
Are you guys excited? This boardroom discussion, for the table, is pretty interesting to note: a discussion on how to get started in bug bounties. For this discussion we have with us our moderator, Mr Nikhil Srivastava. We welcome you, sir.

Now, our panelists for our board discussion are: Miss Farah, team leader, security operations at Bugcrowd. Next we have with us Mr Bhav Jain, a senior security engineer at certain service security. Next we have Mr Avnish Pathak, a red team security consultant. Next we have Mr Sandeep Singh, co-founder and CTO at projectdiscovery.io. Finally we have with us Mr Jenish Sojitra, HackerOne top 25 of all time and lead security at Exodus, the most used Bitcoin wallet. On behalf of the BSides Ahmedabad team, I welcome each one of you.

Thank you. Hey guys, so we'll start our bug bounty panel. We have five guests here: Avnish Pathak, Sandeep Singh and Jenish Sojitra. I think they don't need any introduction, so we'll start from the first question. First I'll start, then I'll give you all a chance to ask questions to them at the end. So the very first question is: is CEH required for bug bounties?

Okay, so now I would like to elaborate just a little bit. I don't think any certificate is required for bug bounty. I think that's the beauty of bug bounty: you can just submit reports, and if it's valid you get paid for it. No one's going to check your resume or check your degree or your certificates, so you pretty much only need skills for bug bounty, no certificates, and
especially not CEH. What do you think, Bhav? I do not have any certifications, so I think... I still... you found 100K, yeah. So I totally agree with Farah: CEH is not actually important for bug bounty unless you're learning something from it. If you're just aiming for bug bounty and getting a CEH, it doesn't make sense. Or else, if you are aiming for a job or something, then I guess CEH or some other certification will be more important, so that you can tell the company that I've done CEH, I have done this certification, so it will help you. But yeah, it's not that important.

Yeah, I guess I agree with all. Not just CEH, any certification is not required if you really want to do it, and not just for bug bounty; I guess even for jobs these days, the bug bounty reports that you are disclosing also count. Let's say I see your profile for your skill set, so that is something you can also list. It's not a mandatory thing, but if you're learning something by doing those certifications you should definitely do it. It's not like it's not required so don't do it; if you get to learn something, you should go for it.

Yeah, so all of them already covered that it is not required, so can you please say it loud? Yeah, they already covered that it is not required to have a CEH certificate, but it is something that is nice to have when you go for a job, so like other certificates, such as OSCP, it is also important.

Great. That was a joke, actually: is CEH required for bug bounties or not? We'll start with the first question. Did they take it so seriously? So please tell us about your background: where are you from, where you studied and your day job, starting with Farah.

So I'm from Mumbai and I studied in Mumbai. I studied mass media, but a year into my degree I realized that this is boring and I don't want to do it, so I
started getting into hacking and cyber security. So yeah, that's how I started.

So I'm currently working as a senior security engineer with service cyber security. Talking about my background, I'm from Delhi and I did B.Tech in electronics and communication, and after that I went into development work, building mobile applications such as iOS, coding in Swift, React Native, Objective-C. I did that for like four years, and after that I moved to bug bounties and did that full time for, I think, three years before coming into security again as a full-time job.

Yeah, how I got started: it was a beautiful journey. I started in 2019, when I first attended the Nullcon conference, and actually got to meet Nicholson, and during that time those people were on the top of the game. Seeing them really motivated me to get started with everything, so that was the start where I got into bug bounty. I had my brother Rajneesh, who guided me with everything and taught me, helped me wherever the need was. As part of my education, I've done my bachelor's degree from Bangalore, and currently I'm working in Abu Dhabi as a red team security consultant.

Hi. About my background: I'm natively from UP, and I did my schooling and graduation from Mumbai, and after that I got into hacking, interested in hacking, and I got to know about bug bounty in 2014. Yeah, I did full-time bug bounty for five years and have been in the top three on the HackerOne platform. Later I also joined HackerOne as a security triage analyst and worked there for three years, and after that I really had a lot of ideas around automation that I learned in all these periods, and now I have co-founded ProjectDiscovery and am making those open source projects to make them available for everyone.

