Okay, I'm doing a bunch of learning and I am seeing small, slow improvement. I'll not be stopping the education but what's next? Well, I decided to see what I could do about bug bounties. It's a very scary move for me because it still seems unfathomable that I could even make money doing it. There's a lot of fears, I don't know much, there's better people out there, there's so may people doing it now that there's no WAY I'll find a bug and even if there is one to be found, someone better educated than me will for sure find it first...
All that is being put aside for a moment... which is also scary.
Step 1 : Signing up for bounty sites.
Okay this one should be pretty easy - just sign up for the site! I've decided to start with just one - bugcrowd.com . The site was easy to sign up to but I'm still not sure what to do. They seem to have some good resources so let's dig into the videos and such that show up as links when you first login. There's also a discord chat, so let's do that too.
Takeaways:
Set sustainable small habits that you can do easily so you don't fail and give up (say 1 hour a day doing bounties).
Build out automation (Write a python wrapper that runs the binary then stores the results)
Scalable, searchable storage (store the data you get) - relational databases
notification on found items - slack API, how you want to be notified - batch's, actual vulns found, different channels depending on what's found
nuclei project discovery for probing automation - be sure to build it out with custom things (everyone can't search for the same thing)
Add threading to automation, use multiple systems as well (rabbitmq, axiom, Kubernetes)
Collaborate and share knowledge and experience in community areas
Make sure you understand the fundamentals (TCP/IP, networking, how the internet works)
Hack where there's less competition (new programs, automate detection of new systems up, automations of existing systems that had a change)
Be creative, be healthy so you're always on point
Resources:
(457) The Bug Hunter's Methodology v4.0 - Recon Edition by @jhaddix #NahamCon2020! - YouTube
The Web Application Hacker's Handbook 2nd Edition
Follow other hackers (twitch, twitter, etc)