[HackerOne] - Prioritizing and choosing a program to focus on

It's no secret HackerOne is my Bug Bounty Platform of choice. I believe they'll be the future of security, leading the bug bounty half; while the other half being taken by Cobalt's crowdsourced pentesting approach.

Right. So you've started submitting valid bugs in H1, got a bit of rep and good signal and you're now getting lots of invites to private programs. How should you choose which ones to focus on?

Decisions, decisions

Here is the secret: choose the one that suits your personal taste more. What I mean by that is, if there is a program for a web application you already are an user of - then that's a good candidate.

More than often, we as researchers lack perspective on what some web applications do - which means we have to spend some time navigating the site as an user or as a customer would do, understanding what it's about. If you already have that knowledge - you should use it. If all the programs/apps are unknown to you, read on.

Defining your goal

Depending on your goals, you'll want to choose different programs. Are you looking to make money? Consider bounty-only programs. Looking to gain rep? Choose newer programs, even if they don't pay - and so on.

Analysing program metrics

Before accepting the invites you'll want to study the available metrics and afterwards rank your available programs. Here is my typical analysis:

1. Response efficiency and time to respond

In the response efficiency, we want close to 100% and fast to respond - both in terms of triage and time to bounty.

Here are some example stats from Shopify, undoubtedly one of the best handled programs in the platform:

That's the type of stats you want to look for. HackerOne themselves have been pushing hard and enforcing to make sure the programs achieve proper response SLA.

2. Updates & View Changes

Understanding how long a program has been running is critical for your assessment. The longer they have been running, the better will be their security posture. If you're a farmer or only look for low hanging fruit / easy to find vulnerabilities, this won't probably be a good match for you.

However, the deciding factor comes in the form of Updates (next to the Policy, Hacktivity and Thanks tab) and Changes (in the bottom of the page):

Using the "View changes" option you can check out the latest scope / targets added or removed in the program. Here, there are two routes:

  • The most common is focusing on the latest assets added, which most definitely will be the ones exposed less to other researchers and thus more likely to have vulnerabilities
  • Another strategy is navigating to the first ever published assets and testing those - as many times you can find regression bugs
3. Assets & Scope

The thing to look out for is a scope where the main apps / domains are specified with a wildcard:

  • *.acme.com

This opens up a much bigger attack surface and allows you to leverage all the available recon tools. This might result in discovering administration panels, weakly protected services and other apps which you can start with.

4. Hacktivity & Reports

Looking at the Hacktivty is a great to way to gather more information about the program. Firstly, this will hint you on how active the program is and how many researchers are looking into it. It will also give you a feel for how the program actually pays, especially if there are disclosed reports. Secondly, check what type of reports have been submitted and who's done it:

  • If you're seeing big payouts and only high / critical issues being reported, it probably means that their security posture is decent and only high / complex vulnerabilities have been awarded. This in turn means that you shouldn't bother looking for low or medium stuff. Sorry! Copy pasting that XSS payload won't be enough.
  • If there are lots of reports and a mixed number of payouts - probably means there are still lots of low/medium issues you can look for.

You should also look at the Top hackers tab. This can give you some more information on what people have been looking for - e.g. if Frans is there, don't even bother looking for subdomain takeovers.

Additionally, here's a very interesting strategy that you can use after choosing what program to hack on. Head over to h1.nobbd.de and search for your program, e.g.:

Since you can now see all the reports ordered by their time of submission, you can:

  • Search for a specific type of vulnerability (Cmd+F or Ctrl+F), e.g: XSS, SSRF, etc
  • Read all the reports and re-test the issues. You might get lucky and discover that the bug is still there for some reason. Or at the bare minimum, by going through the reports you'll get more ideas on what to test as well as learning more about the web app, it's features and it's expected use.
5. Scope & Vulnerabilities

Lastly, read the scope. And then re-read it. What type of vulnerabilities are they looking for? What type of vulnerabilities are out-of-scope or already known? This will provide you with the necessary information on what to look for but especially - what not to look for. You might get a stored XSS - but if it's in one particular domain specified as out-of-scope, tough luck. RTFM.

Conclusion

Doing bug bounties long term is hard. It takes skill, discipline and resiliency. Time is essentially your biggest asset, so prioritizing and choosing the best target for you is of uttermost importance. Finally, the best hackers all share one thing: persistence. Don't get discouraged and keep grinding away at a program - with hard work and discipline results eventually show up, even it might look as plain 'luck'.

Until the next time,
Fisher

P.S:

Twitter is fun but not the best place to write so many thoughts together - I expect to be more active on this blog as I do more bug bounties. Please take everything I say with a grain of salt - there are many, many more hackers with much more experience and knowledge that I have. But I figure it's better to start a discussion anyway, rather than stow away knowledge. #bugbountytip #bugbountytips

Cover Photo: Inti's MVH coronation at H1-702 Las Vegas.