Yeah, so I started doing bug bounty in 2016, like when I started my college. I was interested in hacking and all, so I started with HackerOne, and I've been doing bug bounty full time since like the last four years. Later I joined my full-time job at Exodus, the Bitcoin wallet, where I also do security as a manager, so
HackerOne. So yeah, I heard about you from people when you scored like 30,000 in a day. Yeah, so I was rewarded like 30,000 five times back in 2018 for reporting multiple critical vulnerabilities in PayPal. Yeah, I heard about it from there only.

So can you tell us the struggle behind your bug bounty journey, when you started, what struggle you have gone through, starting from you only? Yeah, so when I started in 2015-16 there weren't many resources. Right now we have great influencers such as Farah and Stök and NahamSec, but back then it wasn't easily accessible to get our hands on bug bounty resources, so it was more of a struggle to get yourself onto Google, trying to search for things and trying to figure out things from blogs, YouTube. So it was pretty, like, I would say it was a struggle if you compare to the current times. So that was one of the things that was tough back in 2015-16, but we really had blogs accessible to us, such as the blog at geekboy.ninja, so certain things really helped.

Yes. So actually I just wanted to share about the things that I went through at that time; in fact, let's say it's now more relevant. At that time, for people who are starting doing bug bounties, the thing which I generally see is important is actually patience. So at that time when I started doing bug bounties, this is something I've mentioned before: I actually got my first valid bug accepted after six months of doing bug bounty and 54 reports being rejected. So there is a lot of patience there: you have to keep trying and wait and not just get discouraged and stop doing it. These are the things which are, let's say, now more relevant these days, where people, after getting one or two rejections, start to get demotivated or feel it's not working and leave at that time. That's the thing: you have to actually wait and be more patient and things will work out, but the key is you have to actually keep trying.

Yeah, so like Sandeep said, patience, and in between patience we need consistency, and that was the thing which I faced during my bounty days, like during my college days. I couldn't be consistent with bounty; I used to hunt on the weekend and then the whole week I had to just attend college and everything. Then later I just realized that this won't work; if I want to aim for long, this won't work. So I started giving my after-evening time
for my bug bounties, I used to be awake till late night, like two o'clock, three o'clock; I used to sometimes miss my college lectures also. But yeah, that was the thing: being consistent was something which I lacked in my starting days, but now as I keep getting bounties it keeps on adding for me, and these days I'm totally consistent, keep on focusing on everything. So yeah, that's the thing.

How did you buy 200k? So, talking about the struggle: I started bug bounties in 2017, and I didn't have much struggle with bug bounties because I already had the programming background, so I knew how things work under the hood. So the things that I learned during my development time I executed in bug bounties and it gave me rewards. So even when I started in 2017 I was ranked number five... and you know, pull the mic on you. So when I started in 2017 I was ranked number five in Yahoo itself, so I did not have much struggle with bug bounties. I think having a programming background really helps you, because you know how things work from the basics, so that really helps.

So I think for me the struggle was very much different from them, because when I started there were already a lot of resources available, so lack of resources was never a problem for me. But I think, again, building up that motivation, what Sandeep said, you lose motivation really easily; that was a huge problem for me. So what I started doing was I started thinking, like, where are the top hackers not hunting? Let me go there. And I think programs like VDPs, or programs that pay really less, or they just give a Hall of Fame, none of the top hackers are going to be hunting there, so why don't I start from there and I can find bugs maybe more easily, and that will help me at least build my motivation up. So I think if I would have to give advice to someone who's facing the same thing, you should start sacrificing a little bit on the money and maybe start hunting on VDPs or something that just gives you a Hall of Fame, because that will really help you build up your motivation and it will help you be more patient, and when you start looking for bugs on paid programs after that it'll be a little bit easier because you already know you are capable of finding the bug; you just have to be a little more patient. So yeah, thank you.

