Page 39 - Hands-On Bug Hunting for Penetration Testers

Choosing Your Hunting Ground    Chapter 2

These swag-only programs are generally where you should start if you're just beginning your journey. Hacking Google, Facebook, or Amazon will guarantee you a big payout if you succeed, but they already have such large security teams and so many bug report submissions from independent researchers that it'll be hard for someone just starting out to find anything on their first try, much less something that hasn't already been reported.


The Internet Bug Bounty Program

The Internet Bug Bounty Program (IBBP) inhabits something between a third-party marketplace and an individual effort. The IBBP is a not-for-profit funded by big tech contributors such as Microsoft, Adobe, Facebook, and GitHub, for the purpose of protecting the integrity of core internet services. The technologies covered under their reward program are diverse, with languages (Perl, Ruby, PHP), application frameworks (Django, Ruby on Rails), servers (NGINX, Apache HTTP) and cryptographic tools (OpenSSL) all covered.

While this work is focused primarily on pentesting web applications as opposed to their more fundamental components, the IBBP is a great resource to keep in mind as your skills advance. The IBBP has been responsible for awarding payouts for some of the most high-profile bugs in the last decade, such as Heartbleed ($15k), ShellShock ($20k), and ImageTragick ($7.5k).



ZeroDisclo and Coordinated Vulnerability Disclosures


If you've discovered a serious, high-profile vulnerability affecting critical services on a large scale, it's important to be aware of certain quirks about coordinated vulnerability disclosures.

Coordinated vulnerability disclosure is a set of protocols around report submissions that describe a process where the reporter of a vulnerability, the vendor of the component containing the vulnerability, and any third parties (including other companies that use those vulnerable components) come together to coordinate on fixing the issue and disclosing its existence to the general public.

[ 24 ]