100 (very) short bug bounty rules:
1/ Spend at least 30 minutes on a new target
2/ Look for “No”s
3/ Use Italics Tags in your inputs instead of XSS payloads
4/ Focus on SaaS apps that are multi-tenant
5/ Buy Burp Pro
2/ Look for “No”s
3/ Use Italics Tags in your inputs instead of XSS payloads
4/ Focus on SaaS apps that are multi-tenant
5/ Buy Burp Pro
6/ On a new target go straight to the User Management section
7/ See if inviting an existing user to your org exposes their name
8/ See if inviting an existing user removes them from their own org
9/ If the scope has a wildcard, use sub finder to find subdomains
7/ See if inviting an existing user to your org exposes their name
8/ See if inviting an existing user removes them from their own org
9/ If the scope has a wildcard, use sub finder to find subdomains
10/ Run HTTPX on the list of subdomains to narrow down alive targets
11/ On an app you’re not familiar with, use it like a normal user first
12/ If the docs say you can’t do X, but you can do X then you have a bug
13/ Use match & replace rules to find new endpoints
11/ On an app you’re not familiar with, use it like a normal user first
12/ If the docs say you can’t do X, but you can do X then you have a bug
13/ Use match & replace rules to find new endpoints
14/ Budget time into your week specifically for hacking
15/ Give yourself a no-bug time limit. I do 3 hours.
16/ Go back to old dupes and see if you can still reproduce.
17/ Look for “+2” in your reputation log to find dupes that should be now.
18/Ask for help from other hackers
15/ Give yourself a no-bug time limit. I do 3 hours.
16/ Go back to old dupes and see if you can still reproduce.
17/ Look for “+2” in your reputation log to find dupes that should be now.
18/Ask for help from other hackers
19/ Make your report a conversation, not a sales pitch
20/ Accept & expect that dupes will happen
21/ File & Forget
22/ If an endpoint has “api/v2/“, try “api/v1/”
23/ If an endpoint has “api/v2”, try removing the “v2” altogether
20/ Accept & expect that dupes will happen
21/ File & Forget
22/ If an endpoint has “api/v2/“, try “api/v1/”
23/ If an endpoint has “api/v2”, try removing the “v2” altogether
24/ 6 $1000 Mediums pay more than 1 $5,000 crit. Don’t ignore any bugs
25/ Lows are still bugs that should be filed
26/ Be kind to your triager
27/ Say “thank you” when you get a bounty
25/ Lows are still bugs that should be filed
26/ Be kind to your triager
27/ Say “thank you” when you get a bounty
28/ If an app uses UUIDs, you can still look for IDORs. Just set “AC:H”.
29/ If UUID IDORs exist, then look for an endpoint that exposes UUIDs
30/ Pin your success on whether your followed your plan, not if you found bugs
29/ If UUID IDORs exist, then look for an endpoint that exposes UUIDs
30/ Pin your success on whether your followed your plan, not if you found bugs
31/ A program that has a lot of hackers doesn’t mean there isn’t low-hanging fruit
32/ Going deep _will_ payoff
33/ Working with new hackers will payoff in dividends
34/ Don’t be jealous
32/ Going deep _will_ payoff
33/ Working with new hackers will payoff in dividends
34/ Don’t be jealous
35/ Bug Bounty income isn’t consistent. Be okay with peaks & valleys for your own sanity
36/ If you find a bug that’s OOS, still ask the customer if they care
37/ There’s no end. Enjoy the journey
38/ Have a hobby that’s not related to hacking
36/ If you find a bug that’s OOS, still ask the customer if they care
37/ There’s no end. Enjoy the journey
38/ Have a hobby that’s not related to hacking
39/ Have friends that don’t hack
40/ Figure out what time of day you hack the best. Late nights aren’t for me.
41/ Spend that extra 2 minutes to make your report look/read nice
42/ “Subscribe” to programs that pay well and have good scope
40/ Figure out what time of day you hack the best. Late nights aren’t for me.
41/ Spend that extra 2 minutes to make your report look/read nice
42/ “Subscribe” to programs that pay well and have good scope
43/ Don’t whine on Twitter about a single report. Or at all for that matter.
