NEW FROM ME: so i guess i hacked samsung?!
a short bug bounty write up on how i randomly stumbled onto samsung cloud infrastructure
it's not quite xz but at least my grandma knows what samsung is
(not an april fools bit)

Frustrated users crowdfund a $2,000 fix for Lenovo Legion ‘speakers not working properly’ error — bug bounty posted, coder wins the cash by fixing complex audio annoyance in just a month | Tom's Hardware
Six folks pledged lumps of cash to make it happen.
Big Tech pays out millions to helpful hackers each year.
Day 47: 100 Days of Infosec
My New Position as a Web Application Pentester
I was able to obtain this position through the power of LinkedIn. In The Ultimate Guide for Getting into Cybersecurity for Beginners, I explain how utilizing your LinkedIn account as a portfolio and network can help you get recognized. In my case, I took my own advice, and it allowed me to win this position. I was in Louisiana visiting for Christmas, and I had set my LinkedIn profile to be open for networking. During my last week there, a recruiter reached out to me about a position that involved hacking, knowing the OWASP Top 10, and remediating security holes; I was all in. Luckily, I had completed my remote six-month internship with Safer Internet Project while also working. Safer Internet Project taught me about penetration testing, exploiting different vulnerabilities, using various hacking tools, etc. As a result, I scored a remote opportunity with a reputable company within four months of their training. I highly recommend anyone interested in transitioning into an ethical hacking career check out Safer Internet Project. You won't regret it! Massive shoutout to David and Gareth for being incredible mentors and having the best live pentesting calls.
Chapter 1 & 2 Bug Bounty Bootcamp: Picking a Bug Bounty Program and Sustaining Your Success
I've been interested in bug bounty hunting for a few years now, and I wasn't sure where to start. It seemed like a taboo subject before I received Bug Bounty Bootcamp by Vickie Li from No Starch Press. The book begins in chapter one by detailing the different bug bounty programs and helping you pick the right one. A bug bounty program is a program a company runs that invites hackers to test the products or services it offers to the public. If a hacker finds a legitimate vulnerability, they can get paid a bounty or receive reputation points. HackerOne, Bugcrowd, and Intigriti are three bug bounty platforms on which hackers can find various programs. To find bugs on these platforms, most hackers use Burp Suite. This web application pentesting tool sits between your browser and the target site as an intercepting proxy, letting you inspect, modify, and replay the HTTP requests that make up the site's functionality. I have been completing labs on PortSwigger's Web Security Academy, a free resource from the makers of Burp Suite, to become certified in web app hacking. It also helps to know about web vulnerabilities, how different programming languages work, and web development to find bugs.
I've decided to participate in a VDP (Vulnerability Disclosure Program) to start. You don't get a bounty for VDPs; instead you earn reputation points, which get you access to more private programs as you become more skilled. These programs are also less competitive and can be used as a learning experience to talk to security engineers about improving your hacking skills. After picking a program and getting my first approved security bug, I'm going to continue to sustain my success so I can keep becoming a better hacker. Chapter two gives an excellent outline for beginner hackers on how to maintain their success in bug bounty and how to build a great relationship with the security team. Sustaining your success as a bug bounty hunter involves writing great security reports. A security report is a business document that helps companies keep their assets secure and potentially provides you payment for assisting them. It's best to make sure you have all of the recommended components of a security report and that it's clear and concise for your reader. Anyone can sustain success in bug bounty by knowing how to deal with conflict during payout disagreements and being professional throughout the entire process. Building relationships with security engineers, keeping your skills fresh, and knowing when to take breaks can help you continue to be successful as well. Participating in bug bounty is hard, and it may take me some time to find my first legitimate bug. However, nothing can stop me if I continue studying and applying what I'm learning. I have also been getting first-hand experience with a famous bug bounty hunter on Twitter. I have been providing help and insight on programs he's hacking on to get my feet wet while also learning new tools and hunting techniques. Soon I'll have enough knowledge to share with you guys.
Where is the Digital Empress Brand Going?
The Digital Empress is still here to stay. Instead of focusing so much of my energy outward and across different platforms to inspire and educate, I'll solely be here and on YouTube. I've decided to make my content more journey-focused rather than service-based. I've come to a point where I've gotten bored, and it's not enjoyable anymore. I want to go back to my roots and show you all what new skills I'm learning and the latest projects I create. I also want to own my content and not have a third party taking out a percentage just for hosting my products and content. One day I'll eventually move away from YouTube as well. The Discord and Buy Me a Coffee services are no longer accessible or active, and I'm back to #100DaysofInfosec. Having a baby also changed my perspective heavily on making this decision. Now that I'm a mother, I want to teach him everything I know and give him all the attention in the world. Hopefully, he'll be saying bug bounty and SQL injection by age two. Thank you all for sticking around this long to see me and my brand grow, and I plan to continue growing and reaching new heights. I'm so excited to share this new journey with all of you!
More Information:
100 Days of Infosec Twitter Thread:
Twitter Thread Associated With this Material
Start Your Career In Cybersecurity with my Ebook:
The Ultimate Guide for Getting Into Cybersecurity for Beginners Ebook
Cover Your MacBook and other webcams with my Cute Webcam Covers
Webcam Cover with Penholder (for MacBooks)
Regular Webcam Cover
Get Cute While Hacking with The Digital Empress Beauty
Digital Empress Ethanet La$hes
Digital Empress Innanet La$hes
Please note: Some of the links in this blog post are affiliate links. If you decide to purchase from any of the sites, I may earn a small commission at no extra cost to you. Any commissions will go towards The Digital Empress platform. Thank you so much for your support.
Multiple new CVEs discovered and disclosed! XSS, DoS and a weak password policy!
Tumblr Bug Bounty Revamp
Exciting news! It's been almost six years since we launched our Bug Bounty program and it has been amazingly successful. We've realized how instrumental you—the security community—are to keeping Tumblr a safe place for millions of people.
Over the years we’ve gone from a self-hosted submission form to a program under Verizon Media. Today, we’re announcing with great gratitude that our Bug Bounty program is available directly on HackerOne.
Again, a huge, huge thank you to everyone who has participated in our program so far and we look forward to working with all future reporters as well. We highly appreciate your honest submissions and hope that you will continue to send us any future discoveries you find =]
These features are new in PuTTY 0.71 (released 2019-03-16)
Security fixes found by an EU-funded bug bounty programme:
a remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification
potential recycling of random numbers used in cryptography
on Windows, hijacking by a malicious help file in the same directory as the executable
on Unix, remotely triggerable buffer overflow in any kind of server-to-client forwarding
multiple denial-of-service attacks that can be triggered by writing to the terminal
Mubassir Kamdar
Mubassir Kamdar is an ethical hacker and security researcher from Karachi, Pakistan.
With years of experience in cyber security, Mubassir Kamdar has identified major security flaws in some of the world's best-known companies, including ESET, Facebook, Uber, Sony and many others. A large number of Hall of Fame listings and certificates were awarded as tokens of appreciation from these companies.
http://www.mubassirkamdar.com/