This is the second part of our series on bug bounty etiquette. Part one looks at what you should be doing.
Last month we talked about bug bounty etiquette and how to be a good bug bounty hunter; not in the sense of finding more bugs, but rather in how to be the kind of bug bounty hunter people want to work with. This time, we have some advice about what NOT to do while bug bounty hunting. Let's get started.
- Don’t go all out
- Don’t ignore the rules
- Don’t report unnecessary stuff
- Don’t spam the Company/Beg for a reward
Don't go all out
Something I didn't learn until I was well into adulthood: cooking on higher heat doesn't cook the food faster, it just burns it. The same is true of hacking; you can't throw everything you've got at a system and expect it to be fine with that. For one thing, it's a great way to set off an IDS and light up every alert the company's defenders have, and tripping every alarm at once is not how a real intruder, or a realistic test, behaves. For another, a sudden flood of traffic is bad for the system itself and can cause an unintended denial of service (which, look, I know would take a lot for most modern systems, but we all know there's a non-zero chance of it happening).
It would take a lot, but you don't want to inadvertently overload the system or slow it down for everyone else. It's also important to test realistically: a real intruder doesn't want to be caught either, so they take their time. After all, they have all the time in the world to get in; they'll sneak around for months before doing anything. So it makes no sense for you to have seven machines, each running nmap three times and Nuclei four times, and each one powering a laser that is slowly drilling a hole toward the molten core of the earth.
Take your time and make sure you're doing everything correctly. Document everything, as you go, in a system you can still understand later; it saves you time when you write the report. And when you take your time, you tend to do better. Don't cook on high heat, y'all.
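To make "don't go all out" concrete, here is an added example (mine, not the author's code): a small Python pacer that caps requests with a token bucket, backs off when the target answers 429 or 503, and logs every request so the notes write themselves. The `TokenBucket`, `PacedProber` and `FakeClock` names are my own; the "server" is a constructed stand-in that answers 429 once it sees more than three hits in a second, and the clock is simulated so the demo runs instantly instead of sleeping.

```python
"""Paced probing: a token bucket caps the request rate, 429/503 answers trigger
backoff, and every request is logged. Added example, not the post's own code."""
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

BACKOFF_STATUSES = {429, 503}  # "slow down", not "the probe failed"


class TokenBucket:
    """At most `rate` requests per second, bursts of at most `burst`.
    clock/sleep are injectable so the pacing can run without real waiting."""

    def __init__(self, rate: float, burst: int,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep):
        self.rate, self.burst = rate, burst
        self.clock, self.sleep = clock, sleep
        self.tokens = float(burst)
        self.last = clock()

    def acquire(self) -> float:
        """Block until a request is allowed; return how long we waited."""
        now = self.clock()
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        waited = 0.0
        if self.tokens < 1.0:
            waited = (1.0 - self.tokens) / self.rate
            self.sleep(waited)
            self.last = self.clock()
            self.tokens = 1.0
        self.tokens -= 1.0
        return waited


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


@dataclass
class LogEntry:
    t: float        # when the request went out
    target: str
    attempt: int
    status: int
    waited: float   # seconds spent waiting on the bucket before this request


class PacedProber:
    """One request per target through the bucket, backing off when told to."""

    def __init__(self, send: Callable[[str], Response], bucket: TokenBucket,
                 max_retries: int = 4, base_backoff: float = 2.0, max_backoff: float = 60.0):
        self.send, self.bucket = send, bucket
        self.max_retries, self.base_backoff, self.max_backoff = max_retries, base_backoff, max_backoff
        self.log: list[LogEntry] = []

    def probe(self, target: str) -> Optional[Response]:
        for attempt in range(self.max_retries + 1):
            waited = self.bucket.acquire()
            resp = self.send(target)
            self.log.append(LogEntry(self.bucket.clock(), target, attempt, resp.status, waited))
            if resp.status not in BACKOFF_STATUSES:
                return resp
            # Honor Retry-After when it is a plain number of seconds; otherwise
            # back off exponentially, capped at max_backoff.
            retry_after = resp.headers.get("Retry-After", "")
            delay = float(retry_after) if retry_after.isdigit() else min(
                self.max_backoff, self.base_backoff * 2 ** attempt)
            self.bucket.sleep(delay)
        return None  # gave up on this target; the log shows why


class FakeClock:
    """Simulated time so the demo runs instantly: sleep() just advances the clock."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def make_fake_server(clock: Callable[[], float], limit_per_second: int) -> Callable[[str], Response]:
    """Constructed stand-in target: 200 until more than `limit_per_second` requests
    land within one second, then 429 with Retry-After: 5."""
    recent: list[float] = []

    def send(target: str) -> Response:
        now = clock()
        recent[:] = [t for t in recent if now - t < 1.0]
        recent.append(now)
        if len(recent) > limit_per_second:
            return Response(429, {"Retry-After": "5"})
        return Response(200)

    return send


def run(rate: float, burst: int, targets: list[str], limit_per_second: int = 3):
    """Probe `targets` at the given pace; return (statuses, number of 429s, simulated seconds elapsed)."""
    clock = FakeClock()
    prober = PacedProber(make_fake_server(clock, limit_per_second),
                         TokenBucket(rate, burst, clock, clock.sleep))
    statuses = {}
    for target in targets:
        resp = prober.probe(target)
        statuses[target] = resp.status if resp else None
    throttled = sum(1 for e in prober.log if e.status == 429)
    return statuses, throttled, clock.now


if __name__ == "__main__":
    hosts = [f"host{i}.example.com" for i in range(6)]  # constructed target list
    for label, rate, burst in (("paced", 2.0, 2), ("all out", 10.0, 10)):
        statuses, throttled, elapsed = run(rate, burst, hosts)
        print(f"{label:8} 429s={throttled} finished at t={elapsed:.1f}s {statuses}")
```

Run it and the "all out" pass trips the server's limit and finishes later (simulated t=5s) than the paced pass (t=2s), which is the whole point of the cooking analogy. For off-the-shelf tools the same idea is a flag: nmap's `--max-rate` and `-T` timing templates, Nuclei's `-rate-limit` and `-c`. And if the program asks you to tag your traffic (a custom header, a registered source IP), do that too; it lets the blue team tell you apart from a real attacker.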
Don't ignore the rules
This is similar to staying in scope, but it's important enough to stand on its own. If you want to be rewarded and have the satisfaction of knowing you made the web safer, you can't ignore the rules of the bounty. Knowing the rules saves everyone time; if something isn't submitted correctly, someone has to spend time fixing that. If you used a tool the program prohibits, the bug or test doesn't count, because they said NOT to use that tool; testing outside the agreed terms can also put you outside the program's safe-harbor protection. I know it's important to get the bug, and finding one feels great, but it can't come at the expense of the agreed-upon rules of engagement. It's extremely frustrating for the people receiving your report to have to deal with a broken rule, and a report generated in explicit violation of the rules feeds into your reputation in the bug bounty community as well. Remember, the better your reputation, the more likely you are to be recognized by, and find more value within, these communities.
This also means knowing the rules well, not just avoiding purposeful violations. By participating in the bounty you agreed to its terms; whether you read them or not is irrelevant. Know the rules so you can avoid mistakes and keep the whole process running smoothly.
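Scope is the rule you are most likely to break by accident, usually through a tool that follows a redirect or enumerates subdomains into assets the program never listed. As an added illustration (mine, not the post's code), here is a Python scope gate that a recon script can check every target against before sending a single packet. `Scope` and its methods are my own names; the example hosts and the 203.0.113.0/24 range are constructed.

```python
"""Scope gate: refuse to touch anything the program did not put in scope.
Added example, not the post's own code. Rules are hosts, `*.domain` wildcards,
or IP networks; out-of-scope rules win, and a wildcard covers subdomains only."""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit


class Scope:
    def __init__(self, in_scope, out_of_scope=()):
        self.allow = [self._parse(r) for r in in_scope]
        self.deny = [self._parse(r) for r in out_of_scope]

    @staticmethod
    def _parse(rule: str):
        rule = rule.strip().lower()
        try:
            return ("net", ipaddress.ip_network(rule, strict=False))  # "203.0.113.0/24" or a single IP
        except ValueError:
            pass
        if rule.startswith("*."):
            return ("wild", rule[2:])
        return ("host", rule)

    @staticmethod
    def _match(rule, host: str) -> bool:
        kind, value = rule
        if kind == "net":
            try:
                return ipaddress.ip_address(host) in value
            except ValueError:  # a hostname, not an address
                return False
        if kind == "wild":
            # sub.example.com matches; example.com and notexample.com do not
            return host.endswith("." + value)
        return host == value

    @staticmethod
    def hostname(target: str) -> Optional[str]:
        """Accept a bare host, host:port, [v6]:port or a full URL; return the normalized host."""
        if "://" not in target:
            target = "//" + target
        host = urlsplit(target).hostname
        return host.rstrip(".").lower() if host else None

    def allows(self, target: str) -> bool:
        host = self.hostname(target)
        if host is None:
            return False  # unparseable targets are refused, not guessed at
        if any(self._match(r, host) for r in self.deny):
            return False
        return any(self._match(r, host) for r in self.allow)

    def partition(self, targets):
        """Split targets into (in_scope, refused) so refusals are visible, not silently dropped."""
        ok, refused = [], []
        for t in targets:
            (ok if self.allows(t) else refused).append(t)
        return ok, refused


if __name__ == "__main__":
    # Constructed program scope: wildcard plus apex, one IP range, two exclusions.
    scope = Scope(["*.example.com", "example.com", "203.0.113.0/24"],
                  ["legacy.example.com", "203.0.113.7"])
    candidates = ["https://app.example.com/login", "legacy.example.com",
                  "203.0.113.9:8080", "203.0.113.7", "example.com.attacker.net"]
    ok, refused = scope.partition(candidates)
    print("in scope:", ok)
    print("refused: ", refused)
```

Two deliberate design choices: out-of-scope entries win over in-scope ones, and `*.example.com` covers subdomains only, so the apex has to be listed on its own when the program lists it. Both are the conservative reading; if the program's own wording is broader, widen the rules, not the code.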
Don't report unnecessary stuff
Yes, sometimes even something minor can indicate a larger problem, but in general you shouldn't submit reports for small things that don't actually make the company vulnerable. As much as we love Nuclei, running a scan and shipping the raw results to a company does not a good report make. Bug bounty hunting is not a get-rich-quick scheme; it takes work, dedication and, most of all, time. It's your job to understand the specific vulnerabilities you're checking for, to confirm them, and to understand the severity of what you found.
One particularly common report that bug bounty programs complain about is the "DMARC vulnerability": a domain with no DMARC record, or one whose policy is p=none. DMARC tells receiving mail servers what to do with messages that fail SPF or DKIM alignment, so a published quarantine or reject policy makes it harder to spoof your domain in phishing campaigns. It is not a critical vulnerability; it's something every company should have and many don't, but most programs rate it informational or low, and many list it as out of scope outright. To make it worse, these reports are frequently sent by people looking to make a few quick bucks from a company without an established bug bounty program: look up the owner of whatever website you're looking at, send them a cold email about the terrible vulnerability in their website, and see if you can get some money for it.
This bleeds into beg bounty territory: findings that are technically a weakness but pose no real risk to the company. There are many of these "vulns" out there, and that brings us to the next point…
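For the DMARC report in particular, here is what the actual check looks like, as an added example (mine, not the author's): given the TXT strings published at `_dmarc.<domain>` (what `dig +short TXT _dmarc.example.com` prints, quotes included), it classifies the finding and shows why it rarely rises above informational. The function names are my own; the policy handling follows RFC 7489 (no record, several records, or no valid p= tag means receivers apply no policy; p=none is monitor-only); the sample records at the bottom are constructed.

```python
"""Triage a domain's DMARC record. Added example, not the post's own code.
Input: the TXT strings found at _dmarc.<domain>. Policy handling follows RFC 7489."""
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt: str):
    """Parse one TXT string into a tag dict, or None if it is not a DMARC record (e.g. a stray SPF record)."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_dmarc(txt_records):
    """Return {policy, subdomain_policy, pct, severity, note} for the records found."""
    result = {"policy": None, "subdomain_policy": None, "pct": None,
              "severity": "informational", "note": ""}
    found = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if not found:
        result["note"] = "no DMARC record published; receivers apply no DMARC policy"
        return result
    if len(found) > 1:
        result["note"] = "more than one DMARC record published; receivers apply none of them"
        return result
    tags = found[0]
    policy = tags.get("p", "").lower()
    sub = tags.get("sp", policy).lower()
    if policy not in VALID_POLICIES or sub not in VALID_POLICIES:
        if "rua" not in tags:
            result["note"] = "no valid p=/sp= tag and no rua=; receivers apply no DMARC policy"
            return result
        policy = sub = "none"  # RFC 7489 6.6.3: with rua= present, receivers act as if p=none
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    result.update(policy=policy, subdomain_policy=sub, pct=pct)
    if policy == "none":
        result["note"] = "p=none is monitor-only; mail failing SPF/DKIM alignment is still delivered"
    elif pct < 100:
        result["note"] = f"policy applies to only {pct}% of failing mail"
    elif sub == "none":
        result["note"] = "sp=none leaves subdomains unprotected while the apex enforces"
    else:
        result["severity"] = "none"
        result["note"] = "enforcing policy published; nothing to report"
    return result


if __name__ == "__main__":
    # Constructed sample lookups; none of these domains is real.
    samples = {
        "no-record.example": [],
        "stray-txt.example": ['"v=spf1 -all"'],
        "monitor.example": ['"v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"'],
        "partial.example": ['"v=DMARC1; p=quarantine; pct=10"'],
        "enforcing.example": ['"v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example"'],
    }
    for domain, records in samples.items():
        r = assess_dmarc(records)
        print(f"{domain:18} severity={r['severity']:13} p={r['policy']} sp={r['subdomain_policy']} {r['note']}")
```

Note what it does not check: whether SPF and DKIM are actually set up (DMARC depends on them), and whether the domain sends mail at all. If you still think a missing or p=none record is worth reporting to a program that accepts it, write up the concrete impact and expect it to be rated informational or low.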
Don't spam the Company/Beg for a reward
Say you work for Company A on the bug bounty/responsible disclosure team. You open your email first thing on a Monday morning and see a message from a researcher about the bug bounty program. It reads,
“Hello, maybe this is not worth any money to you, but I think it could be worth a shirt or hat or something. This report exposes a massive vulnerability in your assets and I think it’s worth something, but if you don’t value hard work, then I guess that’s fine. I think it’s like free advertising for your company.”
What exactly is motivating you to even LOOK at the bug report after reading that? It's clear the sender is trying to guilt you into giving them a reward. But a reward is paid when the program decides the report merits one under its published terms, and asking for swag that was never offered as a reward is especially poor form. The truth is, you should know what the reward is before you start, and it is not likely to change. So asking for more, or sending a passive-aggressive message like the one above, is considered bad form when submitting bugs. We're all on the same team: get rid of bugs and make the internet safer for everyone. Should you push back if they're not giving what was promised? Oh yeah, stand up for yourself. But not like the email above; you'll make no good connections that way.
Common Sense / Remember the human
So, those are some quick ways to be a good bug bounty hunter; not in terms of skill and ability, but in terms of how you interact with the people at the programs you're supposed to be helping. It's important to remember the human on the other side of your reports, and that treating them with respect and professionalism will benefit you. There will always be people who take advantage of things, and there will always be bug bounty hunters looking to bend rules or regulations to benefit themselves. But the best course of action is to build solid relationships based on trust and transparency.
And while this is all from the perspective of making life easier for the person who reads all these reports, there is something to be said for the red flags of bug bounty. In fact, someone already said it! Here are some things to look out for when checking out bug bounty programs.
It's a two-way street; companies must be open and transparent about their programs and hunters should remember to try their best to be helpful, which is the point of the program in the first place. If we all work to build good relationships with each other, then we will find a better bug bounty world for everyone. You never know who is noticing the work you’re doing, and who might want you working with them more closely in the future. So it’s best to always put your best foot forward and engage in these programs with integrity and honesty.