Diving into Bug Bounties

Posted at 2025-06-07 in Personal Tech

I've always used bug bounties as a way to safely "play around" with hacking skills. I made an account on HackerOne years ago, and I've only submitted a couple of "informational" reports. Over the years I'd randomly pick a website and use tools to mess with the requests and such. Things that never led to anything significant, but nonetheless wouldn't be considered appropriate for a site not in a bounty program.

This week, however, I've decided to take it seriously. I'd like to use it as a source of income, enough to be roughly a part-time job. I don't want to get rich off of it, I just want enough to have a little more wiggle room in the budget each month. I've been doing a little research on it. Now, I have the skills and knowledge to find bugs. I did it as a dev and I've done it in a cyber security context. I've reported vulnerabilities before, just never for money.

But while I'm not starting at ground zero, I could also tell that I was missing something. Since it had always been for fun, I'd usually just pick something at random to poke around. I realized that's not a good strategy for serious bug bounties. After reading around a bit I realized that effort needs to go into picking the target in the first place. A problem that I'd had in the past was knowing when to give up. If you're not making progress you have to give up at some point and move on to another target, but I felt I had no idea how to make that call.

But given what I've learned about picking the target in the first place, I think it's starting to make sense. If you know *why* you picked your target, you're more likely to know when to move on.

Find a target that complements your skills. Find one that is likely to have less competition. And check the metrics on the bounty program to make sure that company keeps their end of the deal. I made a list of 3-4 potential targets based on those factors. Then I started doing some recon. What does this company do? How old are they? What tech stack are they using? Things that you can usually find out without a lot of time spent digging deep.

Looking at the 3-4 I'd narrowed it down to, I realized that one of them sold a product that I already knew a lot about. It's something that I've used professionally and even built code around. Like, I've got several years' experience in the problem space. I also chose it because it includes a local app to be tested. Application testing (not web apps) is pretty tough, and has much less competition. It's also something my skills are well suited for. Admittedly, I've got a lot to learn in this area, but my background gives me a good understanding of how applications and their bugs work. In other words, I've never found or exploited a buffer overrun, but I understand what it is and how it works. Theoretically, I already have the knowledge I need to be able to find/exploit one.

All of this got me thinking about *why* there are so few application pentesters compared to web pentesters. My first thought was that it's because application testing is harder than web testing, but I quickly realized that's certainly not fair to the very talented web pentesters out there. What I really mean is that application testing takes more effort to get started in.

The tooling for web pentesting is pretty great these days. If you know how to install a program, you know enough to, at the very least, get started with web pentesting. Tools like Burp and ZAP let you type in a web address and click "scan". And sometimes that's enough to find something. Likewise, tools like Nmap/Zenmap let you put a server address in and test for hundreds of different vulnerabilities without the need to really understand any of them.

To put it simply: it takes little to no knowledge or effort to *attempt* to test a website. That doesn't mean that person will be good at it, but it does mean that the playing field is more crowded.

Application pentesting is a whole other world though. While people who have never made a website can start a web scan, it is in no way feasible for someone who's never written an application to pentest one. There is no universal tool with a simple scan button that finds vulnerabilities for you. Just getting set up and ready to test the application took me about 8 hours of effort. I installed no less than six separate tools and created both Windows and Android emulators. That was enough to get me started testing, but there's still more work to be done for some of the testing/analysis I want to do. Root certs to be installed, proxies set up, more VMs, and probably more debuggers. I've spent days looking at disassembled code, reading log files, reading documentation and taking notes.

Even with my computer science degree, my experience as a developer, and my time in cyber security, I still feel a bit out of my depth. I have the knowledge I need, but I lack the experience for this specific task. But as is often the case, with greater work comes greater reward. These difficult-to-find bugs are often critical bugs, which have the highest payout.

All this makes me feel like I have a better idea of when to switch targets. If you know what you're good at, and you know what you're capable of, you'll know when to switch. When you've hit nothing but dead ends and you feel that you don't know any more paths to explore, move on to another target. I know that with this application I'm going to spend a lot more time than I necessarily would on a web app. Heck, just the setup alone took a long time. But the idea of digging deep into one thing, instead of surface scanning many things, really appeals to me. Maybe it's less profitable, I don't really know, but for now I feel like it's the right path for me.

Hopefully bug bounties will pan out for me. It works so perfectly for my life circumstances that it would be fantastic if it allowed me to accomplish the financial goals that I have in mind. But only time will tell.


I'll post updates as I progress, but that's all for now!