44/ IDORs and Privilege Escalations are a great place to start
45/ Unmet expectations lead to disappointment
46/ Teach someone else how to hack
47/ Time spent reading/learning is time-well spent
44/ IDORs and Privilege Escalations are a great place to start
45/ Unmet expectations lead to disappointment
46/ Teach someone else how to hack
47/ Time spent reading/learning is time-well spent
48/ Focus on programs that you actually use in your day-to-day
49/ Establish a relationship with the program
50/ Try asking the program what types of bugs they want to see
51/ Look at a programs leaderboard to see who you should collar with
49/ Establish a relationship with the program
50/ Try asking the program what types of bugs they want to see
51/ Look at a programs leaderboard to see who you should collar with
52/ When collaborating, an even bounty split eliminates hassle
53/ Take a break when you stop having fun
54/ At an LHE, start hacking ahead of time
55/ Look for programs that are active in resolving reports
53/ Take a break when you stop having fun
54/ At an LHE, start hacking ahead of time
55/ Look for programs that are active in resolving reports
56/ Look for programs that haven’t awarded a lot recently
57/ Look for programs that have collaboration enabled
58/ Look for programs that don’t list out a bunch of known issues
59/ Look for programs that have a history of adding new scope
57/ Look for programs that have collaboration enabled
58/ Look for programs that don’t list out a bunch of known issues
59/ Look for programs that have a history of adding new scope
60/ Change your strategy if you’ve gone a while without a finding
61/ If you’re on a roll, keep doing what you’re doing
62/ But don’t let success keep you from evolving/growing
63/ Compare yourself against yourself from last year
64/ Maintain online presence for new opportunities
61/ If you’re on a roll, keep doing what you’re doing
62/ But don’t let success keep you from evolving/growing
63/ Compare yourself against yourself from last year
64/ Maintain online presence for new opportunities
65/ Be thankful for failure
66/ Read disclosed reports
67/ Focus on one program at a time. Cycle if you get bored.
68/ Don’t spray XSS payloads everywhere
69/ If possible, work at a company that has a BBP
66/ Read disclosed reports
67/ Focus on one program at a time. Cycle if you get bored.
68/ Don’t spray XSS payloads everywhere
69/ If possible, work at a company that has a BBP
70/ Spend bounty money on tools that will generate more bounties
71/ Budget a specific amount of your bounties for fun. And stick to it.
72/ When hacking a store, don’t be afraid to make small purchases
73/ Look for changes in JS files to know when there may be new functionality
71/ Budget a specific amount of your bounties for fun. And stick to it.
72/ When hacking a store, don’t be afraid to make small purchases
73/ Look for changes in JS files to know when there may be new functionality
74/ Look for references to subdomains in a company’s GH repos
75/ Look for references to subdomains in employee’s GH repos
76/ If the app uses Intercom, try booting it with another email
77/ Look for second-degree IDORs
75/ Look for references to subdomains in employee’s GH repos
76/ If the app uses Intercom, try booting it with another email
77/ Look for second-degree IDORs
78/ SSRFs exist when the app makes any external request. Look for these requests.
79/ Look for actuator endpoints
80/ Find hackers that hack differently than you.
81/ Try hacking in a different room of the house
82/ Try hacking at a different location altogether
79/ Look for actuator endpoints
80/ Find hackers that hack differently than you.
81/ Try hacking in a different room of the house
82/ Try hacking at a different location altogether
83/ If you find the same bug on different endpoints, file as different bugs
84/ Try always having some pending bugs in your pipeline
85/ Break your yearly bounty goal into monthly goals
86/ Know when a bounty isn’t worth fighting over
84/ Try always having some pending bugs in your pipeline
85/ Break your yearly bounty goal into monthly goals
86/ Know when a bounty isn’t worth fighting over
87/ Push back gently when a report gets downgraded
88/ Use the leaderboard as motivation, not as comparison
89/ Don’t re-invent the wheel when a tool exists
90/ Don’t be afraid to build the wheel if the tool doesn’t
91/ Try collabing in real time over video chat
88/ Use the leaderboard as motivation, not as comparison
89/ Don’t re-invent the wheel when a tool exists
90/ Don’t be afraid to build the wheel if the tool doesn’t
91/ Try collabing in real time over video chat
92/ Always ask why something works the way it does
93/ When collabing, don’t be afraid to be the underperformer
94/ When collabing, don’t get salty about being the oqerperformer
95/ Use mediation, but use it sparingly
96/ Be generous with your earnings
93/ When collabing, don’t be afraid to be the underperformer
94/ When collabing, don’t get salty about being the oqerperformer
95/ Use mediation, but use it sparingly
96/ Be generous with your earnings
97/ Hack for fun, not for a paycheck
98/ LHEs are a privilege, not an expectation
99/ Programs are your friend, not your adversary. Work with them
100/ The platform is your friend, not your adversary. Work with them
98/ LHEs are a privilege, not an expectation
99/ Programs are your friend, not your adversary. Work with them
100/ The platform is your friend, not your adversary. Work with them
• • •
Missing some Tweet in this thread? You can try to
force a refresh
