In this article I will tell you how I make money from sites that do not have a bug bounty program, because I think this is very interesting to discuss: from first finding the site to being paid by the site owner as a thank-you for reporting a vulnerability.
In the last few months I have been looking for vulnerabilities on random sites, not on sites that have a Bug Bounty Program. Although the rewards are not as large as those from sites with a BBP, it is very enjoyable.
In general, sites that have a BBP (Bug Bounty Program) or are listed on platforms such as HackerOne or Bugcrowd already have many other researchers who have found vulnerabilities. If I choose a random site instead, there are probably still many vulnerabilities that I can find.
Searching for Target Sites
Of course, the first step is to find a site that we want to test and whose support team we will report to. So how do I choose a site that is likely to pay us?
I often look for sites from advertisements on YouTube, Google search, Instagram stories of influencers (who usually like to promote sites), etc.
You can also choose the category of sites you want to test with Google Search. For example, if you want to test hosting and domain service provider sites, you can search for the keyword “Buy Hosting” (just change the keyword) on Google search, YouTube, etc.
Writing the Report
At this stage I have a tip for you 👀 Most bug bounty hunters are reluctant to look for vulnerabilities on sites that do not have a bug bounty program: researchers are discouraged when their findings are reported but get nothing in return, even though the findings are high risk for users and the site.
Before writing a report to their email, you should first ask the site’s live chat or support email, for example:
“Is there a reward for reporting vulnerabilities?”
Below are some of the bounties I’ve gotten on random sites. I also don’t have high expectations for the value of the bounty; keep in mind that these sites don’t have bug bounty programs.
Ask for rewards on site2
Some sites don’t take vulnerabilities seriously, and if you ask about bounties, they may reply “there are no bounties for vulnerability reports”. If you get a reply like that, would you give up?
Try explaining the vulnerability you found in more detail and state the impact! For example, in my recent case, at first they wouldn’t give a reward to anyone who reported a vulnerability.
But when I explained that the vulnerability let me log into other users’ accounts, and even into the Admin account, another support account offered me a $250 bounty for my findings.
If they still don’t want to give you a bounty, what do you do? Just report it anyway, or it’s up to you whether to report it or not :D
On some random sites I found a lot of vulnerabilities, because not many other researchers had looked for vulnerabilities on the sites I tested.
Some of the vulnerabilities I found included:
1. XSS (Reflected / Stored)
2. SQL Injection
3. Privilege Escalation, etc.
With this article, I want to show that finding random sites and reporting vulnerabilities on them can be a fun and profitable way to earn extra money. Along the way, I found many vulnerabilities that the site owners didn’t know about yet, and reporting them properly earned me cash rewards.
Not only that, but this experience has also helped me learn more about web security and how to protect myself from online attacks. Digging up vulnerabilities on random sites has also allowed me to contribute to improving overall internet security.
However, keep in mind that looking for vulnerabilities on websites should be done with ethics and integrity. It is important to talk to the site owner first and get permission before starting to look for vulnerabilities. Also, reporting vulnerabilities clearly and completely will help site owners fix them quickly.
Thank you for reading my writing, and don’t forget to give your applause 👏
Follow me at https://x.com/parkerzanta
[!] The source of this article is the Parkerzanta Blog, which I wrote in English.