Page 33 - Hands-On Bug Hunting for Penetration Testers
Choosing Your Hunting Ground Chapter 2
The company also provides a useful service where, every time you log in, Bugcrowd will
set aside a relay email address for you at <username>@bugcrowdninja.com for the next
30 days. Sometimes program guidelines will ask you to create a testing account using this
email so the participating company can monitor researchers, but regardless, they're a great
resource. Because it's a Gmail service, you can also change the address if you need to spin
up multiple accounts (for example, <username>+test1@bugcrowdninja.com and
<username>+test2@bugcrowdninja.com).
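The "+tag" trick above is ordinary Gmail plus-addressing, which means every alias still lands in the same relay mailbox. The following added example (not code from the book) builds such aliases and normalises them back to their base address, which is the check a program owner who is "monitoring researchers" would run to recognise several test accounts as one person; the sample addresses are constructed.

```python
# Added example, not from the book: build Gmail-style "+tag" aliases of a
# relay address and fold any alias back to its base mailbox.
import re
from typing import Dict, List, Optional

RELAY_DOMAIN = "bugcrowdninja.com"  # relay domain described in the text
_SAFE = re.compile(r"[A-Za-z0-9._-]+")


def relay_alias(username: str, tag: Optional[str] = None) -> str:
    """Return <username>[+tag]@bugcrowdninja.com; the tag is optional."""
    if not _SAFE.fullmatch(username):
        raise ValueError(f"unexpected characters in username: {username!r}")
    if tag is not None and not _SAFE.fullmatch(tag):
        raise ValueError(f"unexpected characters in tag: {tag!r}")
    local = username if tag is None else f"{username}+{tag}"
    return f"{local}@{RELAY_DOMAIN}"


def canonical_mailbox(address: str) -> str:
    """Strip the +tag and lower-case the address so aliases compare equal.

    Dot-folding is deliberately not applied: ignoring dots in the local part
    is a gmail.com rule and is not guaranteed for a hosted domain.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    base = local.split("+", 1)[0]  # everything after the first '+' is the tag
    return f"{base}@{domain}".lower()


def group_by_researcher(addresses: List[str]) -> Dict[str, List[str]]:
    """Map each canonical mailbox to the aliases that were seen for it."""
    groups: Dict[str, List[str]] = {}
    for addr in addresses:
        groups.setdefault(canonical_mailbox(addr), []).append(addr)
    return groups


if __name__ == "__main__":
    # Constructed sample: three aliases of one researcher plus one other.
    sample = [relay_alias("alice", "test1"), relay_alias("alice", "test2"),
              "Alice@bugcrowdninja.com", relay_alias("bob")]
    for mailbox, aliases in group_by_researcher(sample).items():
        print(mailbox, "<-", aliases)
```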
You can find a wide spectrum of businesses on Bugcrowd, covering every size and a
variety of revenue models. The targets trend towards web applications, but there is also a
smattering of mobile apps and the odd alternative listing.
HackerOne
HackerOne (https://www.hackerone.com) is a similar platform: it has its own point
system (reputation) and also calculates a variety of metrics that it uses as the basis for its
Leaderboard and for invitations to its own private programs.
Like Bugcrowd, it also has a bug bounty policy for itself: if you find a vulnerability in one
of its sites or apps, you're entitled to a reward. Interestingly though, you might still be
entitled to a reward even if you don't discover a bug. From their site:
"HackerOne is interested in your research on our systems, regardless of whether you
found a security vulnerability. If you have found yourself looking at a particular feature on
one of our assets but didn't find anything, please submit a report that describes all the
different things you tried and failed. We may reward you for substantial research
performed on assets under our bug bounty policy."
This is an unusual policy that still makes sense: providing a detailed list of everything you
tried is its own audit of the company's resources, even if it doesn't cover any vulnerable
areas.
HackerOne and Bugcrowd both have a similar breadth of different companies, with
different products, business models, and security needs. HackerOne does have a few
notable companies that are exclusive to its platform, most notably Twitter, but generally the
offerings are very similar.