The Bug Bounty Dance

Starting with the update: I finally made myself some money with my first ever bug bounty. It was a simple logical flaw that was rewarded. I was, of course, very happy. I had dinner with my parents in a good restaurant, bought a backpack for my new laptop computer, kept some of the cash and gave the rest to my mom and dad, equally.

Bug bounty isn’t new to me. I have been living in a community where it was not uncommon to read about one friend or another getting rewarded a bounty, every other day. As far as I remember, things were not like this in my early days. I started interacting with people in cyber security in early 2011. At that time, there were no bug bounty hunters. Some of us were into defacing websites and getting root on web servers for the fun of it. Others were more into blogging about the same. Blogs written on hacking tutorials, news updates and tool guides were a dime a dozen. In fact, that was the only way in which most of the amateur pentesters could make some money out of their knowledge (see AdSense and link exchange).

I miss the old friends, the ‘Killerz Hackerz Zone’ group we had on Facebook, where we had some helpful people, who used to guide everyone when needed, and were excellent people to talk to. A particular friend I remember had the handle ‘Dexter India’. He was virtually my brother. There were others too, teaching and learning from each other. After a while, I was made admin of that group, which was, for me, something extraordinary. I learnt a lot from people there, about what a hacker really is, and most important of all, how to keep digging to get what we want. There was this thing written in the group’s description that read “Don’t be smart, be sincere. Then you’ll become a hacker”. A simple statement, but how true it was. It was from that time on that sincerity towards oneself became a goal in my life. Learn, not for family, nor friends, nor in the least for society, but for yourself.

Then there were cyber wars, defacements of thousands of sites, which included the top government ones. My group vanished. Friends, whom I knew only by their handles, fell off the grid. I never got to hear from them again, to this day. At some point around late 2012, everyone realized at once that these cyber wars weren’t helping anybody. It stopped, and the age of hunting bugs for bounty and hall of fame began. It was something new altogether. Spend your time and skills finding bugs and shortcomings in sites that offer to pay for the bugs you report to them. The payouts are usually quite high, and if done consistently, much higher than what the average engineering and business school joe gets as a salary.

This triggered a race between researchers, which for most of them somehow got converted from finding the deepest flaws to finding the hidden low-hanging fruit that makes a quick buck and takes less time to find. Suddenly, it wasn’t about the skills one had. It was all about who found it first; whoever did got the bounty. And when a simple bug gets you around US$500, with critical ones going well over a few thousand, there was no reason not to invest time in this new business.

But I didn’t. I simply lacked the guts and determination to test an application thoroughly. Maybe it was the skills that I didn’t have. Whatever it was, I always used to get excited reading about bounties. It was raw money, for your time. I had, at times, tried to test an application, but never succeeded. Maybe that’s why I moved from web security to web development. Right up my alley.

Then later, in July this year, my mate Kunal got rewarded for a cross-site scripting bug he found in a popular social network. It was a respectable sum of money, which he used to build his own PC. You know the thing with money? You don’t fall for its greed until you see the possibilities that arise from having a good sum of money in your pocket. No one wants to just have loads of cash. It is the things you can do with it that make you want it. Similar was the case with me. I needed funds to fulfil some of my long-term materialistic dreams. That was the sole motive behind ‘researching’. No, it wasn’t to learn or anything, or to test my skills (giggles), it was just pure greed, which I have now tasted. Although not an awful lot, it was enough to get me a few things. Now I crave more. Suddenly, the needs have increased. Branded bag, a prestigious phone, ultrabook. Damn.

The quote is still stuck in my mind. I miss those days badly.

Don’t be smart, be sincere. Then you’ll become a hacker
