Looking back at the past 4 months
Table of Contents
I find it hard to write a good introduction or conclusion. It’s been a while since I made a blog post. While I tweet about various things often, I find it hard to write anything structured.
Some numbers
Since the start of the year, I have reported :
| Platform | Overall submissions | Accepted / Paid | Pending | Duplicate | Rejected / Invalid | Overall Bounty |
|---|---|---|---|---|---|---|
| Yeswehack | 10 | 10 | 0 | 0 | 0 | ~$15k |
| Intigriti | 37 | 35 | 1 | 1 | 0 | ~$14k |
| Bugcrowd | 23 | 15 | 4 | 4(got paid for 1 ) | 0 | ~$14k |
| Hackerone | 3 | 3 | 0 | 0 | 0 | ~$12k |
| GoBugFree | 3 | 1 | 0 | 2 | 0 | ~$2k |
To add to this I also made some money from self-hosted programs as well as some payouts came in for old reports.
I’ve roughly got $60.000 in bounties the first 4 months of hunting this year. I’ve also been working my daytime job 20-30 hours a week so I can’t say I have been doing full-time bug bounty yet.
A few things that stand out
Most of my reports on Intigriti have been to a few specific programs which aren’t paying super well so I think that’s why the bounty per report is on the low end – roughly $400 per report.
I haven’t been hunting as much as last year on Yeswehack. I’ll likely spend more time on Yeswehack and try to climb up the rankings again later this summer. I have however had quite high bounty per report.
Comparing the platforms
Having hunted a bit on all platforms, here are my opinions on them so far.
Yeswehack
Pros :
You often get to interact with the program triagers directly, rather than platform, which makes it a much smoother process to get bugs triaged. I don’t have to write a report with 100 steps. You also know if they say something is accepted risk, it actually is for them. Overall, most stress-free triage experience.
Usually extremely fast triage
Regular invites after a few valid bugs
Less competition than other platforms.
I was invited to a LHE in Paris and got awesome merch and met awesome people
Cons:
The average program definitely pays less than other platforms (Especially US based platforms)
Not many programs with big scopes or big applications
Intigriti
Pros :
Also very smooth triage experience generally. Despite the fact that the reports have to go through both the platform and then program triagers, it’s almost as smooth as Yeswehack. Triagers are friendly, and when they can’t validate a bug I have reported, e.g. they can’t make an account without having X, I’ll send a POC video and they’ll triage the bug based on that and let the program decide which I really like.
Most submissions get validated within 2 days by Intigriti
Regular invites after a few valid bugs
Intigriti’s fast lane is something every platform should have.
Huge catalog of applications, a lot of Swedish companies, and generally applications with a lot of functionality and big scope.
I really like how the website looks. It’s just got very sleek design.
Programs get updates quite often.
Cons :
- Generally harder than Yeswehack to get bugs through with high severity. Here is an example:
I always turn reflected/DOM XSS into a 1-click ATO or something similar. Reflected XSS is something that always gets marked as medium by Intigriti’s triagers no matter what impact you show. So I have to convince the program to increase the severity to high. I’ve usually managed that, but some programs just go along with whatever decision the platform makes. So as someone who reports mainly client-side bugs it’s a bit frustrating, especially considering a lot of programs pay 3 to 5 times more for a high.
- Most programs have big ranges both between different severity ratings (medium to high can be a jump of 5x) as well within the same severity range, and add to the additional “exceptional” severity, and it becomes very easy for the programs to underpay a bug. I think generally Intigriti programs have many ways to keep their costs down – automatically (I think?) suspending the program after X reports, huge ranges, which means it’s harder for the hunter. Good for the companies using Intigriti, but bad for me.
Hackerone
I haven’t reported enough to formulate an opinion about Hackerone but I’ve found it noteworthy that 3 valid bugs this year (admittedly 2 crits) got me over 50 invites. And they have the highest paying programs.
Bugcrowd
Pros:
A lot of big companies have programs on Bugcrowd and they generally pay very handsomely.
