this post was submitted on 07 Jan 2024
chat
Never done any myself, but I believe it's possible to make decent money at it if you know what you're doing--but that requires some familiarity with computer and/or network security; they're not just paying for finding any old bugs, they only pay for exploitable vulnerabilities (and they will often argue about what is and isn't exploitable). There are also legal risks to be considered; if you accidentally access sensitive data in the process of vuln-hunting, you could be at risk of prosecution, and there can be legal risks in communication/negotiation with the company, too (though I'm not really too knowledgeable about what those are, tbh).
Thanks for the input. I think I'm gonna look into it; I just don't wanna spend hours and hours trying to find stuff to no success :(
Worth checking out: the jhaddix methodology
https://youtu.be/uKWu6yhnhbQ?
Also, on YouTube either nahamsec or The Cyber Mentor had a good roadmap for getting started and what websites to sign up with.
Thanks for the link, I'll check it out! (also thank you for removing that tracking code lol)
Welcome. Lol, yeah, I miss hexreplybot.😞
If you're going to give it a try, I would recommend giving fuzzing a shot; it's a very effective way to find interesting and potentially exploitable bugs. I'm not too familiar with the tools these days, so I don't know if there are fuzzers you can just download and start messing around with, or if you still need to roll your own to effectively target the full attack surface of the application you're interested in, but I imagine there are plenty of resources on the subject online.
I think there are fuzzing libraries you can use but in the end you still have to write a way to interface with the application somehow. I'm not too familiar either.
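The last two comments describe the usual shape of a fuzzing setup: a library or loop that mutates inputs, plus a harness you write yourself to feed those inputs to the target and decide what counts as a crash. The example below is added here and is not code from anyone in the thread. It is a small mutation-based fuzzer in Python run against a constructed toy TLV (tag, length, value) parser: `parse_tlvs_buggy` trusts the length byte and so can be made to throw `IndexError`, `struct.error` or `UnicodeDecodeError` on malformed input, while `parse_tlvs_fixed` validates every field and rejects bad input with a single expected `ParseError`. The harness treats `ParseError` as a clean rejection and anything else as a crash, which is the distinction a bounty triager will also draw between "it errors" and "it is exploitable-looking". All names, the message format and the seed corpus are assumptions made for the example.

```python
import random
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed toy format for this example: records are <tag:1 byte><length:1 byte><value>.
TAG_U32, TAG_ASCII = 0x01, 0x02


class ParseError(Exception):
    """Expected rejection of malformed input; the harness does not count it as a crash."""


def parse_tlvs_buggy(data: bytes) -> List[Tuple[int, object]]:
    """Deliberately unchecked parser: trusts the length byte and the record layout."""
    records, pos = [], 0
    while pos < len(data):
        tag = data[pos]
        length = data[pos + 1]                    # IndexError when the buffer ends after a tag
        value = data[pos + 2:pos + 2 + length]    # silently short when length overruns the buffer
        if tag == TAG_U32:
            records.append((tag, struct.unpack(">I", value)[0]))   # struct.error on a short value
        elif tag == TAG_ASCII:
            records.append((tag, value.decode("ascii")))            # UnicodeDecodeError on high bytes
        else:
            raise ParseError(f"unknown tag {tag:#x}")
        pos += 2 + length
    return records


def parse_tlvs_fixed(data: bytes) -> List[Tuple[int, object]]:
    """Hardened parser: every field is bounds-checked and bad input raises ParseError only."""
    records, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ParseError("truncated record header")
        tag, length = data[pos], data[pos + 1]
        if pos + 2 + length > len(data):
            raise ParseError("length field overruns buffer")
        value = data[pos + 2:pos + 2 + length]
        if tag == TAG_U32:
            if length != 4:
                raise ParseError("u32 record must be exactly 4 bytes")
            records.append((tag, struct.unpack(">I", value)[0]))
        elif tag == TAG_ASCII:
            if not value.isascii():
                raise ParseError("non-ASCII byte in string record")
            records.append((tag, value.decode("ascii")))
        else:
            raise ParseError(f"unknown tag {tag:#x}")
        pos += 2 + length                          # length >= 0, so the loop always advances
    return records


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random structural mutation; the menu is typical of a dumb mutational fuzzer."""
    buf = bytearray(data)
    choice = rng.randrange(6)
    if not buf or choice == 0:                     # insert a random byte (only option for empty input)
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif choice == 1:                              # flip one bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 2:                              # overwrite with an "interesting" value (hits length fields)
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif choice == 3:                              # delete a byte (shifts record alignment)
        del buf[rng.randrange(len(buf))]
    elif choice == 4:                              # truncate the buffer
        del buf[rng.randrange(len(buf)):]
    else:                                          # duplicate a chunk in place
        a = rng.randrange(len(buf))
        b = rng.randrange(a, len(buf) + 1)
        buf[a:a] = buf[a:b]
    return bytes(buf)


@dataclass
class FuzzResult:
    crashes: Dict[str, bytes] = field(default_factory=dict)   # crash signature -> first triggering input
    executions: int = 0


def fuzz(target: Callable[[bytes], object], seeds: List[bytes], iterations: int = 2000,
         rng_seed: int = 0, max_len: int = 64) -> FuzzResult:
    """Harness: mutate corpus entries, run the target, classify exceptions, grow the corpus."""
    rng = random.Random(rng_seed)                  # fixed seed so a run is reproducible
    corpus, result = list(seeds), FuzzResult()
    for _ in range(iterations):
        child = rng.choice(corpus)
        for _ in range(rng.randint(1, 4)):         # stack a few mutations per test case
            child = mutate(rng, child)
        child = child[:max_len]
        result.executions += 1
        try:
            target(child)
        except ParseError:
            continue                               # clean rejection: the behaviour we want
        except Exception as exc:                   # anything else is an unexpected failure
            result.crashes.setdefault(f"{type(exc).__name__}: {exc}", child)
            continue
        if child not in corpus:
            corpus.append(child)                   # accepted input: keep as a new parent
    return result


# Constructed seed: one valid u32 record followed by one valid ASCII record.
SEED_CORPUS = [bytes([TAG_U32, 4]) + struct.pack(">I", 7) + bytes([TAG_ASCII, 5]) + b"hello"]

if __name__ == "__main__":
    for name, target in (("buggy", parse_tlvs_buggy), ("fixed", parse_tlvs_fixed)):
        res = fuzz(target, SEED_CORPUS, iterations=2000, rng_seed=1)
        print(f"{name}: {res.executions} runs, {len(res.crashes)} distinct crash signatures")
        for sig, inp in res.crashes.items():
            print(f"  {sig}  <- {inp.hex()}")
```

The harness is the part the comment above says you always have to write yourself: for a real target it would wrap a network client, a CLI invocation under a debugger, or a library call, and "crash" would mean a signal or sanitizer report rather than a Python exception. Keeping the triggering input per signature is what turns a fuzzer hit into a reproducible report, which is also what a bounty program will ask for before discussing whether the bug is exploitable.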