Hacking on Bug Bounties for Five Years

Presented at CrikeyCon VII (2021), March 6, 2021, 12:15 p.m. (45 minutes).

Bug bounties have become an established process in organisations with a mature security posture. Over the last five years, I have been submitting vulnerabilities to companies in almost every industry. By participating in bug bounties over such a long period of time, there has been an evolution in the skills, reporting and payouts. There is a broad perception in bounties that there is a secret to unlock to be successful and only a handful of individuals are capable of that success. This presentation will break down why that is not the case. I will walk through all of my favourite bugs that I have found in the last five years, explaining step by step what led to the discoveries. I will discuss some of the lessons I have learned from my participation, and how you can replicate my success.


Presenters:

  • Shubham Shah / Shubs as Shubham Shah 'Shubs'
    Shubham Shah is the co-founder and CTO of Assetnote, a platform for continuous monitoring of your external attack surface. Shubham is a prolific bug bounty hunter in the top 50 hackers on HackerOne globally and one of the top 3 hackers on HackerOne for Australia. He has presented at various industry events including Kiwicon, BSides Canberra and 44Con.
