The Bounty Hunters: Bug Bounty Programs

5Gmb...M2Ub
21 Dec 2024

Bug bounty lets you get your hacking game on, legally.
We strive to provide informative articles; however, it is up to you to ensure your research is both ethical and responsible, and that you comply with all laws and regulations that apply in your region. The information in this article is provided for educational purposes only.
In a previous article, we took the first steps into exploring and understanding Google Dorking, and looked at how Dorking strategies can be added to our investigative toolkit to uncover actionable data and information.
There were some great comments and feedback from that article and one of the things that came up was worth writing about on its own.
We’ve looked at bug bounty programs in previous articles, but today we’ll take that one step further by looking at some active programs with “safe harbour” provisions that can be a great learning playground for beginners. If you’re good enough, and willing to write a report, you might even get paid for the work you complete. Sound good? Let’s take a look!

Bug What?!

Bug bounty programs pair companies with talented security researchers (white and grey hat hackers the world over) in an active effort to improve the companies’ security posture.
It’s an extremely simple, yet fun (and potentially lucrative) concept. A company publishes the assets it wants tested and the rules of engagement, either as a vulnerability disclosure program (VDP) or as a paid bug bounty, and invites independent researchers to explore them.
Once a bug has been found, the researcher lodges a report with the steps to reproduce it and an assessment of the security risk. The company triages the report and, if the finding is in scope, valid and not a duplicate, a paying program rewards it with a cash “bounty”. Bear in mind that a plain VDP, including the government programs mentioned below, typically offers thanks and a hall-of-fame entry rather than money.
In effect, this means that in the right circumstances you can get your hack on, and sometimes get paid for it, without having to worry about the law or other adverse consequences.
While you might expect that only small companies would participate in this sort of thing, the reality is the opposite. Many large multinationals with dedicated cyber and IT departments still rely on independent researchers to help secure their infrastructure.

Where Do I Go?

There are plenty of active programs now, but it’s worth starting with the two biggest platforms, Bugcrowd and HackerOne. They host a wide range of programs to choose from, and both provide training resources to help start your journey smoothly.
No cyber skills? No worries. All you need is a healthy attitude to learning, some foundational technical skills and a bit of free time, as both platforms provide an assortment of resources to help assess and upgrade your skillset.
Join Bugcrowd
Join HackerOne
When you’re signing up, choose the “researcher” option as this will give you access to open programs. It’ll also allow you to build a profile and market your skills as well as giving you opportunities to collaborate with other researchers.

What Can I Find?

While you’d think that some of the larger organisations would be quite capable of sorting themselves out, the reality is that there are more than a few interesting programs available. For instance, if someone told you they’d hacked the US Department of Defense with no consequences, you might start to question their sanity.
A quick look at the stats for the DoD vulnerability disclosure program shows, though, that nearly 3000 people have done just that since the program started in 2016.
Moving over to Bugcrowd, we can see even more in the way of US Government programs that are open to being explored.
We’ve talked about space infrastructure and satellite hacking in previous radio hackers articles, and via the NASA VDP we can legally take a look at some of NASA’s infrastructure as well.
It might surprise you to learn that such organisations rely on bug bounty programs to help keep their infrastructure safe, but the reality is that like many things in life, crowd-sourcing and collaboration brings a new and interesting dynamic to many existing problems.

Reporting & Safe Harbour

While this all sounds like great fun, there are a few points that need to be touched on to ensure everything stays legal and above board.
When researching programs you’ll often see references to the “scope” of the program. Pay close attention to this: it lists the assets you are allowed to test, the assets you are not, and the rules of engagement. Safe harbour only covers good-faith testing that stays within those rules. So, if you’ve gained access to a machine, remember that the provisions won’t protect you if you decide to exfiltrate data, install persistence, pivot to other systems or do anything else nefarious; prove the issue and stop.
This all sounds like pretty basic stuff, but it’s the scope and rules that define the legality of the program, including the protections you need in order to act as an independent researcher.
It’s important to understand this clearly, as moving beyond the scope moves your research into black hat, illegal territory.
It’s also important to understand what companies are trying to achieve with programs like this, and that’s an improved security posture. Your research must deliver value to both the organisation and the wider bug bounty program by contributing to that posture.
This means that the best bounty payouts go to researchers with a demonstrable impact on security: vulnerabilities that pose a real risk to users or the organisation, reported clearly enough to be reproduced and fixed. Denial-of-service testing and social engineering are almost always out of scope, while misconfigured machines or services are in.
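As an added illustration (not code from this article or from any platform), here is a small pre-flight check that reads a program’s scope in the wildcard style HackerOne and Bugcrowd use and tells you whether a host or URL is fair game before you send a single request. The scope entries are constructed placeholders, and the rule that `*.example.com` covers sub-hosts but not the apex is an assumption, so copy the real entries and definitions from the program page you are working on:

```python
"""Pre-flight scope check for bug bounty targets.

Added example for this article, not code from HackerOne, Bugcrowd or any
program. The entries in EXAMPLE_SCOPE are constructed placeholders written in
the wildcard style those platforms use ("*.example.com"); copy the real
entries from the program page you are working on instead.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass
class Scope:
    in_scope: list[str] = field(default_factory=list)
    out_of_scope: list[str] = field(default_factory=list)


def host_of(target: str) -> str:
    """Reduce a bare hostname or a full URL to a lower-case hostname."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit parse "host:port/path" forms
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"no hostname in {target!r}")
    return host.lower().rstrip(".")


def matches(host: str, pattern: str) -> bool:
    """Match one host against one scope entry.

    Assumption: "*.example.com" covers sub-hosts only, not the apex domain.
    Programs differ on this, so check the program's own wording.
    """
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # ".example.com" suffix: at least one label must precede the base
        return host.endswith(pattern[1:])
    return fnmatchcase(host, pattern)


def check_target(target: str, scope: Scope) -> tuple[bool, str]:
    """Exclusions win: a host listed out of scope stays out even when an
    in-scope wildcard would otherwise cover it. Unlisted hosts are out."""
    host = host_of(target)
    for pattern in scope.out_of_scope:
        if matches(host, pattern):
            return False, f"{host}: excluded by out-of-scope entry {pattern!r}"
    for pattern in scope.in_scope:
        if matches(host, pattern):
            return True, f"{host}: covered by in-scope entry {pattern!r}"
    return False, f"{host}: not listed in scope, do not test"


# Constructed placeholder scope, not a real program's assets.
EXAMPLE_SCOPE = Scope(
    in_scope=["www.example.com", "*.api.example.com", "app.example.net"],
    out_of_scope=["staging.api.example.com", "*.internal.example.com"],
)

if __name__ == "__main__":
    candidates = [
        "https://v2.api.example.com/users",
        "staging.api.example.com",
        "WWW.EXAMPLE.COM",
        "example.com",
        "http://old.internal.example.com:8080/",
    ]
    for t in candidates:
        ok, why = check_target(t, EXAMPLE_SCOPE)
        print("TEST" if ok else "SKIP", why)
```

Scope restricts what you do as well as where you do it: a host passing this check still doesn’t license denial-of-service testing, social engineering or anything else the rules of engagement exclude.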

Data Control

Given that we opened the article by talking about Dorking, it’s worth touching on the concept again before we close.
If Dorking is your first step into bug bounty, you’ll soon realise there’s a very real chance that somewhere along the way you’ll uncover something that shouldn’t be exposed. It’s at this point that you’ll have to decide what type of researcher you want to be.
Ethical researchers recognise that even though the machine is part of an active VDP, they still have an obligation to protect the sensitive data on it. So, while you should gather enough evidence to report the flaw, you should also protect the sensitive information you come across: collect the minimum needed to prove the issue, don’t download or copy datasets, and redact personal data and credentials from your report and notes.
Carrying out your research with a “do no harm” approach is the best way to stay within these guidelines.
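One practical way to keep to the “do no harm” rule is to scrub evidence before it leaves your machine. The following is an added example for this article, not a tool from any bounty platform; its patterns are illustrative rather than exhaustive and the sample request line is constructed. Each matched value is replaced by a short SHA-256 fingerprint, which lets the program’s triage team confirm you saw a real credential without the value itself ending up in the report:

```python
"""Redact sensitive values from evidence before it goes into a report or notes.

Added example for this article, not a tool from any bounty platform. The
patterns cover a few common value types and are illustrative, not exhaustive;
SAMPLE_EVIDENCE is a constructed line, not real data. Each secret is replaced
by a short SHA-256 fingerprint so the program can confirm what you saw without
the value itself being stored or transmitted.
"""
import hashlib
import re

# (kind, pattern, index of the group holding the secret; 0 = whole match).
# Most specific first, so a generic pattern does not partly consume a value.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("jwt", re.compile(
        r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"
        r"(?![A-Za-z0-9_-])"), 0),
    ("email", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"), 0),
    ("password_param", re.compile(r"(?i)\b(password|passwd|pwd)=([^&\s\"']+)"), 2),
]


def fingerprint(value: str) -> str:
    """12 hex chars of SHA-256: enough for triage to match, useless to recover."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def redact(text: str) -> tuple[str, list[dict]]:
    """Return (redacted text, findings); each finding is {"kind", "sha256_prefix"}."""
    findings: list[dict] = []
    for kind, pattern, group in PATTERNS:
        def replace(m, kind=kind, group=group):
            secret = m.group(group)
            fp = fingerprint(secret)
            findings.append({"kind": kind, "sha256_prefix": fp})
            placeholder = f"[REDACTED:{kind}:{fp}]"
            # keep the parameter name so the request stays readable
            return f"{m.group(1)}={placeholder}" if group == 2 else placeholder
        text = pattern.sub(replace, text)
    return text, findings


SAMPLE_EVIDENCE = (  # constructed request line, not real data
    "GET /account?user=alice@example.com&password=hunter2 "
    "x-api-key=AKIAIOSFODNN7EXAMPLE"
)

if __name__ == "__main__":
    out, found = redact(SAMPLE_EVIDENCE)
    print(out)
    for f in found:
        print(f)
```

Run the real response through it before pasting anything into a report, and broaden the patterns to whatever the target actually leaks; a regex set you haven’t checked against the evidence is no protection at all.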
If you aren’t at the stage where you want to tackle bug bounty, you can find a large assortment of training resources via TryHackMe and Hack The Box.
Happy hunting!
Enjoy this blog? Subscribe to Investigator515