The programs have been extremely friendly as well. I’ve never received as many nice and friendly words from programs anywhere else. I’ve sent reports to 3 programs, all 3 have given me quite nice bonuses and also been quick to triage.
More mature and older platform, so there is a quite responsive support and a number of ways for hackers to get help.
I really like the idea of “Joinable” programs. I think they should have even higher requirements though, such as amount of bounty earned :P
Cons:
- By far, my least favorite platform triage experience which really sours my experience on the platform. As you can see in the table, I haven’t submitted any invalid bugs, so I’m happy with the overall result, but I’ve generally found it extremely stressful, time-consuming and frustrating to get bugs triaged on Bugcrowd. Here are a few examples of what has gone wrong :
I report a CSRF and provide a link in the report. Triager straight up doesn’t read the report and asks “Can you please provide us with a URL or .html file that we can use to trigger the CSRF?”. It’s literally in the report. This happened twice.
I report a stored XSS that is triggered by clicking a link with Ctrl/CMD + click or middle click of the mouse. The fact this interaction is required is mentioned exactly 6 times in the report. Triager 1 just clicks instead of doing the CTRL/CMD and click and says that a new window was opened. I reply and explain again, and a day later, triager 1 replies back – he has managed to get the XSS working but wants to test creating the payload himself – fair enough. I reply with a POC video showing the steps in the mobile application. Triager 2 comes in now, and gets stuck saying the XSS didn’t pop. He too, made the mistake of clicking instead of CTRL/CMD + clicking. It didn’t end there but you get the point. It shouldn’t take 2 weeks to get a simple stored XSS triaged.
Every back and forth delays the triage by a day or two.
Generally I feel like either the program/invite pool is much smaller than both Intigriti and Yeswehack or it’s significantly harder to get invites. I’ve started to get some invites in the past week, but definitely not as many as I would be getting on the other platforms for the same number of valid bugs.
I don’t know how to describe it and maybe it’s just me seeing things, but likely because it’s a much larger platform, and one that gets a lot of noise, I get a feeling of distance to the platform and the programs. It’s hard to describe what I mean. It’s just not as homely as Intigriti or Yeswehack to me so far.
LHE in Paris
This deserves its own post and it’s gonna come sometime soon, but here’s a summary.
I was in my first Live Hacking Event in Paris with Yeswehack. I got 1 of the 6 awards – “Best Dressed Bug” for the bug with the highest impact. It was a super fun event, and I enjoyed spending time in Paris hacking LV from their headquarters. Yeswehack’s staff was extremely friendly.
My goal is to get invited to Yeswehack’s LHE next year as well, so I’ll need to do some more hacking and climb the rankings. I’m currently sitting at #46 place on the overall leaderboard.
I’m hoping to score another LHE invite this year. We’ll see.
Doing full-time bug bounty
I’ll be doing bug bounty full-time starting July. Ever since my first month of doing bug bounty, I’ve managed to make enough that it doesn’t feel like a decision I should be worried about. Perhaps it’s not the right decision for my career but it’s likely the right decision financially and for my growth as a person. Doing bug bounty full-time will hopefully give me more control over my time so I can spend more time with family, travel, go back to the gym. Perhaps I can quit being a workaholic. Working a daytime job and then doing bug bounty in the evenings – even writing this blog post 3 am at night, isn’t healthy and I know it. I’m still 25 years old so I manage but I don’t think I could do this much longer. Not at the capacity I currently do.
Hopefully I’ll also have more time to do research on topics I find interesting and publish other research I’ve done in the past that I never had a chance to.
Conclusion
In conclusion, it’s been good 4 months. I got 3-4 new CVEs, found a big zero-day (which yielded a big bounty from Yahoo), participated and won an award at my first LHE, and I (slightly - by 20%) outperformed the bounty goal I’d set for myself. I’ve been hunting more on platforms other than Yeswehack which I think was necessary for my growth.