This is a presentation which talks about how to do well in Bug bounty programs. The slides explain few best practices suggested by top best bug hunters around the world. For further details about the presentation/suggestions feel free to contact @abhijeth.

1. How to do well with Bug
bounties?
-- ABHIJETH D

2. Agenda
 Introduction
 Finding the right target
 Information gathering
 Approach to discover vulnerabilities
 Using various vulnerability scanners
 POC writing
 Few sample potential RCEs
 Annnd thennnnnnn bug hunting

3. www.abhijeth.comwww.null.co.in@abhijeth
@nullhyd
Hello
Time to brag:
Security Consultant at TCS for bread and
butter
Love speaking and training
Got lucky with Google, Y!, Microsoft,
Twitter .. Etc
Love anime and politics !!
Trying to contribute to the security
community and start-ups in Hyd.
 Abhijeth Dugginapeddi
 www.abhijeth.com
 @abhijeth
 Fb.com/abhijethd

4. What is a bug
bounty program
YOU FIND A VULNERABILITY
DO SOME R&D
GET FREE T SHIRTS
FREE SWAG
MOST IMPORTANTLY EARN
SOME BOUNTY
“HALL OF FAME”

5. ”
“Why do companies run such
programs
ARE THEY DUMB TO PAY HACKERS??
Free publicity
Cost efficient
Improve security

6. Where to get the list !!!

7. Lets start …!!
 How do we start ?? Which hall of fame do you want to get into ?

8. Lets test google.com

9. The road not taken
 Start with easier sites
 Find sites which were not tested by many
 New bug bounty program
leads to better success
 Find the right domain to find a bug.

10. Finding sub.sub.sub.domain
It is always important to find a sub domain

11. They say ..!!! BBP is all about XSS

12. A better approach
 Mixed content
 Click Jacking
 Logical by pass
 Bruteforce
 Directory Listing
 Open redirects
 And When don’t “pay” don’t invest much time!! Remember even a CJ
can give you a HOF

13. Few Tips
 Next time you get a single vuln in diff domains, make sure you submit
"individual" reports.
 It is always important to find the “right” domain to attack
 A right sub domain can give you a HOF in less than an hour
 Understand the logic before you start your magic
 It is very very very important to write a neat POC.
 Presentation skills do matter!!!

14. My Dupe Stories….!! 
First Magento

15. Then Facebook and Yahoo

16. Even Google

17. What do you realize??

20. Special Thanks
Harsha Vardhan
Boppana
For sharing his secrets
Gineesh George
In office, fortunately the only guy
who can “hack”
Lalith and Varun
Kakumani
My partners :D

21. Thanks a lot
dabhijeth@yahoo.co.in
www.Abhijeth.com
@abhijeth
Facebook.com/abhijeth