How to succeed as a bug bounty hunter

US-based penetration tester Richard Ray (pictured) shares the skills, experience and tools he deploys to get paid for finding bugs, and the retired US army veteran also explains his five-step process. With AISA reporter Nick Moore.

How do you find the bounties you are going to target?

I find them in a variety of ways. Websites and are two pretty good sources that contain lists of companies and their bounties. These can include web applications or types of software. There are also companies that have their own bounty programs (such as Google, Microsoft, Facebook).

What is your professional background?

I am a US military veteran who turned to cyber security once I got out. Now I am a cyber security analyst (which included threat hunting and penetration testing)

What skills are needed to hunt bugs?

A solid understanding of principles is required. Understanding how to read and write code is very important, as they are not looking for methods that can be deployed by already created tools though you can still report these to the organisation. The more unique the method is can lead to larger bounties. Knowledge on how web applications work and networking principles are a must, you can't expect to accomplish anything when you don't understand it. Knowing the OWASP top 10 and how to leverage these methods is another crucial skill.

How did you acquire the skills to find bugs?

I got my base skills when I obtained my degree focusing exclusively on cyber security. Beyond that, a lot of self-teaching and learning through experience. Websites such as Pentester Academy, Hack The Box, and Try Hack Me are good places to start for a beginner. I taught myself to code and more advanced techniques you develop as you become more experienced.

What equipment do you use?

I use a desktop computer running virtual machines, as well as a laptop. The only operating system I use is Linux and the flavor is more a personal preference. Kali and Parrot are two good ones for those needing tools ready to deploy and easy to learn on. Black Arch is a more advanced flavor but once you understand it, it has amazing capabilities and is very light to run on your computer.

Please describe your process?

(1) Know the rules

First you need to go over the program completely. There are always limitation so you want to make sure you don't cross that line. Generally, things like social engineering, physical access, and any form of a denial-of-service attack are against the program. Also, checking to see if the program is a partial or full safe haven, this is what helps protect you from a company trying to get law enforcement involved. They also lay out the specific target, they usually limit you to specific domains or addresses.

(2) Information gathering

Second is all about gathering information. Determining IP addresses for your targets. Feeling out what defences they have in place (for example, firewalls, intrusion detection/prevention systems). Mapping out ports and services to see if there are any easy vulnerabilities to leverage. You would be surprised how many servers are still sitting with default settings and changing usernames. I have a handful of pre-made tools, and a few I've created myself for this process.

(3) Plan attack

Third part is planning out my attack. You can't just click a button and magically get in. It's also not like TV or movies where you open a page and find out all this crazy information in 3 minutes. You really got to dig down into the information you have found. Are there reported vulnerabilities for a service running, has that vulnerability been patched, and has your target patched it. Making sure all your request lines look legitimate to trick their system, and more research. In my opinion, research is one of the most important parts. That understanding of the target and what vectors you can attempt to leverage.

(4) Launch attack

Fourth part for me is the actual attack. Sometimes it's trying a bunch of different methods in succession, other times it's a slow process so you don't get flagged by the security countermeasures in place. This is where a person's level of skill truly comes into play.

(5) Report bug

Fifth is once you have found that issue, is the report. Companies want a full write up of what you did and how you did it. I always include a few screenshots of anything unique I do, like specific lines of code or the forged request that worked. If you know how to fix the problem you can also include that. Sometimes making their life a little easier to fix something gets you a little extra money.

Is it possible to make a living from bounty hunting? How good?

Yes you can definitely make a living doing this. At first you might be attempting small bounties, that might pay out $100 or $200 but as you become more experienced you can start bringing in much larger amounts. I have seen people find bounties and make $100,000 for it, though this isn't as common. My biggest find so far got me $25,000 which isn't bad money for a find. If you are constantly finding harder bugs you can make a good bit. The biggest catch is you have to be the first to find it, if someone else beats you to it, you don't get paid.

What have been some of your more noteworthy successes?

So when you find them you can always count on the non-disclosure agreement. Even if its a small find that doesn't get you much money. $25,000 is the largest I've been paid for one find. Others have ranged between $200 and $5,000. I've found things such as SQL injection yielding user and password data, gaining access with administrator privileges, among others.

Your best piece of advice for someone wanting to hunt for bug bounties?

Like most things, if you want to get good at it, practise. There are tons of resources that provide you with targets to practise on. Don't be discouraged if you don't find something. Expect to fail, this is not a bad thing so the quicker you understand that the better. Become good at researching, find sites and bookmark them, keep cheat sheets of common things you use. Don't expect to remember everything, there is so much information that I still don’t think is possible for one person to know. Understand things change. Hacking is a big business right now and attack methods are changing; sometimes they change on day and then again three days later. This goes back to the research part.

Richard Ray: "The biggest catch is you have to be the first to find it, if someone else beats you to it, you don't get paid."


Australian Cyber Conference Melbourne 2023