Posts

Be a security researcher, not a bug bounty hunter.

You can't control your result in bug bounty. Only effort. The word Hunter makes us feel like we need to find some bugs. Otherwise, we fail to be a hunter, our job is worthless, the process is just a means to an end. If we think of ourselves as bug hunters, we will have a lot of unnecessary thoughts, which lead to unnecessary stress, which leads to unnecessary burnout and procrastination. We have these unnecessary thoughts because we try to control the result; we think the more thought we put into it, the better we can control the result. But in fact, we can't control our result in bug bounty. Instead, be a security researcher, who emphasizes the process, not the result. When testing a target, we learn how its security works, learn its features' capacities, discover some quirks, and see if we can spot any security bug from them. This leads to more enjoyment and less stress while hunting for bugs. With this small change in attitude and mindset, you will get better results in bug

[Journaling][30-Aug-2024] The Universe does listen to what you say

https://www.youtube.com/watch?v=GoW8Tf7hTGA I just watched this video again. Maybe the 10th time. This time, I realized that there is something that connects everything else: people are pulled toward the center of the Earth. All planets in the Solar System are pulled toward its center. The Solar System and many of its equivalents get pulled toward the center of a galaxy. Many galaxies are connected to form a supercluster of galaxies; at this point, we can't even see what is in the center that powers all these galaxy-connections. The whole universe now looks very much like a living being. Each person is a cell of this GIGANTIC being. There is a rule in the universe, that everything is available in abundance. When creatures on Earth need energy, the sun provides 100 times what is needed. When these creatures need water, they are provided with rivers and rains. When they need air, there is so much air that they take it for granted for the rest of their lives. The Earth is va

[Journaling] [05-Jul-2024] Just a little bit of time spent consciously can make a huge difference

Note: this is a journal. Me talking to myself. I think this is a good one, so I properly formatted it and posted it here. Yesterday, I spent around 7 minutes sky-gazing; I felt grounded, and my mind was clear after that. Today, after I finished testing a small feature, I was about to switch to another feature. But I stopped and brainstormed for 5 minutes for new ideas to test on this feature. And I indeed got some good ideas. I just realized that just a little bit of time spent consciously can make a noticeable impact. That's how generous life is to us. Life gives humans 16 waking hours (960 minutes) every day, and we only need to spend 7 minutes to feel grounded, calm, and clear, and 30 minutes to exercise for good health. And the rest is up to us to use. People who usually complain about not having enough time must have shoved their heads into a lot of entertainment. Entertainment, on the other hand, is a counter-life activity, because we usually spend a lot of time on it and feel foggy and lethargic afterward. We spe

Bug hunter's search for meaning in Low/Medium bugs.

Three years ago, I started to find bugs more often. 95% of my bugs were low/medium. Although bounties were nice, I often wondered if my reports had any impact on the security of the companies I submitted to. Whether my reports were useful to developers and security teams, or whether they were a waste of time, and bug bounty programs had to accept low/medium just to comply with bug bounty community standards, while what they really wanted were high/crit reports. I felt uneasy while writing a new report for a low bug. I often wondered if this report was really needed, or if it was a waste of time for program staff and everyone involved. Of course, the bounties were still larger than these doubts. So I reported. I tried to answer these doubts many times; some answers I came up with are: Many of my low bugs are fixed, which means developers care about these bugs. Otherwise, they could just leave them in the backlog for years. They have the option to not pay for low bugs at all, but they pay, which means these reports have

Avoid burning out

- Taking some weeks or months off always helps. After months of doing bug bounty, you usually develop a liking for something other than bug bounty. This is a good time to do it. Trying to train like a pro-gamer in a game you like for a month is also a good option.
- If you are burning out, there is a good chance that you have many items in your bug bounty todo list. Just create a file called archive.txt, move all these items into it, and move this file to the deepest place in your computer. It will lighten up your head instantly.
- Realize that there are no must-do, have-to-do, ought-to-do, should-do things in bug bounty (in life as well). You do them because they feel right for you, because they are interesting to you. And if they don't feel right for you, you don't need to do them. The worst that can happen is you lose some bounties. But you save yourself from a lot of stress and burnout. If you stick to this principle, your mind is clear and light. Hunting bugs with thi

Pay more attention to details

An elite hacker, a normal hacker, and a no-bug hacker hunt on a Survey feature on a website: the 1st one can notice 40 unique details about this feature, the second one notices 20, the 3rd one notices 8. Let's assume 2 out of these 40 details are:
- Survey Editor cannot see survey results when settingA is enabled.
- When settingA is enabled, survey results will be sent to a predefined receiver list instead.
- Survey Editor can add more people to the receiver list (via direct API call) after the survey starts.

Combining these 3 details, the elite hacker finds 1 logic bug. The no-bug hacker cannot even imagine that there are 40 unique details in this Survey feature. He tests the feature very fast; at first glance, this feature seems simple and straightforward, and looking through the API calls the feature makes, nothing seems out of place. He concludes this feature is hardened and moves to the next feature until all features in the target program are tested. He looks at the program s

The similarities between Bug Bounty and Video Game

In video games, you usually see the consequences of your actions after 30 seconds. In bug bounty, it takes several days or weeks. That's why it is harder to stay motivated in bug bounty. In video games, the player with more actions-per-minute is more likely to win. It is the same in bug bounty: the bug hunter who performs more actions over a long period of time is more likely to be successful than the one with fewer actions. The effectiveness of the actions matters too, but it will increase as the bug hunter gains more experience, so it happens naturally. Some examples of actions-per-minute in bug bounty:
- Browse the target website and get familiar with its features.
- Look at the details and discover "advanced", hard-to-see features. (If you post a comment in French, the website offers to translate it to English; this is a hard-to-see feature.)
- Read documentation; each article can be counted as an action.
- Brainstorm