Thank you. So yeah, we asked some questions on Instagram and we got one question from someone
that how to upskill in bug bounties. Can we start from Bhav? Can you please repeat that question? How to upskill in bug bounties? So there are a few things that you can do. There are a lot of platforms you can try, for example PentesterLab; they have a lot of labs with various kinds of vulnerabilities. It can be XSS, CSRF, SAML vulnerabilities that you can try; that will really help you to upskill yourself. Apart from that there are certain courses like Hacker101 as well that you can also try. Apart from that, I would say, to really upskill yourself, try out new technologies that are coming up these days and try to understand how things work under the hood. That will really help you understand the core logic part and you can find better vulnerabilities.

Anything from Jenish? Yeah, see, I think this is a very important question, how to upskill in bug bounty. So what happens is once you start finding a particular bug we get settled into that particular bug style. So if I start finding CSRF, it is my comfort zone and I wouldn't be able to upgrade to some other kind of bugs. So what I think is best is to just stick to one target and try to find other bugs within the same target that you're already aware of, rather than trying to search for a new target and trying to find the same bug that you already know. Try to find another bug in the same target that you are aware of. So I think that is a great way to upskill in bug bounty. Thanks.

Anything you would like to add, Sandeep? Yeah, I would say keeping up with the trends, the current trends. Actually, it's good that we can be good at some vulnerability class and we should always, let's say, focus on that, but you have to keep in mind that any particular bug can be done at any point, for example the fix got published. So it's really important to know about what's going on and get to learn about those new things, and I guess once you have visibility of everything, those current trends, I guess that's really going to help to keep up with your upskilling.

So a mentor is very important in every aspect of life. Firstly, tell us who was your direct or indirect mentor and how it's really important in terms of bug bounties, starting from Farah. So I have had a direct mentor, I would say; that would be my manager when I worked at Appsecure. They really taught me a lot about web hacking, but the one thing I really appreciated about them in the way
that they taught is that they never gave me answers to my questions directly, or they never told me to read about something directly. They asked me questions about what I was facing. For example, if I was facing some weird behaviour in an app and I didn't know what it really was, instead of giving me the answer and telling me directly that "oh, this is what it is," and that's where the story ends, they didn't do that. They asked me more questions and then they told me to read about certain topics, and then I got my answer after that, and two days later they would ask me, "Hey, did you get your answer?" And then when I would tell them, they would confirm, "Okay, this is correct," or "This is incorrect," or "This is something you need to look into." So I think that's what a really good mentor does: they don't give you answers, because then you stop learning yourself; you just depend on other people to spoon-feed you. So as a mentor, I really appreciated that about them.

Well, so when it comes to security, for me Google is my mentor, because you can find everything on Google itself. But obviously during my early development days, when I was doing development, I had a mentor with whom I could clear my doubts and understand the basics, how things work. So having a mentor is really important at the initial stages, so you get your basics right. So yeah, that's all I had.

So when it comes to a mentor, I believe I'm very lucky; I had my brother at my home, Rajneesh. I guess that was like a good gift for me, where he supported me during my bug bounty days. He was already into bug bounty and he's still doing good in bug bounties, so he got me into this field. He used to get me into the conferences, used to get me to all the bug bounty people like the Indian bug hunters, and I am really just lucky to be in touch with all the Indian bug hunters. They've been really awesome during my journey; they all have helped me a lot and I believe, yeah, as the Indian bug hunters keep on posting... it's not working. Hello? Hello?
Yeah, so as I was talking about Indian bug hunters, I'm really lucky to be in touch with many of the Indian bug hunters, many of them sitting in the back seats. So yeah, I believe them to be my mentors, and my brother Rajneesh, and they kept on helping me wherever I faced anything. Sir?

