Bug hunter's search for meaning in Low/Medium bugs.

By


Three years ago, I started to find bugs more often. 95% of my bugs were low/medium. Although bounties were nice, I often wondered if my reports have any impact on the security of companies I submitted to. If my reports were useful to developers, security teams, or they were a waste of time, and bug bounty programs have to accept low/medium just to comply with bug bounty community standard, but what they really want are high/crit reports.


I felt unease, while writing a new report for a low bug. I often thought If this report was really needed, or it was a waste of time for program staffs and everyone involved. Of course, the bounties were still larger than these doubts. So I reported.

I tried to answer these doubts many times, some answers I had come up with are:

  • Many of my low bugs are fixed, that means developers care about these bugs. Otherwise, they can just leave them in backlog for years.
  • They have option to not pay for low bugs at all, but they pay, that means these reports have value to them.
  • 7 low/medium bugs attack individually can cause many small integral issues on target websites. Although the impact are small, users can feel the lack of integrity here and there, which makes them feel unease using the website. Also, it is hard for developers to identify and recover all these integral issues.
  • If these small holes are not fixed, they will start the Broken Window Effect and start to drag the security quality of the whole website down.

After these answers, my doubts was smaller, but not completely gone. Fortunately, I begin to see a better answer for my doubts. It is in a website that I have reported around 120 valid bugs on in the past 3 years, most of them are low/medium.

When we test on a website for a few hours, we begin to get a feeling of how good the security stance of the website is. If it feels solid? When we enter unexpected data, the website responds in a uniform way or weird way? If it feels solid, I will likely switch target after a few days. So do attackers.

Three years ago, this website (the 120 bugs one) has small data leak and trivial integral issues everywhere, many of them are not impactful enough to even be a low bug. But that's a good sign for me to spend more time here. So do attackers.

Most of my bugs in this website are fixed (112). Not only that, I can see developers of this website are getting better at writing secure code, such as, reuse existing APIs for fetch/edit data in new features when possible, instead of writing new APIs. They also consider many business logic cases. They introduce new security rules that breaks many attack chains, while still keep the UX/UI harmonious. I can see some of these rules are inspired by my low/medium reports.

Now testing on this website feels like hitting a medieval castle stone wall. Very solid. All holes are closed, even small ones.

I am glad that I endured through my doubts and finally see the fruitful impact of my "trivial" reports years ago.




Comments

Post a Comment

Comments are very welcome. I read all comments!

Popular posts from this blog

Beginner Tutorial - How to learn the Technical Skill and Hacker Mindset That Are Required to Find Your First Bug Bounty.

By
In 2023, there are so many bug bounty resources for beginners, much more than before. I believe this is a bad thing for beginners, because now, they have to deal with so much unnecessary distractions just from choosing and sticking to a learning path alone. The over-abundance of free resources also fuels procrastination, we usually see people jumping from one learning path to another, without actually touch a real target. In this article, I will show you how much learning is enough. So you can get out of your learning rabbit holes and start hunting on a real target. By the way, this article aims to help you find bugs in IDOR, Information Disclosure, Business Logics, Broken Access Control. It may not help you to find injections bugs or misconfiguration bugs. Because I don't know how hunt them myself. # Technical Skill If you can solve Practitioner labs in PortSwigger with relatively ease, you have enough technical skill to hunt bugs: - https://portswigger.net/web-security/logic-flaw
Read more

The power of focus

By
A quote in the movie John Wick 1: John Wick is the main of focus, commitment and sheer will Out of all the good traits, the movie writer chooses only 3 traits to describe how bad ass John Wick is. That shows how powerful focus is. I believe he also gets his excellence skills thank to these 3 traits. Focus, commitment and sheer will are pretty similar to each others, they show that the man can stick to something for a long period of time, without switching goal, despite inconvenient challenges. If we apply this to bug bounty, it means, we make a goal, and stick to it, despite all self-doubts. For example, Losef is a beginner, who tries to find his first bug, he sets a goal to hunt on a program for 7 days. In day 1, he feels overwhelmed by how much details his target has. In day 2, he tests features one by one, but finds nothing, he feels down. In day 3, he feels that you have hit a steel wall, which he cannot even imagine how to get pass it. In day 4, he notices the program stats, which
Read more

How to succeed in bug bounty as a non-talented bug hunter

By
Image
When I started bug bounty hunting about 4 years ago. I looked up information about top bug bounty hunter and wondered how are they hunting bugs and grow their H1 reputation so fast. 1 year later, when I found my 1st, 10th, 20th bugs. I still had this question. Because although I had found some bugs, it took me a few days to find one. Recently, as I get more mature in bug bounty. I start to develop a deep understanding for a program. I see many attack surfaces that other people don't realize. When this program releases a new feature, I check if this feature can be abused to attack the attack surfaces A, B, C or D. Oftentimes, at least 1+ bugs are found. When I keep hunting on this program and discover a new attack surface, I check if any existing features can be abused to attack this attack surface. Oftentimes, at least 1+ bugs are found. When there is no new released feature and attack surfaces. I sometimes  wander the program, looking at already tested features and to my surprise.
Read more