Previous Bug Bounty Experience

I had tried bug bounty earlier in the year – around January – on Hackerone for a bit, gotten discouraged by getting duplicates, then reported a few bugs (2 critical severity bugs among others) on GoBugFree, which paid handsomely and gave me some motivation. I didn’t have much time for trying Bug Bounty again until March, at which point I did a trial run of 3 weeks on YesWeHack and reported 22 bugs while I was working full time.

I don’t consider either of these my first month of Bug Bounty, however, as I didn’t do it for a full month or have full focus on Bug Bounty up until last month, August of 2023.

August of 2023

I would like to summarize the findings and outcomes of the month here.

During August, I reported 58 bugs, 44 of these on YesWeHack, 13 on GoBugFree and 1 on a private, self-hosted program that I will not name.

Out of those, so far 21 have been accepted and rewarded, 10 rejected (mostly duplicates, 1 RTFS, and 2 closed as Informative) and 27 are still under review. I expect 80%-90% of those under review to be accepted.

The bugs

The biggest bounty of the month

The biggest bounty I received was a €4000 bounty that was split between me and my collaborator on the report. It was a critical IDOR with a CVSS of 9.9/10.

Favorite bug of the month

My favorite bug, which I received a 10 CVSS score for and a bounty of €1400, was a stored XSS where not only did I have to bypass a WAF with a custom payload – it helps to have worked as a JavaScript developer before – but I also had only 100 characters to work with for the whole exploit. It proved a very fun CTF-like challenge to show impact to get that bounty for the critical vulnerability. I categorically never report an XSS with a single alert. It just isn’t fun unless I show some cool exploit, even if it might make me lose the bounty because someone else reported it faster with just an alert().

The session cookie was HttpOnly, and there wasn’t much more than 1 small GET request I could do with 100 characters, especially considering how many characters were wasted on the WAF bypass. While I couldn’t steal the session cookie, I realized that when a user integrates the application in question with another one of this company’s applications, the created token is stored in localStorage, which, unluckily, had a name that was 12-13 characters long. Thanks to owning a pretty short domain (6 characters; I know there are 3 character domains and I will get to setting one up soon™) I could still exfiltrate the token and achieve complete control of the sibling application, as this token had full read/write rights. Due to this interesting pivot of exploiting the connection between the 2 applications, I also got the Scope Changed in the CVSS. FYI, I absolutely hate CVSS scoring and how companies don’t consider anything other than CVSS when giving out bounties, when business impact should be considered just as much and should be able to BOTH lower and increase the severity and bounties.

The delivery mechanism of this XSS (there is stored, and then there is stored) made it even more critical. It would essentially be seen by all users.

The strangest bug of the month

It wasn’t the bug itself that was strange but the fact that no one had POC-ed something so trivial before. It was a CORS misconfiguration, where the CORS allowed origins that were like *victim.com*, so it only checked if the domain victim.com was part of the origin. I quickly spawned a new VPS and hosted an account takeover exploit (which was also extremely fun to code, and very specific to the application in question, but I can’t reveal any specifics) at victim.com.attacker.com and sent the report. To my surprise, and why I consider this the strangest bug of the month, this had apparently been reported several times before, but not been awarded as no one had done a POC and shown impact before.
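The origin check described above, placed side by side with a hardened version, as an added example that is not from the post or the affected application (ALLOWED_ORIGINS, the function names and the sample origins are constructed assumptions):

```javascript
// Added example, not the author's code. Assumed names: ALLOWED_ORIGINS,
// weakOriginCheck, strictOriginCheck, corsHeaders.
const ALLOWED_ORIGINS = new Set([
  'https://victim.com',
  'https://app.victim.com',
]);

// The broken check from the post: "is victim.com anywhere in the Origin?"
// This behaves like a *victim.com* pattern, so victim.com.attacker.com passes.
function weakOriginCheck(origin) {
  return typeof origin === 'string' && origin.includes('victim.com');
}

// Hardened check: parse the Origin header and compare the full scheme+host
// (+port) against an explicit allowlist. No substring or regex matching.
function strictOriginCheck(origin) {
  if (typeof origin !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // malformed origin or the literal "null" origin
  }
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Build the CORS response headers for a request. Credentials are only
// reflected together with an exact, allowlisted Access-Control-Allow-Origin.
function corsHeaders(origin, check) {
  if (!check(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Constructed sample origins, including the lookalike host from the post.
const SAMPLES = [
  'https://victim.com',
  'https://app.victim.com',
  'https://victim.com.attacker.com',
  'https://evil.com/?x=victim.com',
  'null',
];

for (const o of SAMPLES) {
  console.log(o.padEnd(34), 'weak:', weakOriginCheck(o), 'strict:', strictOriginCheck(o));
}
```

Detection tip: an Origin value that contains the expected domain but whose parsed `.origin` is not on the allowlist is exactly the request this misconfiguration lets through, so logging that mismatch on the server side surfaces both probing and the bug itself.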

Life and looking back at the month

This month of bug bounty has helped cure a bit of my imposter syndrome, as I ended up reporting a lot more bugs than I expected, a lot of them in programs that have been up for years and gone unnoticed. I tried to grow out of my comfort zone and look for new classes of bugs that I usually don’t look for, and stuff based on either my own research or others’. I ended up in 5th place on YesWeHack’s leaderboard for the month of August.

I achieved this while having the worst week of my life due to certain family issues and being awake for more than 100 hours at one point in August.

It has always been a hard decision to get into bug bounty for me. I heard a lot of people say it isn’t worth it, and you’ll get sick because of the duplicates, and while I think there are some annoying parts, it is an amazing way to grow as a security researcher if you try to. I had heard that bug bounty is very risky and you shouldn’t quit your full-time job to do it, and how it would take close to a year before you made enough money to make a living; I have so far not found that to be the case. Maybe that has to do with the targets I look at, or my methodology, which I might detail in a later post.

For now though, I am looking at September with hopeful eyes. I am extremely confident of getting into the top 100 on YesWeHack in September, but hopefully top 75, and top 30 before the end of the year.