Yeah, well, for me, I believe mentorship is a good thing, but firstly I have relied on self-interest; curiosity is what actually mattered for me, and that is something I always share with others as well: if you have that curiosity inside, you're definitely going to make whatever you are looking to do. And apart from the mentorship, I think also the circle you are in, that's also going to play its role in the area you're interested in, and that's why, let's say, for me, I always try to be in my bug bounty or infosec friend circle, so I keep, let's say, pushing on new things and the ideas or things like that. So yeah, that's for me the mentorship.

Jenish? Sandeep sir be like "I mentor myself". So yeah, about a mentor, I didn't really have any mentor, so I idolized everyone, so I just keep grasping things from everyone. So yeah, I didn't really need help, because everyone has something good to say; they are good too, they have good knowledge about a particular domain or something they are really good at, so that really helped, to get a connection with everyone. Thanks.

So collaboration is a pretty trending word nowadays, so I would like to ask a related question maybe: how important is collaboration, especially in the beginning of the bug bounty journey? Yeah, so before I started collaborating with someone, I was like, it's a... so later when I joined the live hacking events, I met people who had a similar skill set but in different domains. So for example, if I have a particular issue, like I was able
to bypass email verification, so I don't know what the impact is, how far I could go about this issue. So what I did is I shared it with someone and they really came up with an impactful scenario that led to critical findings, such as accessing the company's admin panel via bypassing email verification. So that is one example of how collaboration is really important, particularly for bug bounty. Yeah, Sandeep?

Yeah, I guess, as we can see on the HackerOne platform and any other bug bounty program, when we see the disclosed reports from collaborating hackers, it's pretty much clear, everyone will accept it, it's an impactful thing; you always want to do it. But what we actually need to keep in mind, or something we should do before the collaboration, is building trust with whomever you're collaborating with; that actually plays a critical role before starting with the collaboration thing. So make good friends, make sure you have trust between each other; once you have that, you start to share all the things within your circle, and once you're sharing the stuff you are always increasing your knowledge, no matter on the reports or in general. So it's pretty much clear: you should do it when possible.

So I haven't done any collaborations yet, but that's something I am really interested in, and it's really important to do collaborations, but you need to find the right person for it. If you can find the right person, then just go for it. Yeah.

So for me, collaboration is more like hacking with my friends. I don't think collaboration is supposed to be like you hacking with the best hacker in the world or something; you just need someone that has a little bit of a different mindset than you. Like, for example, once I saw this endpoint in Burp Suite and I was like, okay, this looks weird and I don't know what it is, and I just asked my friend, like, "Hey, do you know what this is?" and they're like, "Did you read the documentation?" So just that simple solution led us to a chain which led us to a bug. So just someone who can maybe just point you in the right direction, and you have to do the same for them as well. So yeah, collaboration can also just be fun, it can be chill; it doesn't have to be like very hands-on hacking with the best hacker in the world type of thing. That's what collaboration means to me.

Avnish, what is the one thing that you wish you did differently when you started bug bounties? What is one thing you wish you did differently when you started bug bounties? So one thing which I didn't do during bug bounty, like I missed something, is that during my starting days I just ran behind bounties
and everything, like I used to aim for low-hanging fruits and everything, and I believed that was success during those days. I believed getting a hundred dollars was my justification for success during that time, and I used to go for it, but I remember I got to know that if you're aiming for long, this won't work. So I got started learning the basics, getting started with everything, like learning new things. So yeah, I believe during the starting days I used to just focus on getting small bounties and just celebrate those bounties, but that won't work; in the starting days, if you're aiming for long, then go for everything, learn the basics, learn something new, and obviously you'll just succeed in this.

Jenish? Yeah, so I wish I could do this differently if I would have to start bug bounty once again: in the start I just kept hopping from one target to another target when I didn't find bugs. So if I'm hacking on target A and I don't find bugs for like two hours, I just jump to target two. So that really didn't help me to find my first bug, because later I learned that we have to stick to one program, even if the scope or the targets are very small. So I wish I didn't jump from one target to another target.

