Slide 1

Bug Bounty As a Career
“Create your own path and live it”
Ninad Mathpati

Slide 2

Whoami?
▪ Web application security engineer @Arisglobal.
▪ Security Researcher @Synack, @Bugcrowd.
▪ Hacker with an ethical bent of mind.
▪ Developer with skills.
▪ Known as Hacker2202
▪ Find more details about me & my work @ ninadmathpati.com

Slide 3

Disclaimer
▪ Nothing presented here in today's session gives you permission to hack.
▪ Always hack with proper approvals.
▪ Use this knowledge for educational purposes only.

Slide 4

What is this talk about?
▪ My journey & experience in cybersecurity.
▪ How can you be a successful bug hunter?
▪ Things needed to move forward in bug bounties.
▪ Can bug bounty be opted as a career option?
▪ Myths about the certifications.
▪ Tips/Tricks

Slide 5

Journey & Experience in Cybersecurity
▪ Hacking is in my veins; I started at an early age, close to 10 years back from now.
▪ As it was my passion, and I had no access to PCs or laptops, I used internet cafes to learn and try stuff.
▪ All these years I was passively working in this field; for the past 3 years I thought of becoming active in this field.
▪ In the past 3 years I have achieved many things that I hadn't thought of too.

Slide 6

Journey & Experience in Cybersecurity.

Slide 7

Journey & Experience in Cybersecurity
▪ The journey in this field is a bit difficult, but possible.
▪ Some people take up to 6 months of continuous hard work to get their 1st bounty.
▪ Be motivated: today might not be yours, but tomorrow will definitely be yours.
▪ Eat -> Sleep -> Hack -> Repeat

Slide 8

How can you be a successful bug hunter?
▪ Start with the basics.
▪ Understand the workflow of the applications.
▪ For example, start with some basic development (Web/Mobile).
▪ Understand how data is transferred from the browser to the servers.
▪ Then move forward with hacking: application security, network security, IoT security, etc.
▪ Nowadays almost every field has a bug bounty program.

Slide 9

How can you be a successful bug hunter?
▪ Once you know how to build it, it will be a lot easier for you to break it.
▪ Learn the “Art of googling”.
▪ Sometimes you might lose your patience too: you might work 15-18 hrs per day for 10-15 continuous days and end up not getting anything.
▪ Learn to use all the resources over the internet; try reading blogs that might open up your mind.
▪ If you are okay with coding, learn to automate stuff, like automating your information gathering process or git recon process.

Slide 10

Things needed to move forward in Bug Bounties

Slide 11

Things needed to move forward in Bug Bounties
“As your methodology of approaching bugs will be different than others”
“Thinking out of the box”

Slide 12

Things needed to move forward in Bug Bounties
▪ Do follow my mind map, which is updated on a regular basis, so you get the best of the best resources for any vulnerability over the internet.
▪ Try to escalate the vulnerabilities: if you found HTML injection, escalate it to an XSS attack.
▪ If you found a CSRF vulnerability, try to escalate it to full account takeover.
▪ Earlier bug bounty was about any vulnerability; now it's all about its bypass.
▪ Automation is the key; automate as much as possible.

Slide 13

Web App Pen-test Mindmap

Slide 14

Can Bug Bounty be opted as a career option?
▪ Bug bounty can definitely be chosen as a career option.
▪ If you start bug bounty at an early age and are eager to move your career into the cybersecurity domain, you need not worry about your job.
▪ Cybersecurity is the only domain where, whatever the situation, jobs will be there.
▪ Try joining some private bug bounty platforms like Synack, Detectify, Cobalt (SaaS), etc.

Slide 15

Myths about the certifications.

Slide 16

Myths about the certifications.
▪ Is it necessary to do certifications to be successful in life?
▪ Do all the certs really add value?
▪ If you are eager to learn something new, give the Offensive Security certifications (OSCP, OSEE, OSWE) a try.

Slide 17

Tips/Tricks
▪ Read blogs, keep yourself updated.
▪ Be unique and try to escalate issues instead of simply reporting them.
▪ Read H1 Hacktivity.
▪ Google, Censys, Shodan.
▪ Learn the ways to bypass the vulnerabilities.
▪ Get started with the Bugcrowd platform, as it is a more researcher-supportive platform.

Slide 18

Q/A

Slide 19

Thank You