Hacker News
Ask HN: Any student bug bounty hunters?
6 points by lukezli 3494 days ago
Have any students been rewarded for bug bounties, or do security research as a hobby? I'm working on a journalism project on student bug bounty hunters and would love to ask a couple of questions.

Please comment/email me if you'd be willing to help! I'd really appreciate it.

I also have personal experience doing this kind of stuff (I've found/been rewarded for bugs in Facebook/Google/Firefox/Apple) so happy to talk about my own experiences with anyone I'd be interviewing!

4 comments

I'm a student, but not a bug bounty hunter by any means. I've come across a few security bugs, nothing huge, and normally just send emails to the company with a quick note about what I've found. Every once in a while it leads to a little cash or so. I don't intentionally look for bugs; it just so happens that I enjoy poking other things to see what happens. The biggest bug I ever found was a wee little search bar error in LinkedIn (if you typed a very specific gibberish string into the search bar, you could crash Safari. To this day I'm still not exactly sure why), and instead of money, the guy offered me a job.

Am I student bug bounty hunter? No. I'm a student that sometimes breaks things and tells people when I do.

Hey, how did you get into poking things 'til they break? I just got into a comp sci program and I'm clueless about all of this.
Poke things.

Seriously though, I started because I wanted to secure my server. So I looked at how other people secure servers better. Sometimes I looked so deep I found errors, normally little things like leaving a default account set up, or leaving FTP wide open.

If you're looking for some generic response like "Just go to http://hunt4.bugs", I don't think one exists.

Awesome, congrats on your finds! Would you be willing to answer a few questions via email or something? Would really appreciate it.
Yeah, sure.
Thanks a lot! Do you mind dropping me a line at my email, found at my profile (https://news.ycombinator.com/user?id=lukezli)? I can't find your email unfortunately.

Really appreciate your help, questions won't take too long!

I made 7.5k for a Facebook vulnerability that I found while procrastinating instead of studying for exams.

Haven't done much since though.

Wow, awesome! Do you mind answering a few follow up questions via email or something? You can drop me a line at the email found in my profile: https://news.ycombinator.com/user?id=lukezli (I can't find your email unfortunately).

Really appreciate your help, and no worries if you're busy!

I'd be interested in hearing others' comments, since I'm also interested in getting into bug bounty programs as a hobby.
Seconded, I'd like to play around with this too but am not really sure where to start.

I get the impression the big bucks are in black-box proprietary/commercial systems? My only experience is with finding a small credential-leakage design flaw in an open source web app while poking through its source code one day.

I currently view most bug bounty hunting a bit like this - https://www.corsix.org/content/malicious-luajit-bytecode - so any suggestions about where to get started would be interesting. I'm not talking about "this is what XSS is"; I'm talking megalists of recent compromises with annotated source code, that sort of thing. That would be engaging, mentally challenging, and highly educational.

(As an aside, there was that one time I accidentally crashed Uppsala University's PDP-11/70 a few months ago (the logout program may have stepped on some kernel data structures :D), but that was kind of a fluke.)

Just to add my own experience since there seems to be some interest. The first bug I found in Apple I just ran across while developing an app (http://blog.appgrounds.com/content-blockers-track-browser-hi...).

I've gotten bug bounties from Facebook/Google/Firefox by applying fuzzing to open source projects, using AFL/libFuzzer. I'd say that fuzzing open source projects is a good, easy way to start security research, since it's a relatively low barrier to entry and can pay good dividends.

Anyways, hoping to get a response from someone I can interview for my project! Please drop me a line if you can help. Happy to answer more questions.
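The fuzzing route mentioned above (AFL/libFuzzer against open source parsers) boils down to writing a small harness that feeds generated bytes into one function and letting a sanitizer report anything that goes wrong. The following is an added example, not code from the poster or from any of the projects named in the thread: the parse target is a constructed toy TLV record parser, the `LLVMFuzzerTestOneInput` entry point is the real libFuzzer convention, and the seed inputs are made up for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy parse target, constructed for this example: a stream of TLV records,
 * each [1-byte tag][1-byte length][length bytes of value].
 * Returns the record count, or -1 if the input is malformed. Only the first
 * max_out records are written to out; the count still covers all of them. */
typedef struct {
    uint8_t tag;
    uint8_t len;
    const uint8_t *val;   /* points into the caller's buffer */
} record_t;

int parse_records(const uint8_t *buf, size_t size, record_t *out, size_t max_out)
{
    size_t off = 0, n = 0;
    while (off < size) {
        if (size - off < 2)
            return -1;                       /* truncated header */
        uint8_t tag = buf[off];
        uint8_t len = buf[off + 1];
        off += 2;
        if (len > size - off)
            return -1;                       /* value would run past the buffer */
        if (n < max_out) {
            out[n].tag = tag;
            out[n].len = len;
            out[n].val = buf + off;
        }
        n++;
        off += len;
    }
    return (int)n;
}

/* libFuzzer entry point: called once per generated input.
 * Build: clang -g -O1 -fsanitize=fuzzer,address fuzz_tlv.c -o fuzz_tlv
 * Run:   ./fuzz_tlv corpus_dir
 * AFL++ can drive the same function through its libFuzzer-compatible mode. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    record_t recs[16];
    int n = parse_records(data, size, recs, 16);
    if (n < 0)
        return 0;                            /* rejected input: fine, no crash */
    /* Read every value byte so an out-of-bounds pointer becomes an ASan
     * report instead of a silent no-op. */
    volatile uint8_t sink = 0;
    for (int i = 0; i < n && i < 16; i++)
        for (size_t j = 0; j < recs[i].len; j++)
            sink ^= recs[i].val[j];
    (void)sink;
    return 0;
}

/* Replay one saved input (e.g. a crash artifact libFuzzer wrote) through the
 * harness. Returns 0 on success, -1 if the file could not be read. */
int replay_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    uint8_t buf[4096];
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    LLVMFuzzerTestOneInput(buf, n);
    return 0;
}

/* Constructed seed corpus, the kind of inputs you would put in corpus_dir
 * before the first run. Returns how many of them the parser accepted. */
int run_seed_corpus(void)
{
    static const uint8_t ok1[]  = {0x01, 0x02, 0xAA, 0xBB, 0x02, 0x00};  /* two records */
    static const uint8_t ok2[]  = {0x07, 0x00};                          /* one empty record */
    static const uint8_t bad1[] = {0x01, 0x05, 0xAA};                    /* length overruns */
    static const uint8_t bad2[] = {0x01};                                /* truncated header */
    const uint8_t *seeds[] = {ok1, ok2, bad1, bad2};
    const size_t sizes[]   = {sizeof ok1, sizeof ok2, sizeof bad1, sizeof bad2};
    int clean = 0;
    for (size_t i = 0; i < 4; i++) {
        record_t r[16];
        if (parse_records(seeds[i], sizes[i], r, 16) >= 0)
            clean++;
        LLVMFuzzerTestOneInput(seeds[i], sizes[i]);   /* must not crash either way */
    }
    return clean;
}

int main(int argc, char **argv)
{
    if (argc > 1)
        return replay_file(argv[1]) == 0 ? 0 : 1;
    printf("%d of 4 seed inputs parsed cleanly\n", run_seed_corpus());
    return 0;
}
```

Without `-fsanitize=fuzzer` the file builds as an ordinary program that replays a saved input or the seed corpus, which is how you reproduce and triage a crash once the fuzzer has found one; the same harness shape works for any real-world parser by swapping `parse_records` for the project's own entry point.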