Okay, so the most important aspect of a bug bounty hunter is consistency. What do you do to stay focused and consistent, starting from Sandeep? Being consistent, yeah, I guess it's mostly about the focus thing; let's say what actually got you into doing what you are doing. So for me it was, let's say, when I got the first bug and reward, that feeling was something like I should keep continuing what I'm doing, and everything else was just a start. After that, I'll say I never thought about anything or looked back at anything; I just kept going with finding new bugs. Or let's say now there are so many things involved when it comes to platforms, there are rankings or invites or all that stuff, but yeah, I guess focus was more about finding as many bugs as you can without thinking about all the other things, and I guess I went with that flow for so long, at least for five years, and yeah, for me it was just doing what likely worked for me.

Bhav? For me consistency is really, really important, but there are days when you don't find anything interesting, right? So what I usually do is I stop hacking, I go to programming, try different technologies, try different things, how different things work. If something new has come up in the market,
any interesting development tool, something... If we talk about mobile development, there's Flutter coming up, so you will take Flutter and see how it works. That really helps you to understand how things are working and it also helps you to relax yourself from bug bounties. So that's what I do.

Sandeep, can you suggest some resources for upcoming bug bounty hunters? Okay, I'd say, for me, if you ask me one thing, what to suggest, I guess being active on Twitter. The Twitter security community is... let's say so many details about exploit discussion topics, so many things are being discussed all the time. So yeah, apart from that, I guess keep a watch on Hacktivity or any source where you are getting the information around new vulnerabilities or discussion related to it; just keep following it.

Jenish? Yeah, so one thing that really helped me from the start is this website called pentester.land. It contains all the write-ups since the start, day by day, and it also contains a weekly newsletter that also contains newly created resources, new bypasses and a lot more. So yeah, pentester.land is still what I use from the beginning of my journey. Resources for...?

So I think I really like Hacktivity as well; it's something that I use till today and I think every beginner should also keep up with Hacktivity reports. But apart from that, one resource that really helped me in the beginning was PortSwigger, because the way they explain things was very easy for me to understand, especially coming from a non-technical background. Also, if they talk about SSRF, they have like seven ways that SSRF can be bypassed and they have labs with that, so it's a really good way to practice, especially if you're a beginner, and to keep up with trends and keep up with what's new, Hacktivity is great. And also maybe you can subscribe to a newsletter so that every week, or however often it comes, in your inbox it can update you with the best resources of the week.

Jenish, what is the best and most interesting bug you have found till now, and what struggle have you gone through to create that exploit chain? So there is a website called ns1.com which actually hosts NS records of a lot of internet websites, big websites like Spotify, Dropbox, LinkedIn. So I found a zero-day in ns1.com itself back in 2019, with which I was able to access the DNS zone of almost all of their clients, which include all these big tech. So what I was able to do, like,
create a new subdomain, edit even the main domain and delete all the DNS records. So yeah, I reported it to lots of companies and it resulted in like a 90,000 reward. Yeah, so it was an issue using character manipulation, so I was able to claim the DNS zone very easily while just manipulating the characters, having a null byte at the end of the domain. Very easily, yeah. Crazy.

What about Sandeep? For me the most interesting bug was one which I have actually already blogged about. It was a stored XSS on Airbnb, actually, and the reason why I found it interesting was that it was actually challenging: it was a self stored XSS initially that I had to escalate to make it work for other users, and also I managed to escalate it to account takeover. So the challenge that was there was to actually escalate from being a self stored XSS to a remote account takeover for the Airbnb account. How many days would it take? They paid, I guess, collectively seven... five thousand, seven thousand five hundred. No, I'm saying how many days did it take to create that exploit? Oh yeah, actually it takes at least three, four days. Actually, when I identified the self stored XSS, it was more about the ways of finding how it can be escalated, and there was some previous reference about the concept that actually helped me. This is from Jack Whitton from Facebook, who used to work there at that time; there was a blog called "Turning self-XSS into good XSS". So even I blogged about it, my blog post right after it, the next version or let's say the other version of it. But yeah, it took some time to actually get all the chain to work together, and it's all around playing with the JavaScript, so just learning all the stuff for two, three days after finding the initial detection. Nice, nice.

