. Make sure to follow the project's bug reporting guidelines and provide as much detail as possible about the bug. This includes steps to reproduce the bug, expected behavior, and actual behavior. You should also include any relevant code snippets or screenshots to help the maintainers understand the issue. Here's an example of a bug report:

# Bug Report

## Summary
The project's authentication system is vulnerable to a SQL injection attack.

## Steps to Reproduce
1. Create a new user account
2. Attempt to login with a malicious username

## Expected Behavior
The system should prevent the malicious username from being used.

## Actual Behavior
The system allows the malicious username to be used, resulting in a SQL injection attack.

## Code Snippet

```python
username = request.args.get('username')
query = "SELECT * FROM users WHERE username = '%s'" % username
cursor.execute(query)
```

This bug report provides a clear summary of the issue, steps to reproduce it, and a code snippet to help the maintainers understand the problem.
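The snippet in the bug report interpolates the username into the SQL text. As an added example that is not part of the original post, here is that pattern beside the parameterized fix a maintainer would apply, run against a constructed in-memory SQLite table (names and data are made up) so the difference in behaviour can be checked directly:

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The pattern from the bug report: user input becomes part of the SQL
    text, so a quote in the input changes the structure of the statement."""
    query = (
        "SELECT username FROM users WHERE username = '%s' ORDER BY id" % username
    )
    return [row[0] for row in conn.execute(query)]


def lookup_fixed(conn, username):
    """Parameterized query: the driver binds the value separately from the
    SQL text, so the input is always treated as a string literal."""
    query = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    db = make_db()
    # A normal name behaves the same either way; a quoted input does not
    for name in ("alice", "' OR '1'='1"):
        print(
            repr(name),
            "vulnerable:", lookup_vulnerable(db, name),
            "fixed:", lookup_fixed(db, name),
        )
```

The formatted query returns every row for the quoted input because the input rewrote the WHERE clause, while the parameterized query returns nothing because no username equals that literal string.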

## Tips and Tricks
To become a successful bug bounty hunter, you need to be persistent, patient, and thorough. Here are some tips and tricks to help you get started:

*   Start with small projects and work your way up to larger ones
*   Use a variety of tools and techniques to find bugs
*   Read the project's documentation and contributing guidelines carefully
*   Test your findings thoroughly before reporting them
*   Be respectful and professional when interacting with project maintainers

## Conclusion and Next Steps
Earning $2000 by fixing GitHub issues has been an incredible experience, and I'm excited to continue bug bounty hunting in the future. If you're interested in getting started with bug bounty hunting, I encourage you to explore GitHub's Bug Bounty program and start looking for projects to work on. Remember to be persistent, patient, and thorough, and don't be afraid to reach out to project maintainers with questions or concerns. With practice and dedication, you can become a successful bug bounty hunter and earn rewards for your efforts. So what are you waiting for? Start your bug bounty hunting journey today and see where it takes you!
