Anyone can take part in bug bounties by registering on one of the online platforms. In the case of Pwnwithlove, it was during a “live event” organized by YesWeHack in July 2023 that she started to take a serious interest in the discipline.
“For a whole day, all the bug hunters came together to work on the same program. I tried it; in this case I didn’t find anything, but it allowed me to get to know this community a little bit,” explains this cybersecurity student, who came to cybersecurity through the world of CTFs after completing her pharmacy studies.
“At first, bug bounties seemed quite out of reach for me, but meeting people motivated me. Then I had a few friends who helped me; at my school there are a few of us who do YesWeHack bug bounties,” she explains.
The platform game
The principle is well known: companies invite security researchers to search for vulnerabilities in all or part of their services and pay rewards when a researcher actually finds a flaw. Platforms like YesWeHack, HackerOne or Yogosha act as intermediaries, supporting the companies that run the programs.
On YesWeHack, for example, there are public programs open to everyone and private programs to which researchers are invited: “Most of the time I prefer to stay on the private programs; they are usually less crowded and more interesting,” explains Pwnwithlove.
But to gain access to private programs, you first have to be active on the platform through its public programs and understand a little about how it works.
“We don’t actually know how the invitations are sent to the hunters. But we have some guesses! The platform uses, for example, an impact score that is calculated from the number and criticality of the vulnerabilities reported. We think this plays a role.” Platforms readily use the principles of “gamification” to encourage participants to report vulnerabilities: scoring, leaderboards, and sometimes even perks to reward the most active participants are common.
Facing reality
But bug bounties also let you work with real technologies and learn how they work. Pwnwithlove explains that, through the programs, she was able to explore technologies she had never had the opportunity to practice on before and discover new flaws. One example is Adobe ColdFusion, a platform used to develop web applications. Although she had never touched it before, curiosity drove her to dig deeper into the subject until she discovered a 0-day flaw, which she reported to the vendor; her alias then appeared in the acknowledgements of one of the vendor’s security bulletins.
“It’s a very good way to learn new things about technologies that are actually being used by companies,” she sums up.
She explains that she has developed her own research methodology for approaching new programs and uncovering flaws. “This is something we develop gradually; we automate certain reflexes, and having a good ‘reconnaissance’ technique sometimes allows us to find flaws that no one else has seen,” the student says. And bug hunting isn’t necessarily done alone.
“YesWeHack has features that allow multiple people to work together. We can set up a collaboration with two or more researchers working on the same program, reporting bugs together and sharing the rewards,” explains Pwnwithlove.
Vulnerabilities, not charities
But the main appeal of bug bounties is obviously the money. T-shirts and thank-yous are not enough to motivate bug hunters. Fortunately, the bounties paid can sometimes add up to significant sums.
“It’s very variable: sometimes we find nothing for a few weeks, and sometimes we can find two flaws in quick succession that bring in €3,000 each. I don’t plan to make a living from it, but it still allowed me to get a new computer and furniture for the apartment,” explains the young security researcher.
But the life of a bug hunter is not always easy. While in most cases the companies that receive researchers’ reports are open to discussion and keen on explanations, disagreements can arise, for example over the assessment of a given vulnerability’s severity. The topic is not trivial for researchers, as the size of the bounty is usually indexed to the severity of the vulnerability.
In such cases, it is up to the platform to mediate. A real risk, but a tolerable one: “Over time we learn to justify our reports, and by explaining, everything usually goes well. That said, many bug hunters have had unpleasant experiences. But we can always go elsewhere,” sums up Pwnwithlove.