Bug Hunting

Bug Bounty Platforms

This topic contains 3 replies, has 2 voices, and was last updated by Don Donzal 3 weeks, 2 days ago.

  • #169225
     Don Donzal 
    Keymaster

    In addition to the many independent bug bounty programs run by organizations themselves, there are a few companies that specialize in creating those programs for them and recruiting hunters to be a part of their platform, a.k.a. Crowdsourced Cybersecurity Platforms. Those include:

    Bugcrowd
    HackerOne
    SynAck

    Please list any others that we missed as well as your experience with any of them.

    Thanks,
    Don

  • #169287
     Don Donzal 
    Keymaster

    Couple more:

    Intigriti
    FireBounty

    Don

  • #169590
     sh4d0wman_eh 
    Participant

    Hi Don,

    I have submitted some bounties to various platforms over the past years. Here are a few more for the list:

    ZDI
    SSD Beyond Security
    Zerodium

    Let me also give some input on the various programs:

    Both HackerOne (HO) and Bugcrowd (BC) are a good fit for penetration testers, and I would suggest watching the talks of Jason Haddix to get an idea of the focus areas. It mostly deals with web-app and network-level vulnerabilities, although there are some customers who look for expertise in IoT, mobile and/or desktop applications. Make sure to read the scope and do not violate the terms… Payments are in either Bitcoin (HO) or USD/bank transfer (BC).

    ZDI, SSD and Zerodium focus on vulnerabilities in common enterprise-level software and IoT/SCADA/automation. See the advisories listed on ZDI for an idea of accepted vulnerabilities and target software. A large percentage are memory safety issues, which will require decent fuzzing, RE and triage skills. On the web-app side, injections and AA issues are not uncommon… Zerodium needs a full working exploit; ZDI and SSD might accept a PoC if clearly written.

    Happy hunting 🙂

    • #169607
       Don Donzal 
      Keymaster

      Good stuff. Thanks for sharing.

      Jason also preaches that the more details and spelled-out consequences a submitted report contains, the better the chance of getting paid (and of getting paid more). Is this your experience as well?

      How’s the $$$$?

      Don

Copyright ©2018 Caendra, Inc.
