Bounty Progress - January/February 2019

I have a few goals for my bug bounty work in 2019:

Obviously on this last point I’ve failed so far, so this first blog will cover the first two months of the year. I’ll update this one with any further bugs I find.

Additionally, I’m going to list bugs that were discovered in 2018 but weren’t paid until this year, because … $50k is a lot of money, and I need the help!

Goal Health

Current total earnings for the year: $9862

This is 19.7% of my goal for the year. By the end of February I should be at $8333 to be on track, putting me $1529 ahead as of 2019-02-25.

Bugs

Plan and Concerns

I’m going to spend 1-2 hours every weekday and 3-4 hours each day of the weekend on focused bounty hunting.

My strategy until now has been purely looking at private programs, spending a few hours looking at a given program and then ‘recycling’ the invitation to get another. Frankly, I don’t know if this is sustainable and I’m not super happy with this strategy. HackerOne has many programs, but I don’t know how many there are that I’m interested in and able to effectively test, and I know I’m leaving a lot on the table by so rapidly burning through invitations.

Should I be looking at public programs? I’ve done a bit of bounty hunting on them – I found a nice critical in November on a public program – but frankly I have found them to be fairly hardened and that they don’t pay enough to make it interesting, for the most part. Given my focus on high/critical bugs, maybe public programs wouldn’t be a bad route; I’m sure plenty of hackers have pored over them for XSS/CSRF, but there are probably some deeper, more critical bugs still to find.

I’m definitely concerned about hitting my goals, but I’m currently a bit unsure of how to best tweak my approach. I may just pick a few test cases with different approaches and see which pays off the most, with the least time used.

Happy Hacking,

- Daeken
