A Year of Hunting in Vulnerability Disclosure Programs (VDPs)

Lessons learnt from hunting in VDPs.

Vedant Roy

9/3/2023

Last year, I began exploring Bug Bounties with a clear path in mind. As a seasoned Pentester with over four years of experience, I had tried my hand at Bug Bounties (BB) several times in the early stages of my career. However, due to limited technical knowledge and a 9-to-5 job, I couldn’t devote much time to it.

Around the end of August 2022, I made a firm decision — I would either succeed or die trying.

I scoured Twitter for posts on selecting targets, conducting large-scale reconnaissance, frameworks, and how to get started. After extensive research, I realized that beginning with open Vulnerability Disclosure Programs (VDPs) not associated with any platform was preferable due to lower competition and easier bug detection. Starting with the NCIIPC RVDP, I progressed from there.

To date, here is a list of organizations where I successfully found and reported bugs:

  • NCIIPC

  • Dutch Government

  • United Nations

  • Nokia

  • Australian Government

  • GeeksforGeeks

  • Meesho

  • Vodafone

  • Zeotap

  • KPMG

Over the year, I learned several key lessons:

  1. The quality of open-source tools reflects their developers. Therefore, always examine the code, understand how it works, and then fork it to introduce your own modifications. The same applies to tool configuration (flags).

  2. Learning to code, or at least read and understand code, is crucial. Start with Bash scripting, then progress to Python or Golang. If Cross-Site Scripting (XSS) and JavaScript (JS) Analysis intrigue you, delve into JavaScript and HTML.

  3. Develop your own methodology for both automated and manual hunting, including initial reconnaissance. Focus on the attack vectors where you excel and continually refine your skills. Aim to be so proficient that you can identify vulnerabilities just by observing a specific request or web application flow. Also, explore open-source frameworks such as ReconFTW and Rengine for large-scale reconnaissance and hunting.

  4. Avoid scanning everything with tools like Nuclei. Since these tools are open-source and easily configurable, they are likely already in widespread use, including by the organizations themselves. Overuse leads to IP blocking, unnecessary traffic, and disappointment. Instead, develop your own scanning configurations/templates.

  5. Tool results are not always reliable or accurate: they often produce false positives, or miss major vulnerabilities because of incorrect output. Develop your own methods to verify these results and improve their reliability and accuracy.

  6. Invest time in deep research on attack vectors, application flows, and tools/techniques.

  7. Commit fully and be patient. The journey is challenging, but with persistence and constant focus, success is achievable.

In the next phase, I plan to focus on VDPs associated with platforms and build a reputation there. Part 2 of my journey will be released next year.