Bug Hunting

Bug Bounty Platforms

    • #169225
      Don Donzal
      Keymaster

      In addition to many independent bug bounty programs run by organizations themselves, there are a few companies that specialize in creating those programs for them and recruiting hunters to be a part of their platform AKA Crowdsourced Cybersecurity Platforms. Those include:

      Bugcrowd
      HackerOne
      SynAck

      Please list any others that we missed as well as your experience with any of them.

      Thanks,
      Don

    • #169287
      Don Donzal
      Keymaster

      Couple more:

      Intigriti
      FireBounty

      Don

    • #169590
      sh4d0wman_eh
      Participant

      Hi Don,

      I have submitted some bounties to various platforms over the past years. Here are a few more for the list:

      ZDI
      SSD Beyond Security
      Zerodium

      Let me also give some input on the various programs:

      Both HackerOne (HO) and Bugcrowd (BC) are a good fit for penetration testers, and I would suggest watching the talks of Jason Haddix to get an idea of the focus areas. It mostly deals with web-app and network-level vulnerabilities, although there are some customers who look for expertise in IoT, mobile and/or desktop applications. Make sure to read the scope and do not violate the terms. Payments are in either Bitcoin (HO) or USD/bank transfer (BC).

      ZDI, SSD and Zerodium focus on vulnerabilities in common enterprise-level software and IoT/SCADA/automation. See the advisories listed on ZDI for an idea of accepted vulnerabilities and target software. A large percentage are memory safety issues, which will require decent fuzzing, RE and triage skills. On the web-app side, injections and AA issues are not uncommon. Zerodium needs a full working exploit; ZDI and SSD might accept a PoC if clearly written.

      Happy hunting 🙂

      • #169607
        Don Donzal
        Keymaster

        Good stuff. Thanks for sharing.

        Jason also preaches that the more details and spelled-out consequences a submitted report contains, the better the chance of getting paid (and the more you can get). Is this your experience as well?

        How’s the $$$$?

        Don


Copyright ©2020 Caendra, Inc.
