Is it actually possible to make any good money doing that or am I better off doing surveys or some shit for money on the side lol

  • AntiOutsideAktion [he/him]
    ·
    6 months ago

    I was going to suggest breeding whatever bug was being targeted but then I read the comments and realized it was a coding thing

  • JoeByeThen [he/him, they/them]
    ·
    6 months ago

    I haven't yet, though I hope to in the future. But either way, the skills and infrastructural knowledge gained can be useful for "reasons" in the future. Just saying. cyber-lenin

  • Sphere [he/him, they/them]
    ·
    edit-2
    6 months ago

    Never done any myself, but I believe it's possible to make decent money at it if you know what you're doing--but that requires some familiarity with computer and/or network security; they're not just paying for finding any old bugs, they only pay for exploitable vulnerabilities (and they will often argue about what is and isn't exploitable). There are also legal risks to be considered; if you accidentally access sensitive data in the process of vuln-hunting, you could be at risk of prosecution, and there can be legal risks in communication/negotiation with the company, too (though I'm not really too knowledgeable about what those are, tbh).

    • PaX [comrade/them, they/them]
      hexagon
      ·
      6 months ago

      Thanks for the input. I think I'm gonna look into it I just don't wanna spend hours and hours trying to find stuff to no success :(

      • JoeByeThen [he/him, they/them]
        ·
        6 months ago

Worth checking out: the jhaddix methodology

        https://youtu.be/uKWu6yhnhbQ?

        Also, on YouTube either nahamsec or The Cyber Mentor had a good roadmap for getting started and what websites to sign up with.

      • Sphere [he/him, they/them]
        ·
        6 months ago

        If you're going to give it a try, I would recommend giving fuzzing a shot; it's a very effective way to find interesting and potentially exploitable bugs. I'm not too familiar with the tools these days, so I don't know if there are fuzzers you can just download and start messing around with, or if you still need to roll your own to effectively target the full attack surface of the application you're interested in, but I imagine there are plenty of resources on the subject online.

        • PaX [comrade/them, they/them]
          hexagon
          ·
          6 months ago

          I think there are fuzzing libraries you can use but in the end you still have to write a way to interface with the application somehow. I'm not too familiar either.
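To make the point above concrete, here is an added example (not code from anyone in this thread) of the "interface" glue a fuzzing library does not write for you: a small mutation-based fuzzer in Python pointed at a constructed toy record parser. The parser, its record format (tag, length, payload, checksum) and the deliberately missing bounds check are all assumptions made for the demonstration; the harness distinguishes the parser's expected rejections (malformed input) from unexpected exceptions (crashes), which is the triage step that separates noise from a real finding.

```python
import random


class RecordError(ValueError):
    """Expected rejection of malformed input; this is NOT a crash."""


def make_record(tag: int, payload: bytes) -> bytes:
    """Build a valid record: TAG(1) LEN(1) PAYLOAD(LEN) CHECKSUM(1)."""
    return bytes([tag, len(payload)]) + payload + bytes([sum(payload) & 0xFF])


def parse_record(data: bytes) -> dict:
    """Constructed toy target. It trusts the LEN byte and indexes past the
    end of short input (the deliberate defect the fuzzer should surface)."""
    if len(data) < 3:
        raise RecordError("too short")
    tag, length = data[0], data[1]
    payload = data[2:2 + length]
    checksum = data[2 + length]  # no check that the buffer is long enough
    if (sum(payload) & 0xFF) != checksum:
        raise RecordError("bad checksum")
    return {"tag": tag, "payload": payload}


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random structural mutation of an existing input."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and buf:                      # flip a single bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:                    # overwrite with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif op == 2 and len(buf) > 1:           # truncate the tail
        del buf[rng.randrange(1, len(buf)):]
    elif op == 3:                            # insert a few random bytes
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    elif op == 4 and buf:                    # duplicate a small chunk
        i = rng.randrange(len(buf))
        buf[i:i] = buf[i:i + rng.randrange(1, 4)]
    return bytes(buf)


def run_one(target, data: bytes) -> str:
    """The harness proper: feed one input to the target and classify the outcome."""
    try:
        target(data)
        return "ok"
    except RecordError:
        return "rejected"                    # expected, well-behaved failure
    except Exception as exc:                 # anything else is a crash worth triaging
        return "crash:" + type(exc).__name__


def fuzz(target, seeds, iterations: int = 2000, seed: int = 1) -> dict:
    """Mutate seed inputs, run them, and collect one reproducer per crash type.
    Inputs the target accepts are added to the corpus so later mutations
    start from more interesting shapes. Deterministic for a given seed."""
    rng = random.Random(seed)
    corpus = list(seeds)
    crashes = {}
    for _ in range(iterations):
        data = mutate(rng.choice(corpus), rng)
        verdict = run_one(target, data)
        if verdict == "ok" and data not in corpus:
            corpus.append(data)
        elif verdict.startswith("crash:"):
            crashes.setdefault(verdict[len("crash:"):], data)
    return crashes


if __name__ == "__main__":
    found = fuzz(parse_record, [make_record(1, b"hello")])
    for kind, reproducer in found.items():
        print(f"{kind}: reproducer={reproducer!r}")
```

The reproducer saved for each crash type is what you would hand to a debugger next; a real campaign adds coverage feedback and a minimizer on top of this loop, but the shape of the harness (build inputs, call the target, classify the result) stays the same.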

  • sovietknuckles [they/them]
    ·
    edit-2
    6 months ago
    CW: stimulant abuse

    I was on way too high of a Vyvanse prescription for a short time in college (80mg IIRC) and once that much Vyvanse kicked in, I felt compelled to break things (in a hacker nerd way). It always felt like I was "still in the middle of making progress on X" whenever the Vyvanse was winding down, so I would take spaced 12 hours apart, doing this to stay awake days at a time (I would sometimes go to bed after 72 hours awake, but I wasn't productive by that time and I hallucinated if I looked at anything for longer than a second).

    The cost of tuition was a big stressor to me, so taking that much Vyvanse inevitably made me feel driven to make money by doing bug bounties, and I would spend all of my time while on Vyvanse trying to break software that had bug bounties (I focused on 1 application in particular, but opsec). I ended up collecting bug bounty rewards for 2 separate vulnerabilities I found while staying awake on Vyvanse like this and submitted, about 6 months apart. I put all of it towards tuition, which was a big part of why my family could afford my tuition that year.

    That said, IIRC I got all Ds during the semesters when this happened, and my parents threatened to stop paying for college until I convinced them the first bug bounty would pay out and look good on my resume. My teeth would hurt frequently because I would grind them while catching up on sleep after being awake for days. I also kept trying to find more vulnerabilities after the first 2, but I didn't know how to turn the crashes I found into vulnerabilities (or how to prove that they could be used for vulnerabilities, which would be necessary for a bounty), and nothing additional I found would qualify for a bug bounty (though having those first 2 on my resume ended up landing me my first internship). But bug bounties are real, and depending on the company offering them, they'll probably pay out.

    Side note: Instead of a stimulant like Vyvanse, the med combo that ended up working for me is Strattera/atomoxetine for ADHD and Wellbutrin/bupropion for depression (which is relevant because Strattera by itself makes me feel a little depressed), which I should be able to take my entire adult life without risk of long-term effects or tolerance.

    • PaX [comrade/them, they/them]
      hexagon
      ·
      edit-2
      6 months ago
      cw: drug use

      Thanks for sharing your story. I'm really tired rn so please forgive any nonsense I may write lol. I have had some similar experiences in my life (but I rarely have access to legit monoaminergic stims so mainly caffeine or whatever research chems I can find lol) where I just feel compelled to hack on something for days/weeks at a time to the detriment of the rest of my life/health. That is really cool though that you made significant money (enough to help pay tuition) and got some cred to get an internship! Particularly to me cuz I have both of those problems too lol. The comments here have convinced me to try the bug bounty thing out. I've been working with operating systems, compilers, etc for years so hopefully it won't be too hard for me to move from thinking about exploit mitigation to the other side. Some of those wild techniques people use these days to, for example, subvert the usual control flow of programs seem like dark magic to me though lmao. Mostly gone are the days when you could just dump your return addresses onto someone else's stack and expect to have easy control or whatever :3 People think writing C is like walking across a minefield but it is actually really hard to turn these oversights/mistakes (particularly in memory management) into actual working exploitable security flaws because of all these nice mitigations we have in place now.

      I'm actually finally getting assessed for ADHD soon after having doctors dismiss my concerns for years so maybe I'll get some meds for that idk lol. I'm glad you found a more sustainable way to help with your ADHD and depression.

  • nick@midwest.social
    ·
    6 months ago

    We host one where I work. We've routinely paid out 10 or more grand, but for actual, verifiable and legitimate issues.

    There's this thing where people do "beg bounties" where it's just low hanging bullshit things like "ssl cert expires in a year" and we don't pay for those.

    So if you're good at them, you can make some cash for sure! I am not, I'm just an infra engineer.