Bounty Progress - January/February 2019
I have a few goals for my bug bounty work in 2019:
- $50k in total bounties/bonuses
- At least one $5k bounty (for reference, current best is $4802)
- At least half my reports rated high/critical (CVSS 7+)
- Blog about my progress monthly, with a continuously updated entry for each month
Obviously on this last point I’ve failed so far, so this first blog will cover the first two months of the year. I’ll update this one with any further bugs I find.
Additionally, I’m going to list bugs that were discovered in 2018 but weren’t paid until this year, because … $50k is a lot of money, and I need the help!
Goal Health
Current total earnings for the year: $9862
This is 19.7% of my goal for the year. By the end of February I should be at $8333 to be on track, putting me $1529 ahead as of 2019-02-25.
- HIGH Discovered 2018-11-24, Paid 2019-01-02 by private – $3362
- CRITICAL Discovered 2018-11-29, Paid 2019-01-27 by private – $1000 ($3000 bounty, shared with two other researchers)
- CRITICAL Discovered 2019-02-17, Paid 2019-02-18 by private – $3500
- MEDIUM Discovered 2019-02-20, Paid 2019-02-25 by private – $2000
Plan and Concerns
I’m going to spend 1-2 hours every weekday and 3-4 hours each day of the weekend on focused bounty hunting.
My strategy until now has been purely looking at private programs, spending a few hours looking at a given program and then ‘recycling’ the invitation to get another. Frankly, I don’t know if this is sustainable and I’m not super happy with this strategy. HackerOne has many programs, but I don’t know how many there are that I’m interested in and able to effectively test, and I know I’m leaving a lot on the table by so rapidly burning through invitations.
Should I be looking at public programs? I’ve done a bit of bounty hunting on them – I found a nice critical in November on a public program – but frankly I have found them to be fairly hardened and that they don’t pay enough to make it interesting, for the most part. Given my focus on high/critical bugs, maybe public programs wouldn’t be a bad route; I’m sure plenty of hackers have pored over them for XSS/CSRF, but there are probably some deeper, more critical bugs still to find.
I’m definitely concerned about hitting my goals, but I’m currently a bit unsure of how to best tweak my approach. I may just pick a few test cases with different approaches and see which pays off the most, with the least time used.