For those who know me, I've been quite a fan of self-hosted programs since I discovered them.

Anyone who has ever done bug bounty hunting knows that the two big platforms, HackerOne and Bugcrowd, are very crowded, which is why, even if you find a valid bug, chances are someone has already reported the same vulnerability.

So I made the best move on the chessboard and tried my luck with self-hosted programs.

What's Cool And What's Not?

After failing countless times on HackerOne, I started with external programs and reported many vulnerabilities, including clickjacking, URLs explicitly exposing customer invoices, and bugs like session persistence after logout.

👉The Cool Stuff About External Programs

  1. I didn't have to be a master bug hunter to find bugs and get paid; little bugs got paid too.
  2. While I continue mastering bug hunting and learning to find the big vulnerabilities like RCE and SQLi, I can earn a few dollars here and there.
  3. They don't have strict policies around vulnerability research, because they're new and their assets haven't been tested by many researchers, so you will most likely find something if you dig enough.

👎The Not So Cool Stuff

  1. There are like a hundred programs I could show you today that still haven't responded to me. All the hours and days of my life feel wasted, with nothing in return.
  2. Some programs will pay you 20 or 30 USD for a vulnerability like stored XSS, or even an IDOR on account deletion.
  3. Many of them will not tell you anything upfront and come back with excuses like "someone already reported this to us." The shady part is that you never get to know who in the world was the first person to report the vulnerability. That's a plus point of HackerOne and Bugcrowd, where they are transparent about who reported first and include the report ID. Worst case, they have a support system in case of any mishap.
  4. If I had spent the same time on HackerOne, maybe I would have found a SQLi that could have netted me a bigger bounty of 5000 or more.

That's why I no longer see a reason to hunt on external programs.

They can definitely be a motivation for newbies because of how easy it is to get bugs on there. I said "easy", but don't think you'll just go there, find some program, report clickjacking and shout, "OK, hooray! I'm gonna get paid now."

News flash! It doesn't happen all the time. Sometimes, you'll get these types of vulnerabilities marked as duplicates.

But the point here is, you always end up finding some bug in self-hosted programs and getting paid, provided the company itself is not a scam.

The downside is, you don't learn much, and you start relying on the dopamine hit of finding simple bugs like XSS, clickjacking (not even considered a bug on the famous hacking platforms), and other negligible issues for quick money.