BUG-BOUNTY HUNTING BUILDING CAREERS USING MAKING SURE THAT YOU BUILD CAREER IN A SIMPLE WAY Fardeen. A @infosecresearcher

Security Engineer and Ethical H4CK3R In security from 5+ years (I’ve been working from my university days) Part-Time Indie Developer Accidental Content-Creator Helping new people crack-in freelance market of Tech and Cybersecurity HELLO!

CONTENT Cool Bugs and Methodology - This section is all about sharing some cool bugs that have come up in the market, and you should try on, even if you’re a new security enthusiast. Another thing, this section we will discuss what are the targetted sections that you should work on within new sections in the market. Bug-Bounty Hunting (2024 edition) :A very brief introductions over what Bug-Bounty Hunting is (for new people), how it helped me as well as can help you build career in Cybersecurity 01 02 03 04 Job Roles in Cybersecurity - The talk is based on career, and no discussion over job roles.? How ironic. right.? We will discuss cybersecurity careers that connects the dots to a successfull growth if you’re good with Bug-Bounty Hunting Approaching Companies with a background of Cybersecurity - Now, even if you have skills, you need to crack the market, and not “all” people who hire for tech role are technical. So what are the steps needed to crack in and how to approach the companies, irrespective of the requirements they have.

Bug-Bounty Hunting, in a simple way, is about finding security issues and flaws (known as bugs) in a system of an organization, and reward is prepared for you aftermath of submission of accepted valid report It helped me get a decent job in a start-up, then a great internship and finally great jobs.

As a fresher, you’re constantly distracted with people, studies, university activities etc, and find it difficult to grow as a fresher, towards a career. Not completely, but partially I isolated from time- to-time from people to give my time in myself. My personal steps that I followed were as follows : -Learnt skills (Learnt scripting in python and bug-bounty hunting) -Enhance my skills (scripting to coding with DS Algo and pentesting-based bug-bounty hunting) -Enhance research skill (use of dorks and social media) -Watch interview videos of different paradigms The zeroth step (as arrays starts from zero) is to start setting up priorities in an arranged time management schedule. A very basic one, would be : Eat - Learn a new skill - University - Work on Projects - BBH - Sleep

Some of the cool bugs that you should be focussing on are : -OWASP TOP 10 LLM Vulnerabilities : Prompt Injection, Data leakage, Inadequate sandboxing, Unauthorised Code execution, SSRF Vulnerabilities, Overreliance over LLM content, Inadequate AI alignment, Insufficient access control, Improper error handling and training data poisoning. -Automation : Start learning basic scripting, setup the system, for instance, of yaml based tools, for fuzzing vulnerabilities such as Redirection attacks, Injection attacks as well as automating your web-proxy tools for custom enumeration. -Server Side Bugs : These includes the famous SSRF (as mentioned above), Sensitive Information Disclosure through enumeration and exploitation, SSL related bugs that can’t be “completely” enumerated with the help of automated tools, as well as taking API and Web as a single component while hunting for bugs. COOL BUGS AND METHODOLOGY Methodology : Approach each target with basic scan automation. First, work over parametric-based issues (use paramspider + httpx), then move forward with S.I.D issues (use dirsearch / FFUF), then functionality testing and it’s ethical abuse (use OWASP cheet sheet + Web-application Hackers Handbook), next step forward with fuzzing extended targets (use feroxbuster) and finally start working on manual approach of finding your favorite issues (Use OWASP cheetsheet), if there are possibilities

Some of the job roles that you should be working on as a beginner as well as you will be growing in an organization are as follows : -Offensive Security : Junior Level Security Analyst : Should have knowledge to OWASP Top 10 and basics of enumeration and exploitation Associate Level Security Analyst : Should have in-hand experience of breaking security. Defensive Security : Threat Intelligence / Researcher : Should have knowledge to Threats, Vulnerabilities and ASM. Network Security Engineer : Should have above knowledge as well as knowledge of configuring network of any infrastructure to it’s security posture. Infosec Management: Security Auditor : Should have updated knowledge as a threat researcher, Vulnerability Management within GRC paradigm. CAREER ROLES

You’ve a career role now, and you’ve gain skills. Now you need to work on one thing, APPROACH...!!!! -Linkedin / Naukri might be a great place to connect, so is Github, HackTheBox, Freelance.com and Discord. Tech people are everywhere. Make sure you build connection and then showcase your skills. -Github is a great place to showcase your work, including sharing POCs of disclosed issues that you’ve found. Try to maintain and populate it with people. -Dev.to is a place of socializing with developers and security people. Start as early as possible. -Whatever your findings are, your write-ups are going to be a great deal while cracking in interviews. These are not less than an experience that you’ve gain out. Add it in your resume. -Apart from socializing, it’s a “must” to create a resume based on ATS filtering, consisting of your projects as well as the anything that you’ve done. -Finally, make sure that you document each experience, from interview to approval / rejection to make sure that you are comfortable with next targetted area of work. APPROACH COMPANIES

CONTACT ME Linkedin Instagram Twitter https://www.linkedin.com/in/ infosecresearcher/ @infosecresearcher @infoscresearchr Topmate (For 1-1 consultation) https://topmate.io/infosecresearcher Careers through Bug-Bounty (Roadmap) https://whimsical.com/careers- through-bug-bounty- VFhqjdGW9MSQJsKkgv2Epe

THANK YOU!