Who was I?
In 2013 I started taking an interest in Bug Bounty, or you can call it Beg Bounty (I'm not pointing this at Nakul 😀). Anyway, in the beginning I also reported bugs like the OPTIONS method, weak ciphers, the Secure cookie flag, or blah blah blah. 🙂 That was my start in taking my first steps in Information Security. But then something strange happened: I met some LEET (friends) 😀 who gave me a real understanding of information security, and I forgot about all the sh**y bugs I had reported and am ashamed of 😀. But it doesn't end here. 🙂
Who am I now?
After learning about Information Security in depth with the help of OWASP, Google, friends and YouTube. OWASP is a great place to take your first steps in Information Security, and their OWASP Guide V4 is just awesome. I started taking an interest in networking, web applications, exploit development and my favourite, radio frequencies. Now I provide penetration testing services to private companies, and they are better than others 😀
Bug Bounty Future?
Many of you will not agree with this, but everyone has a different point of view. So the first thing I want to make clear is that there is a big difference between a Bug Bounty Program and a Bug Bounty Platform. Platforms like Bugcrowd, Hackerone, Cobalt and Vulbox, I love these platforms. But bounty programs don't treat the researcher well.

There are two types of people who report vulnerabilities: people like me, NOOBs (beginners), and professionals. So now the problem is this: if a NOOB finds a vulnerability and doesn't know how to write a report, he just copies and pastes the information from OWASP, which is the right thing to do if so. But the program manager sees the report as a vulnerability scanner report and just marks it as WON'T FIX or N/A, whereas when the same vulnerability is reported by some professional researcher with a hand-written report, they give him a green flag. I tried the same thing with a program (I don't want to mention the name): I reported the same vulnerability from two different accounts, one with a copy-paste report and one with a hand-written report, and guess who got the reward? Ah, you know. 🙂

I just want to tell them: give these people a chance and tell them how they can improve their skills, and if you don't do this, then I'm afraid there is no future for you guys.
Live Example:
This is what happened to me: I reported a bug to Heroku, something related to their ColdFusion admin panel. They fixed the bug and closed my report as Not Applicable.
Here are some screenshots of the bug.
I reported this bug a year ago, and under the disclosure policy we can disclose a bug after 90 days.
Ch. Muhammad Osama