11/25/2017 5 Things Top Bug Bounty Hunters Do Differently | HackerOne

5 Things Top Bug Bounty

Hunters Do Differently April 7th , 2016

https://www.hackerone.com/blog/5-things-top-bug-bounty-hunters-do-differently 1/7
11/25/2017 5 Things Top Bug Bounty Hunters Do Differently | HackerOne

This week, we had the pleasure of hosting 50 Belgian technology students,

who were on a tour of Silicon Valley technology companies. We had the
opportunity to share our experience in Silicon Valley as entrepreneurs. But
mostly we discussed hacking and security because after all, that is what
we live and breathe at HackerOne. We shared a few well‑known and public
examples of hackers working with companies to demonstrate how far the
https://www.hackerone.com/blog/5-things-top-bug-bounty-hunters-do-differently 2/7
11/25/2017 5 Things Top Bug Bounty Hunters Do Differently | HackerOne

industry has come. We covered Samy Kamkar's MySpace worm, Chris

Putnam's very similar "Facespace" worm, the Jeep and Tesla car hacks
and the United Airlines bug bounty, among other cool stories. After
storytime, we jumped straight into tips and tricks for becoming a
successful bug bounty hunter.
Here are 5 things top bug bounty hunters do differently:
They Know How to Build
Some of the best hackers say they learned to hack before they could
code. Some hackers picked up hacking after learning to code. Truth is, it
doesn't really matter. But the most effective hackers practice both the art
of hacking and the science of engineering software.
When you've been ‑ or better still, are ‑ on the side of creating new
product features, you get a better understanding of where to look for
bugs. Humans make mistakes, and having direct experience with how
these mistakes are made and turn into weaknesses is key to becoming a
successful bug bounty hunter. Software developers almost always use
frameworks that provide the building blocks for the application they are
trying to architect. Experience working with various frameworks gives you
insight in how they're used, but more importantly, it also tells you how they
should not be used. The latter is what you need to take advantage of as a
security researcher.
Having experience in writing software is the single most important thing
that helped me as a hacker.
They Have An Eye For Anomalies
Start by identifying the design patterns used throughout your target
application. Then match those against the instances you have found where
the developers chose to adopt a different pattern. When you find an
instance of a developer going out of their way to bypass a best practice,
you should start to smell vulnerabilities. In my personal experience, this
https://www.hackerone.com/blog/5-things-top-bug-bounty-hunters-do-differently 3/7
11/25/2017 5 Things Top Bug Bounty Hunters Do Differently | HackerOne

usually means there is at least one vulnerability near where you are sniffing
around. It is guaranteed that you will find these exceptions in any
application.
A deviation in the naming pattern used for HTTP endpoints, the way a user
input form is structured, the representation of data being passed around in
an API, or simply just the way it looks. These are all classic tells for
anomalies.
They Submit Quality Reports
One must not forget that quality often goes above quantity when it comes
to vulnerability reporting. For a team running a bug bounty program, it is
far more interesting to learn about a remote code execution vulnerability,
than a series of Self XSS opportunities.
As a hacker, if you enjoy the puzzle or intellectual challenge that is finding
a super‑severe vulnerability, you're good. If you also enjoy describing what
you found as clearly as possible, you're even better! Don't forget that
reporting a vulnerability is a professional interaction between you and a
security team. Use professional language, be concise, include clear
reproduction steps, and don't introduce unnecessary overhead for the
person on the receiving end. While you are excited about finding a
vulnerability, realize that the security team you are reporting to may not be
equally as excited about having a vulnerability. You also have to
understand that the security team you are reporting to may have
competing priorities ‑‑ you don't know their business. Being patient and
understanding in your exchange is always appreciated and sometimes
even rewarded appropriately.
They Set Goals
How do you tell if you're a successful bug bounty hunter? For some, there
is no better success indicator than $$$ in your bank account. Setting goals
for yourself helps you stay motivated and engaged. You will be able to
better choose where to spend your time ‑‑ it is a competitive game after
https://www.hackerone.com/blog/5-things-top-bug-bounty-hunters-do-differently 4/7
11/25/2017 5 Things Top Bug Bounty Hunters Do Differently | HackerOne

all. You can set goals for yourself around the amount of money you want to
make in a quarter, the types or severity of bugs you want to find, or the
specific companies you want to find vulnerabilities in. My goals are a
combination of all three.
For me personally, it is not all about the bounties. I enjoy the challenge and
contributing to the security of the Internet. I worry about the security of the
services I use, and I often spend time finding vulnerabilities in the service I
rely on the most. For me knowing I am helping secure my personal data or
my company's is extremely rewarding.
They Hack together
Together you find more. In 2015, my co‑founder Jobert and I made over
$100,000 in bug bounties. We almost always hunt for bugs together. We
bounce ideas off each other. We disagree, and we call one another out
when they are being stupid. We argue, we braindump, and usually it turns
into a brilliantly working exploit.
Working together is very powerful. It allows you to parallelize. More
importantly, it allows you to have someone to bounce ideas off to help
prove your theoretical, almost crazy vulnerability. If you don't already have
a hacking buddy, don't worry, it's not required to succeed. This is more of
a bonus trick that can allow you to optimize your bug bounty work.
Hack on!
Michiel Prins

     

https://www.hackerone.com/blog/5-things-top-bug-bounty-hunters-do-differently 5/7
11/25/2017 5 Things Top Bug Bounty Hunters Do Differently | HackerOne

Recent articles
The Voices of Vulnerability Disclosure: Look Who’s Talking
About VDPs
The attention being given to vulnerability disclosure policies (VDP) in the past year has
increased…
Read More

H1‑212 CTF results

Read More

Five Days Left to Hack The World 2017!

There are only five days left to Hack The World 2017 and earn the title! Now is the time to
find some serious  …
Read More

Product
Overview
HackerOne Response
HackerOne Bounty
HackerOne Challenge
https://www.hackerone.com/blog/5-things-top-bug-bounty-hunters-do-differently 6/7
11/25/2017 5 Things Top Bug Bounty Hunters Do Differently | HackerOne

HackerOne Community
Resources

Community
Internet Bug Bounty
Bug Bounty Programs
Disclosure Guidelines
Hack. Learn. Earn.
Start Hacking
Leaderboard
Hacktivity
Zero Daily Newsletter

Company
About
Blog
Press
Careers

Contact
Sales
Help
IRC
Twitter

https://www.hackerone.com/blog/5-things-top-bug-bounty-hunters-do-differently 7/7