Doing bug bounty full-time
July 3rd was my last day at work. I’m officially a full-time bug bounty hunter. People who know me know it was in the making for a while.
Jumping right into doing full-time bug bounty after not having done any bug bounty for 5 weeks was rough at the start. I had to get back to targets that I felt comfortable hacking so that I’d be sure I’d find something. But slowly I did get into small but newer targets.
Recap of the month
I reported 35 bugs across 4 different platforms this month. A few were duplicates, 1 was out of scope and 5 are still under review. A few of these were also collabs.
I made roughly $24700. A small part of that was from old bugs (I had 2-3 under review from June) but the bulk of it was from bugs found and reported in July. I still have 5 small bugs under review but I don’t expect too much from them as they are mediums on programs that don’t pay too well for mediums. So I’d estimate another $1000-$2000 from those coming in during August.
The month started off slow and I think I had my focus on the wrong targets at the start. It also took a few days for me to find the right work schedule. I’m more than happy with how much I made though, and going forward I’ll try to match it when I’m not on vacation.
Rant about XSS and client-side bugs
Anything I say here is my own opinion and I’m sure there’ll be those who won’t agree.
I’m a strong believer in the fact that bugs should be rated according to their impact, and not put into a severity bucket based on the bug class. If I show several ways to hijack accounts from any domain under *.victim.com with an XSS, I expect to be paid according to the impact - 1-click account takeover which I see as high. This has generally not been a problem for me on Yeswehack, Bugcrowd, and other platforms. I can’t say the same for Intigriti.
I reported 4-5 XSS with different ATO gadgets that were triaged as a medium by Intigriti’s triage team. Intigriti has its own contextual CVSS score, so XSS doesn’t get ‘scope: changed’ (whatever, it’s not important) but they also set both integrity and confidentiality to low no matter the impact. One of the companies I reported bugs to is by design vulnerable to account takeover on all other subdomains (they have 4-5 different applications with different customers running) if there’s an XSS on one subdomain. And this is a design choice they aren’t going to change anytime soon. The truth is though, even without gadgets like that, it doesn’t even matter. XSS is session hijacking by default, and often even credential stealing, as a lot of people these days store their passwords in the browser’s password manager or a third-party one. And I can’t ever accept a 1-click session hijacking, account takeover, or credential stealing being rated as a medium. I’d never do it on a pentest, I’m never going to do it in bug bounty. And these are just a few of the things you can do with an XSS.
People seem to have very unrealistic ideas about how difficult it is to get a click from a victim (PSST, it’s not at all hard), especially in applications that have social media components such as forums, messages, and so on.
And to add to that, if I can store an XSS payload with an ATO gadget on one of the most used parts of the website, or on other users’ profiles and so on, where every user would visit daily, this is 0-click ATO for me and I’d rate that as a critical.
So to recap, every DOM or reflected XSS gets medium severity on Intigriti, regardless of its impact, and most companies just accept and pay whatever Intigriti puts as the severity. To add to that, the average program generally has a huge difference in how much they pay for a medium and a high. I think this is a lot more noticeable on Intigriti and Yeswehack; there can be as large as a 5x-10x gap.
And this means that on these 2 platforms, there are a lot of programs that would be paying €150-€250 for a medium, while a high would be €1000+. If it takes me a few hours to find an XSS and write a report on it, with an account takeover chain, I’m pretty much losing money from looking for it and writing that report for €150. I’d be reporting if it got triaged as a high, but most programs don’t pay well enough for a medium-severity bug, and it’s also against my principles for a 1-click ATO to be rated as a medium, no matter what the underlying cause is - CSRF, XSS, or some CORS misconfiguration. I think it’s a step in the wrong direction and something that’s gonna hurt hackers a lot in the long run by setting a precedent.
Intigriti’s appeal to me has been that it has really interesting programs with a really good scope, a lot of nice SaaS platforms, and generally big applications with a lot to test. But I’ve realized, as someone who does fully manual bug hunting and spends a lot of time reading JavaScript looking for client-side gadgets and bugs, it’s just not worth my time to report any client-side bug on there, so I’ll be hunting there a lot less.
Some positive notes
Just for comparison, in July I received €1500 for an ATO (by adding another admin user to the organization) through reflected XSS on a Yeswehack program. The program had a maximum reward of €1500 for the high-severity grid.
On Bugcrowd, I reported two separate ATO chains with a self-XSS + login CSRF combo, which were triaged as high (P2) by Bugcrowd’s triage and resulted in bounties of $2150 and $2000, respectively. I also received some super encouraging words from Bugcrowd’s triagers.
Getting bugs triaged was a lot smoother on Bugcrowd in July. There was one bug that was hard for the triagers to reproduce, and I knew going in it was going to be hard. It was a bug that depended on where the attacker and victim users were indexed in the database, as every attacker could on average attack half of all the other users. So you might have needed to try with several user combinations, which I’d noted in my report already. But it still took a lot of back and forth. I think although the triage process can be difficult, especially coming from Yeswehack and Intigriti, the amount of respect and kind words I’ve got from programs who seem to value my time and appreciate the effort I put in has easily made it the main platform I want to hunt on.
So going forward, I’ll probably have Bugcrowd as the main platform where I hunt for meatier programs with higher payouts, and Yeswehack and another smaller platform that I hunt on (I’d mention it by name, but I don’t want more competition on there :P) for fresh invites and smaller programs. While I find it fun to hunt on Intigriti programs, I’ll probably be hunting on there a lot less considering the above rant. For low-competition programs, I’ve already got other platforms to hunt on, and for high-competition ones, I can just hunt on Bugcrowd (and perhaps Hackerone if I get into any of their programs) for significantly higher bounties, and on average 5-15 times as high bounties for a client-side bug chain.
Other highlights of the month
I met with a friend, Emil, who’s also on the same CTF team. We did some hacking together and found some really nice bugs. Later in the month I also met monke (Ciarán Cotter). It was really fun hanging out, getting some food and hacking together.
I found a 0-day (open redirect) on a big identity server provider that was used by at least 3-4 bug bounty programs. I reported it to the program I found it on and to the vendor, who promptly fixed it and thanked me. I got a small bounty from the program I reported it to.
I wrote a few cool 1-click account takeover exploits by chaining self-XSS, login CSRF, and other gadgets on the website.
I found several high-severity vulnerabilities (2 SSRFs among other things) in a rather popular framework/tool accidentally. I haven’t reported this one to the vendor yet, and I’ll probably do a bigger blog post on it after I do.
I started setting up my own automation with my own tools. I’ve made really good progress, and it’s helped me find a few bugs already, and reminded me how much I love to code and build.
Conclusion
To sum it up, I think it was a great first month for me. I definitely made more than I was aiming for, and now have a much better idea of where and how I want to hunt than I did going into the month.