HOW TO GENERATE INCOME AS A STUDENT IN BUG BOUNTY HUNTING?
written by Dharmesh Thorgavankar on 09/08/21
Table of Contents
What is Bug Bounty
Bug Bounty Listings
Bug Bounty Platforms
Responsible Disclosures
Recent Reports
There are various ways to generate income as a student. However, at the entry level of cybersecurity, students can start generating income through Bug Bounty Hunting.
What Is Bug Bounty Hunting?
- Bug Bounty Hunting is also known as a VRP (Vulnerability Rewards Program): a crowdsourcing initiative that rewards individuals for discovering and reporting bugs or leaks in the software being tested.
- Many enterprises and website owners run such programs, paying rewards to security researchers and ethical hackers who report exploitable vulnerabilities in software applications, websites and web applications.
- The security teams at major companies don’t have enough time or manpower to squash all the bugs they have, so they reach out to private contractors for help.
- Major tech companies like Google, Microsoft, Facebook & Yahoo! have bug bounty programs. These programs technically allow the developers to discover and resolve bugs way before the general public is aware of them.
- Basically, you use your tools to break things (or break into things), write up a vulnerability report to the company that’s issued the bounty, then get paid. Some hackers make tens of thousands of dollars a year on the side just by hunting bugs.
Find Bug Bounty Listings and Go Hunting
- Once you’re armed with knowledge and the right tools, you’re ready to look for some bugs to squash. Companies will often have a link somewhere on their website offering bug bounties, but they can be hard to find.
- You’re better off checking a bounty board where hackers read publicly disclosed vulnerability reports and update an active list daily.
Some of the Bug Bounty Platforms are:
1. Bugcrowd:
Bugcrowd’s objective is to detect vulnerabilities that can violate its fundamental security/trust model. For example, an escalation of privilege from an unauthenticated user to an admin, or access to vulnerability data, would be considered.
Bugcrowd uses a number of third-party providers and services. Its bug bounty program does not give you permission to perform security testing on those third-party systems.
Vulnerabilities in third-party systems will be assessed case by case and most likely will not be eligible for rewards.
2. HackerOne:
Based in California, this company deals with vulnerability disclosure programs. It established a bug bounty platform that connects security researchers with businesses.
By 2015 the company had identified approximately 10,000 bugs and paid hackers over $3 million. In 2016 HackerOne’s bug bounty platform was used by the Pentagon for its Hack the Pentagon program.
3. Yes We Hack
YesWeHack is a Bug Bounty and VDP (Vulnerability Disclosure Program) platform that helps you detect, fix and secure the vulnerabilities in your applications.
They have more than 400 programs across 175 countries.
YesWeHack’s bug bounty platform complies with the strictest European standards and regulations to protect the interests of its customers and hunters.
4. Synack
It is a bug bounty platform in California that offers penetration testing and crowd security intelligence. They provide bug bounty programs and crowd security intelligence for vulnerability management.
The main thing to know about bug bounty:
Responsible Disclosures
- Responsible Disclosure is a computer security term that describes a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before the details are published.
- Developers of hardware and software often require time and resources to repair their mistakes.
- The security community has a social responsibility to make the public aware of high-impact vulnerabilities, but disclosing these problems before a fix exists could leave users exposed. The agreed waiting period is meant to avoid that damage.
- Depending on the potential impact of the vulnerability on the system, the expected duration needed for an emergency repair is decided. This period may vary between a few days and several months.
- It is easier to patch software by using the Internet as a distribution channel. Many reputed companies like Paytm, Microsoft and Google have responsible disclosure schemes.
Recent Reports Of Bug Bounty
1. An Indian boy named Mayur Fartade from Solapur, Maharashtra, with skills in C++ and Python, was able to find a flaw that allowed attackers to access targeted media on Instagram. In appreciation of his work, Facebook awarded him Rs 22 lakh for discovering bugs on Instagram.
2. An Indian girl named Aditi Singh from Delhi took an interest in ethical hacking while preparing for the medical entrance exam, NEET. Aditi is a self-taught cybersecurity analyst and ethical hacker. Aditi detected a bug in the Azure cloud system and received a bounty of $30,000 (roughly over Rs 22 lakh). According to a news report, Aditi had found a similar bug in Facebook two months earlier and won a bounty of $7,500 (over Rs 5.5 lakh).