Greetings fellow bounty hunters! If you are looking for tips, tricks, insights, or otherwise helpful information related to the wonderful world of bounty-hunting with Bugcrowd, I am almost, nearly practically certain that you have come to the right place!

My name is “ZwinK”, and I started bounty hunting 6 months ago with Bugcrowd. Hacking only part-time, I’ve made over $100,000 since January, and so can you! Here’s my second tip to help you, fellow hacker, get an idea of how I found success doing this hacking thing.

Tip #4:  Test manually, avoid duplicateville

At first, I made the mistake of trying to scan everything. Don’t do that unless you want to live in “duplicateville” (it’s a real place and it’s not pleasant). I perform over 99% of my testing by hand, or with Mozilla, Firefox, and Burpsuite Pro (a great toolkit because it works interchangeably on Windows or Linux). I assure you, the low license cost has paid for itself many times over. There are times when you will need a Windows box to test thoroughly. If I need to do something custom, which is generally pretty rare, I code in Python which also works on Linux or Windows. 

Listen, my people, if everyone could just buy a copy of Burp Pro or Nessus and press the “GO” button on a target and get rich, they would. Most companies have these tools and test with them, so they are unlikely to find a tremendous amount of things for you, and the things they do find are likely to be duplicates (exception being brand new private program invites). I highly recommend testing manually!  Start burp up, and just use the target(s) like a regular user would, recording everything. Then go back and see what you can mess with. Testing manually requires you to have knowledge… see tip #2.

Tip #5:  VPN Service

Some programs will have rather vigorous WAFs in place, which will lead to your IP address being temporarily or permanently blocked due to payloads. You need to have a VPN service that allows you a large pool of IP addresses in different geographic locations to test with. I’m not recommending any VPN in particular, but having a large VPN pool will allow you to continue testing and learning what behaviors to avoid with that program. 

The world of web application firewalls can make testing certain vulnerability types devastatingly difficult – so if you encounter a program with well-tuned WAFs that are hard to bypass, you need to decide as to whether it’s worth continuing down that road. If you primarily get XSS, SQLi, or known-exploit related vulnerabilities, you may wish to move on, or, just “try smarter” 🙂 Sometimes simple things like encoding payloads as HTML then URL will bypass WAFs – you never know. Be creative, but know in the world of WAFs you are bound to get blocked at some point and certain vulnerability types will be difficult.

Check out my previous blogs in this series!

Tip #1: Bugcrowd as an MMORPG (Real-Life Video Game)

Tip #2: Complete the Portswigger Web Security Academy and learn the VRT

Tip #3:  Get ONE valid submission

About the Author

I first signed into the Bugcrowd platform in late October 2020 to see what it was all about, and I was pretty sure this was a video game disguised as work. In some ways, I was not all that far off. It’s all a little shocking, really – “What, I can just try to hack… uh… some company for money, and gain rank”? Indeed, this represents a departure from years ago when the only reward hackers may receive was a reduced prison sentence. Wow! How the world is changing!