Selecting A Program for Bug Bounty on HackerOne

the_unlucky_guy

Hello hackers, welcome back to my new article. This article is focused purely on selecting a program for bug bounty on the HackerOne platform. I will try to keep this article short.

On HackerOne there are more than 300 public bug bounty programs. Selecting a good program, one that will give a fruitful result, is one of the first steps before the actual hunting. I have seen hackers spending more time selecting a program than hunting on it. I will try to reduce the time you spend selecting programs by using the matrix below. So let’s get started.

Scope

The scope of the target is one of the most important aspects of any bug bounty program. If the scope is large or includes wildcard domains, there is more area to look for vulnerabilities. When selecting a program, below are the key points for scope:

  • Program with wildcard domains, multiple domains, or multiple wildcard domains.
  • Program with self-registration, or with a demo account if credentials are not provided.
  • Program with many features: the more features, the more potential vulnerabilities.
  • Program with role-based access. This opens a wider area for Broken Access Control vulnerabilities.

(Image: scope example)

Bug Stats

Vulnerability stats indicate how many hackers are active on the program. Below are the key points for stats:

  • Reports received | 90 days (I usually prefer around 20 reports for a program with a single domain)
  • Bounties paid | 90 days
  • Total bugs reported
  • Percentage of vulnerabilities reported, broken down by scope.

If a program has multiple domains, multiple features, or role-based access, and only around 20 reports were received in the last 90 days, then there is a high chance that you will find a valid vulnerability.

Response Time

The response time of the program also plays a vital role. If the program is slow to respond while hunters are actively hunting on it, the chances of getting a duplicate are high. I mostly prefer the matrix below:

  • First response/triage should be within 1–2 days.
  • Time to bounty should be between 5–10 days.
  • Some programs provide partial bounty on triage.
  • Some programs provide full bounty on triage.

Bounty Table

The bounty table should be at least average, i.e., not too low. If the program pays a low bounty for high-severity issues, it may not justify the time you have spent on the program; this varies from hacker to hacker. The bounty should reflect the time you have spent on the program or on finding the issues. I mostly prefer the bounty ranges below:

  • Low — $150–$250
  • Medium — $500–$750
  • High — $1500–$2000
  • Critical — $3000+

You can also hunt on programs with a lower bounty table. For example, some programs pay $1000 for Critical, $500 for High, $250 for Medium, and $100 for Low; most hackers decide not to hunt on those programs because the bounty amounts are low.

Once you are done selecting the program to hunt on, I suggest you spend at least 7–10 days on it, depending on the functionality and features of the application. If you don’t find any security vulnerability, you can move on to another program, but keep checking the previous program at intervals of 1 week, as code changes and features are developed daily.

The numbers in the matrix provided in this write-up are based on my own analysis and the way I select a program to hunt on.

Thanks for reading. Do clap and share if you like. Sayonara and Happy Hacking!

Twitter: 7he_unlucky_guy


Written by the_unlucky_guy

Security Engineer | Never Forgive Never Forget