Thread by @ArchAngelDDay on Thread Reader App

100 (very) short bug bounty rules:

1/ Spend at least 30 minutes on a new target
2/ Look for “No”s
3/ Use Italics Tags in your inputs instead of XSS payloads
4/ Focus on SaaS apps that are multi-tenant
5/ Buy Burp Pro

6/ On a new target go straight to the User Management section
7/ See if inviting an existing user to your org exposes their name
8/ See if inviting an existing user removes them from their own org
9/ If the scope has a wildcard, use subfinder to find subdomains

10/ Run HTTPX on the list of subdomains to narrow down alive targets
11/ On an app you’re not familiar with, use it like a normal user first
12/ If the docs say you can’t do X, but you can do X, then you have a bug
13/ Use match & replace rules to find new endpoints

14/ Budget time into your week specifically for hacking
15/ Give yourself a no-bug time limit. I do 3 hours.
16/ Go back to old dupes and see if you can still reproduce.
17/ Look for “+2” in your reputation log to find dupes that should be now.
18/ Ask for help from other hackers

19/ Make your report a conversation, not a sales pitch
20/ Accept & expect that dupes will happen
21/ File & Forget
22/ If an endpoint has “api/v2/”, try “api/v1/”
23/ If an endpoint has “api/v2”, try removing the “v2” altogether

24/ 6 $1000 Mediums pay more than 1 $5,000 crit. Don’t ignore any bugs
25/ Lows are still bugs that should be filed
26/ Be kind to your triager
27/ Say “thank you” when you get a bounty

28/ If an app uses UUIDs, you can still look for IDORs. Just set “AC:H”.
29/ If UUID IDORs exist, then look for an endpoint that exposes UUIDs
30/ Pin your success on whether you followed your plan, not on whether you found bugs

31/ A program that has a lot of hackers doesn’t mean there isn’t low-hanging fruit
32/ Going deep _will_ pay off
33/ Working with new hackers will pay off in dividends
34/ Don’t be jealous

35/ Bug Bounty income isn’t consistent. Be okay with peaks & valleys for your own sanity
36/ If you find a bug that’s OOS, still ask the customer if they care
37/ There’s no end. Enjoy the journey
38/ Have a hobby that’s not related to hacking

39/ Have friends that don’t hack
40/ Figure out what time of day you hack the best. Late nights aren’t for me.
41/ Spend that extra 2 minutes to make your report look/read nice
42/ “Subscribe” to programs that pay well and have good scope

43/ Don’t whine on Twitter about a single report. Or at all for that matter.
44/ IDORs and Privilege Escalations are a great place to start
45/ Unmet expectations lead to disappointment
46/ Teach someone else how to hack
47/ Time spent reading/learning is time well spent

48/ Focus on programs that you actually use in your day-to-day
49/ Establish a relationship with the program
50/ Try asking the program what types of bugs they want to see
51/ Look at a program’s leaderboard to see who you should collab with

52/ When collaborating, an even bounty split eliminates hassle
53/ Take a break when you stop having fun
54/ At an LHE, start hacking ahead of time
55/ Look for programs that are active in resolving reports

56/ Look for programs that haven’t awarded a lot recently
57/ Look for programs that have collaboration enabled
58/ Look for programs that don’t list out a bunch of known issues
59/ Look for programs that have a history of adding new scope

60/ Change your strategy if you’ve gone a while without a finding
61/ If you’re on a roll, keep doing what you’re doing
62/ But don’t let success keep you from evolving/growing
63/ Compare yourself against yourself from last year
64/ Maintain an online presence for new opportunities

65/ Be thankful for failure
66/ Read disclosed reports
67/ Focus on one program at a time. Cycle if you get bored.
68/ Don’t spray XSS payloads everywhere
69/ If possible, work at a company that has a BBP

70/ Spend bounty money on tools that will generate more bounties
71/ Budget a specific amount of your bounties for fun. And stick to it.
72/ When hacking a store, don’t be afraid to make small purchases
73/ Look for changes in JS files to know when there may be new functionality

74/ Look for references to subdomains in a company’s GH repos
75/ Look for references to subdomains in employees’ GH repos
76/ If the app uses Intercom, try booting it with another email
77/ Look for second-degree IDORs

78/ SSRFs exist when the app makes any external request. Look for these requests.
79/ Look for actuator endpoints
80/ Find hackers that hack differently than you.
81/ Try hacking in a different room of the house
82/ Try hacking at a different location altogether

83/ If you find the same bug on different endpoints, file as different bugs
84/ Try always having some pending bugs in your pipeline
85/ Break your yearly bounty goal into monthly goals
86/ Know when a bounty isn’t worth fighting over

87/ Push back gently when a report gets downgraded
88/ Use the leaderboard as motivation, not as comparison
89/ Don’t re-invent the wheel when a tool exists
90/ Don’t be afraid to build the wheel if the tool doesn’t
91/ Try collabing in real time over video chat

92/ Always ask why something works the way it does
93/ When collabing, don’t be afraid to be the underperformer
94/ When collabing, don’t get salty about being the overperformer
95/ Use mediation, but use it sparingly
96/ Be generous with your earnings

97/ Hack for fun, not for a paycheck
98/ LHEs are a privilege, not an expectation
99/ Programs are your friend, not your adversary. Work with them
100/ The platform is your friend, not your adversary. Work with them
