Bug Bounty: Get paid to hack PayPal and TikTok // Featuring Nahamsec

Introduction

In a world increasingly reliant on technology, the security of digital assets has become paramount. Bug bounty programs have emerged as a lucrative avenue for ethical hackers to report vulnerabilities in applications and websites in exchange for rewards. In this article, we sit down with Ben Sadeghipour, widely known online as Nahamsec, who has been an active hacker and bug bounty hunter since 2014. Drawing on his experience, he offers insights on how to get started in bug bounties, which platforms are useful, and which hacking strategies work.

Getting Started in Bug Bounties

Ben emphasizes that there are several key platforms for bug bounty hunters. His favorites include:

  • HackerOne: A well-established option with a wide variety of programs, including big names such as the Department of Defense, Airbnb, and Lyft.
  • Bugcrowd: Hosts programs for companies such as Tesla and Pinterest.
  • Intigriti: Focuses on European brands, with companies such as Red Bull and Intel.

For newcomers, Ben recommends platforms with less competition—not just the high-stakes ones where top hackers are vying for the same vulnerabilities. Programs such as those run by GM or the Department of Defense can be gold mines for beginners.

Understanding Bug Bounties

The core principle of bug bounty programs is to allow participants to ethically hack an organization's digital products while staying within the published scope. If successful, ethical hackers may receive monetary rewards or non-cash incentives, such as public acknowledgement and leaderboard rankings. Even recognition alone can add significant value to a hacker's resume.

Ben highlights key terminologies to understand before diving into bug bounties:

  • Scope: Defines what is allowed for testing. Always read the rules.
  • Triage: The phase where companies assess the reported vulnerabilities for validity.
  • Duplicate: A report of a vulnerability that has already been submitted by another hacker.

Hacking Process and Methodologies

To showcase how to start hacking, Ben suggests focusing on a company of interest, like PayPal or TikTok. The process begins by creating an account on platforms like HackerOne. Once you're in, you can submit reports detailing any vulnerabilities you discover.

His methodology includes:

  1. Recon: Use Google and sources such as certificate transparency logs to identify subdomains or hidden paths.
  2. Google Dorking: Uses search operators to filter results and surface indexed pages associated with a particular domain.
  3. Automation Tools: Tools such as httpx can help automate the process of probing sites at scale.
  4. Learning Through Resources: Sites like Hacker101 and TryHackMe, along with various books, can provide valuable knowledge.
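The recon step above (pulling candidate hostnames out of certificate transparency data) and the "Scope: always read the rules" point earlier go together in practice: every name you discover has to be checked against the program's scope before it is touched. The following is an added example, not code from the video or from Nahamsec. The CT entries are a constructed sample shaped like crt.sh JSON output (a `name_value` field that may hold several newline-separated names, including wildcard entries); the domain, the scope lists and the entries themselves are made up for illustration.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed sample shaped like crt.sh JSON output. All values are made up.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "api.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.staging.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "API.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "mail.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.evil-lookalike.net"},
])

# Constructed scope, in the form a program policy typically lists it.
# Exclusions take precedence over inclusions.
IN_SCOPE = ["example.com", "*.example.com"]
OUT_OF_SCOPE = ["mail.example.com"]

# Conservative hostname shape: labels of letters, digits and hyphens, at least one dot.
HOSTNAME_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def hostnames_from_ct(raw_json):
    """Return the de-duplicated, lowercased hostnames found in CT entries.

    Wildcard certificates ("*.staging.example.com") are recorded by the base
    name they cover; names that do not look like hostnames are dropped.
    """
    names = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name and HOSTNAME_RE.fullmatch(name):
                names.add(name)
    return sorted(names)


def in_scope(host, include=IN_SCOPE, exclude=OUT_OF_SCOPE):
    """Match a host against glob-style scope patterns, exclusions first.

    fnmatchcase is used so matching is case-sensitive and identical on every
    platform; names are lowercased before they get here. A "*" pattern covers
    any depth of subdomain, which is how most programs read "*.example.com".
    Note that "*.example.com" does not match the bare apex "example.com",
    so the apex must be listed separately if it is in scope.
    """
    if any(fnmatchcase(host, pattern) for pattern in exclude):
        return False
    return any(fnmatchcase(host, pattern) for pattern in include)


def scoped_targets(raw_json, include=IN_SCOPE, exclude=OUT_OF_SCOPE):
    """Split CT-derived hostnames into in-scope and out-of-scope lists.

    The lookalike domain ending in .evil-lookalike.net is kept on the
    out-of-scope side: a suffix match on "example.com" alone would have
    let it through, which is exactly the mistake the glob patterns avoid.
    """
    hosts = hostnames_from_ct(raw_json)
    allowed = [h for h in hosts if in_scope(h, include, exclude)]
    rejected = [h for h in hosts if not in_scope(h, include, exclude)]
    return {"in_scope": allowed, "out_of_scope": rejected}


if __name__ == "__main__":
    result = scoped_targets(SAMPLE_CT_JSON)
    for host in result["in_scope"]:
        print(f"IN SCOPE   {host}")
    for host in result["out_of_scope"]:
        print(f"OUT        {host}")
```

The point of the split is that the out-of-scope list is not discarded: it is the list of names you explicitly do not test. Keeping it visible makes it easy to show, if a report is ever questioned, that the lookalike domain and the excluded mail host were recognised and left alone.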

Examples of Rewards

Ben shares his memorable experience hacking Red Bull during its bounty program. For his efforts, he received significant non-monetary rewards, including cases of Red Bull and Ripple, illustrating that rewards go beyond cash compensation. Companies like United Airlines may offer airline miles, which can lead to amazing travel experiences.

Recommendations for Resources

To successfully navigate the world of bug bounty hunting, Ben lists several resources:

  • Books:

    • The Web Application Hacker's Handbook - A seminal text for understanding web vulnerabilities.
    • Real-World Bug Hunting by Peter Yaworski - Offers hands-on examples and deep insights into reported vulnerabilities.
  • YouTube Channels:

    • LiveOverflow
    • The Cyber Mentor
    • Vickie Li's technical blogs
  • Websites:

    • Hacker101 - Offers free content and an introduction to the world of hacking.
    • TryHackMe, Hack The Box, and various other platforms for practical exercises.

Final Words of Encouragement

Ben concludes by encouraging those interested in pursuing bug bounties to follow their passions. Whether the draw is a specific company, such as GM, or an interest in mobile hacking, the journey can be rewarding. Be patient and persistent; with practice and effort, vulnerabilities will reveal themselves.


Keywords

Bug bounties, HackerOne, Bugcrowd, Intigriti, ethical hacking, scope, vulnerabilities, rewards, PayPal, TikTok, reconnaissance, Google Dorking.


FAQ

Q: What exactly is a bug bounty?
A: A bug bounty is a program that allows ethical hackers to find and report vulnerabilities in a company's digital assets in exchange for monetary rewards or recognition.

Q: What platforms are preferred for bug bounties?
A: Some of the preferred platforms include HackerOne, Bugcrowd, and Intigriti.

Q: What should I prioritize as a beginner in bug bounties?
A: Beginners should focus on less competitive programs and learn about commonly exploited vulnerabilities such as cross-site scripting (XSS) and SQL injection.

Q: How can I learn to bug bounty effectively?
A: Resources like Hacker101, various books, and YouTube channels dedicated to hacking can provide the foundational knowledge needed to succeed.

Q: Is it possible to earn rewards without monetary compensation?
A: Yes, non-monetary rewards such as merchandise, airline miles, and public recognition can also be granted in bug bounty programs.