This document provides an overview of bug bounty hunting. It discusses: - What bug bounty programs are and how they work - A brief history of major bug bounty programs from the 1990s to present day - Reasons to participate in bug bounty hunting like money, career opportunities, and enjoyment - Popular bug bounty platforms and programs - How to get started with the process of bug hunting - Tips for writing bug reports that document the issue and steps to reproduce it - Examples of past bug bounty finds, like an SVG XSS filter bypass and a tapjacking proof of concept

1. {
Bug Bounty
Play for Money

2. #Whoami

3. Shubham Gupta (@hackerspider1)
Just another random lazy guy interested in security
Security Consultant at Pyramid Cyber Security & Forensic
Bug Bounty Hunter
{Just do when I need money
BCA Graduate
{Doesn’t Matter
Penetration tester

4. Lucky Enough

7.  Introduction
 History
 Why bug hunting?
 How to do bug hunting?
 Quick Tips
 POC
 Pros and Cons of bug hunting.
 Q&A
Agenda

8. What is #Bug Bounty
• Also calls as VRP (Vulnerability Reward Program)
• Company (Security Team/Vendor)
Create Program.
Offer Cash , HOF , Swag.
Acknowledge Your Work.
• Researchers / Bug Hunter
Hit Target and Get Bugs.
Sometimes Duplicates , Sometime $$$ , Sometime Swag.
Recheck Bug After Fix.

9. A Brief History of Bug Bounty
Programs.
- 1995 (Net Scape)
- 2004 (FIREFOX)
- 2005
- 2007
- 2010 - 2011
- 2012 - 2013
-2013
(Cobalt)
- 2013
(Synac
k)

10. Why bug hunting?
 Chances of finding bugs to put on
your cv.
 Possibility of getting job.
 lots of money in very less time
 Cool T-shirts, Hoodies, Mugs and
many more swags
 Recognition
 Connections
 Less security breaches
 Enjoyment
 Person will Learn to work hard
because of Competition

11. Bug Bounty Programs And Platforms
• Popular Programs
- Google (Min 100$ & Max 20000$)
- Yahoo (Min 50$ & Max 15000$)
- Facebook Min 500$
- Want to know More
 Github
 Twitter
 Microsoft

12. Want Few More?
https://bugcrowd.com/list-of-bug-bounty-programs
https://hackerone.com/directory
https://cobalt.io/programs

13. Popular Platform
BugCrowd
Managed Security Program for Company
27125 World Wide Researcher
200+ Programs
HackerOne
Security Inbox for Company
133+ Public Program
6.91M Paid
Synack
Everyone Want To Join
Cobalt

14. How to kickoff for hunting bugs?

15. How to do bug hunting?
 Bug hunting is all about Exploring Weaknesses and
Experimentation.
 It requires 30% programming knowledge and 70% logical out
of box thinking.
 Try each and every Combination to exploit bug .
 Dig dipper.
 Try more to find logical bugs it will increase your chance for
higher payouts and reduce chances for Duplicates.

16. Quick Tips

17. How to Write Report?
Title
Issue Information
Step by step instruction to reproduce the bug
Impact
Mitigation

18. POC

20. Video Demo

21. Yahoo Xss Filter Bypass

22. SVG XSS
 One of the most unique bug of 2015 and easy to find.
 Most of the web based projects include svg for a clear and interactive user
experience.
 To verify this answer I created an svg file with an XSS vector below and started
testing the websites that allow images .

24. Live Demo of SVG XSS on BugCrowd

25. Tapjacking Live Demo POC Video

27. Thanks 
-My Nigga