
Stop your bug bounty journey (for a while)

Introduction

Hello everyone, hope you are doing great. I’m Neh Patel, aka THECYBERNEH: a security researcher, a NOOB, and a learner, just like you guys.

A little about my infosec journey…

I have been recognized as Microsoft’s Most Valuable Security Researcher globally, currently holding the prestigious rank of 82. I have also achieved the 23rd position in Microsoft’s Top Security Researchers globally (2022 Q3). My contributions have been recognized with accolades in the Hall of Fame of major tech giants, including Google, Apple, and Microsoft.

Some of you may recognize me from my previous post, $6000 with Microsoft Hall of Fame | Microsoft Firewall Bypass | CRLF to XSS | Microsoft Bug Bounty, where I shared insights on a Microsoft firewall bypass and CRLF to XSS. For those who are not acquainted with my blog, you might know me through my Twitter handle (even though I’m not a famous or popular personality, lol).

This time, this is not a post about some writeup and all; this is going to be a different type of post.

A lot of people are going to hate this post, but I really want to share a few things with you guys.

The post is for people who are beginners in bug bounty or who are thinking about getting into bug bounty. One more thing: Ashutosh Dutta’s LinkedIn post is the inspiration behind this blog, and I added a lot of words from his post. I extend my gratitude to him for providing valuable thoughts.

Let’s start…

I often get DMs from individuals asking me how to get started in bug bounty. Mostly these individuals come from a non-security background and are beginners. There is absolutely no problem with wanting to do bug bounty, but fundamentally speaking, it is a small niche in cybersecurity, and simply jumping into the bug bounty space without knowing anything about cybersecurity is a huge problem.

People are attracted to the huge bounties that bug bounty hunters share on the internet. However, what they don’t seem to notice is the years of hard work a person has invested into hacking and into learning the various topics that revolve around hacking, which don’t necessarily help them earn a bounty directly.

If someone only wants to do bug bounty because they saw someone earn good money from it, it will be extremely difficult for them to earn from bug bounty at first, and then even if they manage to get a bounty, it will be really hard for them to sustain it, i.e., keep getting bounties. The reason is a lack of interest in the subject itself, i.e., hacking. The only thing the person was interested in from the start was getting paid huge. That’s a very wrong approach to begin with.

Bug bounty hunting is not a get-rich-quick scheme. It is extremely hard. If you are from a non-security background and really want to try bug bounty hunting/security research, first make up your mind that you will not be earning anything for at least a few years. Once you have realized this and still want to try it, begin by learning how to search for relevant information in cybersecurity on the internet, at least the basics. It is very confusing at the beginning, but if you really want to succeed in bug bounty in the future, you really need to have this skill.

During the learning phase, if your interest seems to fade away, then realize that cybersecurity (or bug bounty) is not for you. Learning never stops and is essential to thrive in this field. If, while learning the basic things, you seem to lose interest, then it will only be a waste of time for you to continue.

The Trap of Low-Hanging Fruits

Most of the time, people share good #bugbountytips as well as a lot of low-hanging fruits [and honestly, I also try this kind of stuff], but don’t fall into the trap of “only” low-hanging fruits. Again, there is nothing wrong with learning low-hanging fruits and trying to get an easy bounty with them, but in my infosec journey (which is not that big), I saw a lot of people “just” chasing those low-hanging fruits “only” (here the terms “just” and “only” play an essential role).

I saw a lot of people learn only low-hanging fruits like [“do step 1, then step 2, check results in step 3, boom… that’s the bug”]. A lot of people just try a few low-hanging fruits everywhere, sometimes even without learning about their impact, the reason behind the bug, or other important information. [Again, nothing wrong with low-hanging fruits or #bugbountytips; they always teach you new things, just try to understand the basics.]

Another important point that I want to make is about recon. I saw a lot of people chasing recon like anything, and there is nothing wrong with it: a good recon methodology and a good attack surface detection methodology always help you pull a bounty from your target, because they help you discover hidden parameters or endpoints that may never have been tested before. I also love recon.

Question: So Neh, what’s the problem here?

My Answer: WHAT TO DO AFTER RECON?

Running Nuclei on subdomains or some other automation tool, huh 🤔??

The Overlooked Aspect of Application Security

A good number of people are ignoring application security. I mean, you have to understand the application before blindly running your tools. A lot of people even report bugs (let’s say reflected XSS) that they get from Nuclei, and they don’t even know what is hosted on that particular site. Again, it’s totally OK if you want to follow such a methodology, but at the end of the day, if you want to find good bugs with great impact and all, you have to learn the basics.

Always follow good blogs about security research. I saw a lot of blogs that explain the root cause of a vulnerability with code snippets and all, and they will always help you understand a particular vulnerability in depth. For example, Assetnote has quality blogs about their findings: not only the exploitation, but they also explain the root cause, their methodology, and a lot of other stuff like post-exploitation.

Addressing Skepticism

Neh!! Stop for a while! Why should we take you and this blog seriously? You are not some senior person in bug bounty.

My Answer: Yeah, I mean, it depends on you. I shared a lot of stuff here from my and my friends’ experience, and I don’t want you guys to repeat the same mistakes as me. Also, I agree with you that I’m not some super pro senior in this field, but I just wanted to share this with you guys. Now, how you perceive and use this information is entirely up to you; you can just ignore this as any random internet blog.

Note: The purpose of this post is to spread awareness. Cybersecurity does offer crazy amounts of money to be earned, but to actually earn huge, we need to keep learning many complex topics frequently. This is not an easy task, especially for individuals who come to this field just for the money. Lack of interest in the subject can be a significant waste of time, and time is extremely valuable.

Also, I’m really sorry if I said something that is wrong or irrelevant. These are just my thoughts.

I hope this post reaches individuals who are eager to enter the world of bug bounties, with a focus on monetary rewards rather than a genuine interest in the hacking field.

In conclusion, I appreciate your time and attention in reading this blog. Your insights and perspectives are invaluable, and I welcome further discussions on this topic. Feel free to share your thoughts and engage in the conversation with me over on LinkedIn or Twitter.

Let’s continue this dialogue and explore new ideas together. Thank you once again for your interest and contribution. Looking forward to connecting with you online!

Also, if you’re interested, you can check out $6000 with Microsoft Hall of Fame | Microsoft Firewall Bypass | CRLF to XSS | Microsoft Bug Bounty.

Cheers!

This post is licensed under CC BY 4.0 by the author.