Since the virus has locked people in their houses, there has been a rise in hacker activity. They have been constantly trying to invent and deploy new viruses and malware, and to find flaws in otherwise smoothly working software and websites. The only difference that sets us apart from these malicious attackers, known as black hat hackers, is that we report the flaw rather than exploiting it further.
White hat hackers search for live websites where they can hunt for new as well as known vulnerabilities. If you are unfamiliar with some of the terms, here is a walkthrough for easy understanding.
What is a vulnerability?
A vulnerability is anything that exposes a weakness in a website. It can be absolutely anything, right down to a picture not being displayed even after you have uploaded it. It can also be described as output behaviour that occurs unintentionally because of unexpected inputs.
A vulnerability is a warning that black hat hackers could exploit your website, and that is what separates them from ethical hackers: ethical hackers report the vulnerability.
What are the different platforms where you can learn to hunt and earn?
HackerOne is a platform where websites enroll themselves and set out criteria for accepting reports. The criteria can range from a list of vulnerability types that one should refrain from testing to a list of domains where testing is allowed. It is always better to read these lists thoroughly before proceeding, as wrong actions might cause real damage and get you banned from the platform.
Bugcrowd is another platform where websites register and hackers are allowed to test them up to a certain extent. Once done, you generate a report explaining the severity, impact, type, and additional information regarding the vulnerability. Depending on the validity of the report, you can be rewarded with points, cash, goodies, and gift cards.
If these platforms are not enough, you can find other websites offering such programs through Google. Simply search for 'vulnerability disclosure program'. You can narrow the results by location and domain, and by whether you want to earn cash (referred to as 'bounty'), swag (goodies), or simply a mention of your name in the company's hall of fame.
Various vulnerability programs are run by well-known companies like Google, Microsoft, Tesla, and Netflix. But all of this is about earning through bug bounty programs; the real challenge lies in learning how to earn.
Here are some ways to learn how to submit a bug report:
- Make sure your report is completely original and has unique content.
- Avoid low-value, easily found bugs of little importance, and instead work on understanding how to find new bugs. Vulnerabilities are prioritised from P1 to P5, where P1 is highly critical and P5 is informational.
- Your report should include the title, a description, steps to reproduce, a proof of concept (a video or images), a severity rating, and the impact of the vulnerability you have discovered.
- Provide reference links for a fuller understanding of the bug, and then maintain respectful and clear communication with the people who ask for further clarification.
- You can refer to reports previously submitted by others on the same platform and learn from their presentation. Mind you, this is only for learning purposes and does not mean you should copy the content as it is.
- Try to be the first person to report the vulnerability, to increase your chances of being rewarded. Late submissions lead to your report being marked as 'Duplicate'.
- Practice is the key! Until you have practiced a way of hunting a particular vulnerability enough, you risk making a fool of yourself. Make a habit of reading submission reports and analyse where reports fail, so that you can address those points and get your own submission approved.
- Lastly, do not forget to take courses on MOOC platforms like Coursera, edX, Internshala, etc. to broaden your knowledge of cybersecurity and refine your skills.
So these are some of the ways you can learn and earn in the field of cybersecurity. What are you waiting for? Hackers, gear up your skills and start applying them, and meanwhile newbies can always begin afresh and enthusiastically!
Also, a word of caution to our readers: the good and bad sides of hacking are separated by a really fine line, and during practice one must not cross it, even unintentionally. Stay within ethical limits and then put your mastery into practice!
Author's Bio: This article has been written by Rishika Desai, B.Tech Computer Engineering student at Vishwakarma Institute of Information Technology (VIIT), Pune. She is a good dancer, poet and writer. Animal love engulfs her heart and content writing occupies her present.
You can follow Rishika on Twitter @ich_rish99, and connect with her on LinkedIn.