The Bug Bounty Hunter’s Manifesto
Hacking skills for bug bounty hunting will only be used in bona fide bounty programs that are announced and run by the
The objective is to search for organizations that announce and provide a professional and transparent ecosystem for carrying out security testing, reporting and payments, while indemnifying the tester from any legal or other action(s).
Permission will be obtained from the organization that has announced the program. If there is no requirement to seek permission, the intent to test may be communicated.
At the very least, a record of start date, end date and access times will be maintained and may be shared with the organization if
One's skills will not be used in any unauthorized tests or searches for security bugs / vulnerabilities / weaknesses.
A vulnerability will be exploited ONLY for the purpose of getting a screenshot of the extent of penetration into the organization's
Any and all testing will be non-destructive.
- This means that once the vulnerability has been exploited nothing will be changed on the internal systems which have been accessed.
- This includes data at rest in databases or in motion, as in transactions or as it is being created. The proof-of-concept "may" show evidence of change but the change will not be committed.
- Also any payload like an executable program or infected documents delivered directly or through any other means.
- Making changes in source code of programs running on the organization's infrastructure or in documents stored on the systems to which access has been obtained.
- If a link leads to a third party this will not be tested and will be considered the boundary at which any exploit or penetration will be
No data or documents will be copied from any of the vulnerable systems on which access has been obtained during the course of searching for bugs and vulnerabilities.
The 'hunt' will not be restricted to technical issues, as we are aware that we may also discover logic issues which (usually) lead to risks of infrastructure compromise.
If a website is available, the bug hunting methodology and approach will be published on it, and this will be communicated to the bounty program organizer company.
Third party websites or infrastructure will not be tested, even if included in the scope, in the absence of explicit permission from the party concerned.
No testing will be done for "information" or "knowledge enhancement" purposes, as this is a professional activity and one expects to earn from the same.
Payments as per the payout norms of the organizing company will be accepted without dispute.
Any bug / vulnerability / issue that is reported under a bug bounty program will be released in public only after it has been repaired by the affected organization. This will be done only if the organization has no objection to the public disclosure.
Once a bounty program has been closed the systems will not be revisited for personal gain or any other reason.
Any and all knowledge and discoveries made during the course of the bounty hunt will be considered confidential between the hacker and the organization and will not be disclosed to any other person or entity.
In the event of the discovery of any unlawful activities or information, the same will be disclosed to the appropriate law enforcement
No backdoors or trojans will be injected into the host system that is being tested to provide any means of re-entry or exploitation once the bounty program is completed.
A Little Bit for the Organizations too:
If you are a company intending to run a bug bounty program, there are a few rules you must include in your plan / program for the same. Some of these guidelines are provided here and, if followed, will help make your program hacker friendly and provide you with all the benefits that are expected to result from a bug bounty
- Provide contact information of the responsible person (email and phone number at the very least). Also, this person must be responsive and be able to provide required information quickly to
- Provide clear instructions about the program, with start and end dates along with the specification of the overall surface that is opened for testing (IP addresses, domain names), and the type of tests and reports that are invited.
- Enumerate any exclusions, especially domains, IPs and applications that you may not want to be tested.
- A publicly available general indemnity must be provided online, carrying the signature of the legal officer, stating that the hackers have been invited to "test" the identified system(s) and that any and all responsibilities are with the organization.
- In respect of payment, transparent information must be available on the amount, the periodicity of release of funds, how payment will be released, tax deduction and liabilities.
- Let the world know if you are paying in cash, in kind, or in 'mentions' and a listing in your hall of fame.
- Clarify responsibility for minors who are participating in the program and make payment claims against reported bugs and
- Declare the amount of time required to repair the bugs / vulnerabilities that are reported, and communicate the repair to the hacker who reported it.
- State whether it is okay with you to allow the hacker to publish the issue in public after it has been closed.
This document is a creation of securians.com and is released in the public domain under Creative Commons License (Attribution-Noncommercial 2.5
Disclaimer: The practices listed in the document are provided as is and as guidance, and the authors do not claim that these comprise the only practices to be followed. Readers are urged to make informed decisions in their usage. Feedback is solicited and you can access other topics at our website www.indiawatch.in
Contributors: Dinesh O Bareja
Title: Keep Your Laptop Safe Version: 1.0 / August 2013