To earn more money from bug bounty programs, become the best in the world at one thing and ignore the rest. Here’s why.
It’s very tempting to try to learn and apply everything there is to learn about different types of vulnerabilities. When you look at bug bounty writeups like those on hackerone.com, it is clear just how different each of the reported vulnerabilities is. When I first started looking into bug bounty programs, I thought I had to learn everything about everything in order to compete. That just isn’t true. In fact, it’s the opposite. If you want to do well with bug bounty programs, pick something you’re interested in and could spend thousands of hours looking at, and learn everything there is to know about it. Find your niche.
The Difference Between Generalist and Specialist Bug Bounty Hunters
A generalist bug bounty hunter will look for everything. Cross-site scripting, SQL injection, unrestricted file uploads, remote code execution, XXE, subdomain takeovers, default passwords, and so on. The list is endless. Most people who try to be good at everything end up being average or worse. The typical generalist spends hours, days, and weeks struggling to find vulnerabilities in a program, finds very few or none at all, then gives up and moves on to something else. There are some generalists who do very well, but they are the exception to the rule.
There is a place in the world for generalists. In my day job as a Cybersecurity Architect, I must be a generalist. I need to know enough about most things in Cybersecurity in order to know what is good and bad, what is best practice, what is not, what I should be aiming for, and how to get there. I understand cryptography, but I don’t know the mathematical details of how it works. I understand how to design and implement a secure network infrastructure, but I’m not a NetSec engineer. I know how to avoid writing insecure software and to find vulnerabilities within code, but I’m not a full-time developer. I know enough to allow me to plot a course and keep us moving in that direction using the specialist skills of others. That is what generalists do well.
A specialist bug bounty hunter will still be aware of all of the different types of vulnerabilities that exist in system development, but they narrow their focus to a much smaller area. Applying focus means they gain expert knowledge quickly and become the best in the world in that space. By doing so, they are able to find things that generalists can’t, using information and understanding that only they have.
Some specialists are RCE wizards. Others are blind SQL injection masters. Some know authentication protocols, processes, implementations, and their flaws, inside and out. While they are capable of spotting bugs outside of their specialist area, they dedicate their bug bounty hunting time to doing what they do best. And it pays.
What Makes a Specialist so Great
Bug bounty programs are a crowded space, and to join a program and be the first to find and report a bug means one of these three things is true:
- The program just launched and you were the fastest to stumble upon it and raise a report
- The program just updated their software and you were the fastest to stumble upon it and raise a report
- You know more than everyone else who has looked at this problem so far. Your unique insight has allowed you to see and understand something that nobody else did before you.
If you’re a generalist, the chance of you knowing more than everyone else who has already looked is vastly reduced. Therefore, you’re usually relying on points 1 and 2 in order to get paid. Being the fastest does work: someone has to find, report, and get paid for the generalist-tier finding first, but it isn’t always going to be you.
Being a specialist gives you a significantly higher chance of hitting point 3. If you know everything there is to know about XXE attacks against a particular framework, and you’re on a program that heavily uses that framework to run its XML-based API, you’re in luck. Once the low-hanging fruit has been picked, you’re next in line to do the real work and find the problems nobody else could see. Like many things in life, being world-class at what you do earns you world-class pay (provided you know how to apply it for maximum effect).
Every Exceptional Generalist is a Specialist in Multiple Areas
If you look at what great generalist bug bounty hunters do, it’s clear to see that they’ve dedicated their time, effort, and energy to becoming specialists in so many different areas that they’ve evolved into fantastic generalists. They might have started by going all-in on SQL injection, then transitioned into XXE when they had learned all they could in the first area, then into buffer overflows once XXE no longer presented a challenge. They didn’t just spray and pray their way to the top; they did their homework. Don’t be fooled by those who find bugs in everything: there are no tricks or shortcuts, they’ve just put the work in, time and time again.
How Do You Find Your Niche (What Should You Become World-Class At)?
Picking a specialty topic is a very personal thing. It depends on what motivates you. Are you using a particular technology a lot during your day job? Is there something you really want to learn more about? Are you looking to earn the most money from each report? What kind of subjects do you find interesting?
If I were looking to earn as much money as possible, I’d run through all of the different programs on HackerOne.com and see which kinds of vulnerabilities paid the most money, in general. Then I’d study those.
If I wanted to learn a skill that transitioned well between companies, I’d find out what technologies all of the programs are running on and then focus my learning on the most commonly used stacks. Not only would this be useful in bug bounty programs, but it would also be useful in everyday employment. Knowing everything there is to know about a common development stack is a valuable skill to have.
If I were really interested in the hardware side, I’d look for programs with some sort of IoT component and then buy and test against the hardware. That’s a very different skill from testing a website or API. If you can pull the firmware off a chip on a motherboard, well done. Not many people are doing this because you have to buy the devices first. It’s one of the few areas where you can’t get started with just your laptop. The setup cost dissuades a lot of people before they even begin.
World-Class Does Not Mean Out-of-Reach
If you narrow your focus enough, you can become world-class at anything. While the category of Remote Code Execution (RCE) vulnerabilities is a narrower topic than the full OWASP Top 10, it’s still a huge area to cover. RCEs in the Django framework are a lot narrower. RCE in Django 2.2 is narrower still. The more targeted you are, the greater your chances of becoming world-class.
An Example: Android Bug Bounties
It would be wrong for me to claim that I’m world-class at Android bug hunting. I’m actually pretty awful at it. But when I first started, nobody else was doing it and I was one of the best Android bug bounty hunters in the world by default. And I sucked, and yet I did really well.
I spent no more than 8 hours learning about Android Bug Bounty Hunting and was able to dive into several programs and find a handful of new vulnerabilities within a couple more hours of searching. I picked a niche I was interested in learning more about, became a (relative) expert in it, and found success.
Pick your niche and become the best in the world at it. You can become world-class.
This is by far the holy grail I should have stumbled on months ago. I started bug bounty in March 2020, once lockdown was enforced and we had to leave school... and I was a serious generalist, hitting if not all programs with every possible payload... short story: 16 dupes, depressing NAs and burnout.
Thanks very much for this, I am putting it into effect on Monday 3rd August 2020 once I make out a testing methodology based on another blog post of yours that I read: https://craighays.com/bug-bounty-hunting-tips-4-develop-a-process-and-follow-it/.
Incredible stuff ^_^. I can’t thank you enough for this precious blog. When I become a world-class “generalist” in android bug hunting, we should collaborate.
Craig Hays says
Thank you for the kind words, Benjamin. Glad you found it useful!