The Bug Bounty Process
-
Pick a program
Find a program that you want to hit.
-
Review the scope
Review the program scope to ensure that you are looking for vulnerabilities that they are interested in.
-
Find a target via recon
On some programs you may have to perform reconnaissance to find targets within scope. In most programs you will simply be given a website URL, and you can get started with that.
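Whatever recon turns up, it has to be checked against the program scope before anything is touched. The scope filter below is an added example (not from the original page); the scope lists and hostnames are constructed, modelled on how platforms publish wildcard assets with explicit carve-outs:

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed sample scope for a hypothetical program (not from the original page).
# Platforms typically list wildcard assets plus explicit exclusions.
IN_SCOPE = ["*.example.com", "api.example-app.net"]
OUT_OF_SCOPE = ["status.example.com", "*.internal.example.com"]


def hostname_of(target: str) -> str:
    """Extract a lowercase hostname from a bare host or a full URL."""
    if "://" not in target:
        target = "//" + target  # let urlsplit treat a bare host as a netloc
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"no hostname in {target!r}")
    return host.lower()


def matches(host: str, pattern: str) -> bool:
    """Case-insensitive glob match; '*.x' covers subdomains of x, not x itself."""
    return fnmatch.fnmatchcase(host, pattern.lower())


def classify(target: str) -> str:
    """Return 'in-scope', 'out-of-scope' or 'unknown' for a host or URL.

    Explicit exclusions win over wildcard inclusions, which is how most
    programs phrase their scope: a broad wildcard plus a list of carve-outs.
    Anything matching neither list is 'unknown' and must not be tested
    until the program confirms it.
    """
    host = hostname_of(target)
    if any(matches(host, p) for p in OUT_OF_SCOPE):
        return "out-of-scope"
    if any(matches(host, p) for p in IN_SCOPE):
        return "in-scope"
    return "unknown"


def filter_targets(discovered):
    """Bucket recon output so only in-scope assets are carried forward."""
    buckets = {"in-scope": [], "out-of-scope": [], "unknown": []}
    for target in discovered:
        buckets[classify(target)].append(target)
    return buckets
```

Note that a lookalike such as `example.com.attacker.test` lands in `unknown`, not `in-scope`, because the glob is anchored to the whole hostname.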
-
Hit the target and find a vulnerability
Take a quick shower and turn that open redirect into a full-blown remote code injection.
-
Write the report
This step might look easy, but it's really important to write a clear and understandable report. If the company is able to verify your issue quickly, you will save them a lot of time, and indirectly yourself, because they will be able to resolve your issue sooner.
-
Patiently let the company handle the report
Wait for the company to review your submission, triage the finding if it's valid, and fix the vulnerability. Your mileage may vary based on the submission, program, or even platform. Critical vulnerabilities tend to get resolved and paid very quickly, while low/medium-severity issues can take up to a month or longer.
The important part here is to be patient. Repeatedly poking the company for updates every few days will only hurt you. If the company does not respond after a month or two, you can ask the platform to get involved.
-
Get paid
Some programs will pay on triage, so you may get paid very quickly. Other programs may only pay once the issue has been fixed. It's common for many bug bounty hunters to have dozens of unpaid vulnerabilities in their queue at any given time. You will get paid, eventually. Once you do, the platform will usually pay out via PayPal. Some of the platforms offer alternatives such as Bitcoin. Even after being rewarded by the program, you have to wait for the platform to pay you out, which may take a few days or longer.
-
(Optional) Disclosure
Public programs will sometimes allow you to disclose the report. It's proper etiquette to request disclosure from the company before talking about your finding. Some platforms have disclosure integrated as a feature, so you can simply click and wait for the company to approve it. On others, you may have to reach out to the company directly and ask.
Depending on how you feel about disclosure, you can usually safely disclose vulnerabilities (on public programs) after a few months of the issue being resolved. You still risk the chance of being removed from a program/platform if you do not get approval from the company first.
-
Repeat
The top bug bounty hunters have reported hundreds of valid submissions on a single platform alone. Most of these hunters are active on every popular platform out there. The key to success is consistency. You successfully reported and got paid for a vulnerability, but you've got hundreds more to go to become one of the elite.