Avnish? I guess for me my best bug was one which I found last year, during the COVID time. We were at home, nothing to do at home, I was just fiddling around on my computer, and yeah, there was one interesting target which is a very well known target on bug bounty, and many of my friends have worked on that. And on that, like, it was very common vulnerabilities, where I found around five to six account takeovers on a single login panel, like different functionalities, different methodology, like OTP bypass, login, different things. That was one of the most exciting for me, because for every finding, five findings, I got four thousand, four thousand, four thousand, and it was around twenty four thousand, I guess, yeah, 24,000 which I got for that. That was around, you know, in a single day, and I believe that
was like one of the best things. I even posted on Twitter like, it's raining in India, but it's raining bounties for me. And it's not till there: I used that bounty after two days for my mom's birthday, and I used that bounty amount, the bounties, and I gifted, my brother gifted, my mom a new house, like a second house in Goa. So I believe, yeah, that's something which I... and yeah, thanks. Congratulations.

So there's an interesting bug that I found... Apple 100K? No, it's a different one. So there was a website and it had "login with Facebook" functionality, and there was a request where it was taking a token parameter, where you can send the Facebook access token to get access to the account. So I was trying to find some vulnerabilities over there. The thing was, if you try to send any invalid token it will give you an error; it won't give you any other details, so you're not logged in. But what I found was, if you send a null character in the token, it will leak the Facebook secret key in the error response. So if you have this Facebook secret key in the response, you can access most of the settings of a Facebook application and make changes to it. So that was something that was interesting. Nice, nice.

Farah? So firstly, I feel major imposter syndrome, because these guys have some amazing bugs. But I think there was one time I found this bug where there was a Postman collection leaked, and the API endpoints were probably not sensitive, but there were authorization tokens in them, and one of them belonged to a developer in that company. So I looked for a few subdomains and I got access to the internal panel, and after that point I didn't really do much to exploit it, because that was critical enough to report. So yeah, that was, I guess, an interesting one that I found.

So what is the advantage and disadvantage of being a bug bounty hunter? Sorry, what is the advantage? What is the advantage and what is the disadvantage of being a bug bounty hunter? So see, advantages: of course money, right? Money is an advantage; it's a relatively huge amount of money you get from bug bounty. And you even get another advantage: challenge. If you like challenges, it is a great field to get challenged and to prove yourself to the world and yourself. Disadvantages, like, you feel burned out, you feel imposter syndrome. There are a couple of weeks when I don't find bugs and there are times when I find
bugs instantly. So yeah, there is one thing for disadvantage: when you feel imposter syndrome, you feel like you're doubting yourself. So that is the disadvantage of bug bounty.

I believe there's no disadvantage in bug bounty. As you said, burnout and all, that's a part of bug bounty; it's all advantage, because if you are doing good in bug bounty and if you're earning good money, you focus on your aim, you aim with the goal that you can achieve your goals which you have. You can achieve the luxury thing which you are aiming for, which you had in your childhood, like when you were 10 years old and aiming to have something luxurious, and who thought that you couldn't buy that or couldn't have that, and now when you're doing it and when you have that, so I believe that's something of an advantage. For me it's something that really helped me; coming from a middle-class background, bug bounty has really helped me a lot. We have achieved a lot using bug bounties, so I believe there's no disadvantage in bug bounty; just that burnout, depression, these all are part of bug bounty, and I guess we have to adjust with that. So there's no disadvantage.

So he raised a good problem: burnout is a huge problem. Is there any way you can tackle it? For burnouts, how do you tackle it? So I think I'm good at detecting when a burnout is coming, so I wouldn't say I've been through a proper, like, major burnout, but I can tell when it's coming. So when I do feel that, I take a break, I take like maybe one or two days off, and I don't just sit and do nothing; I actively ensure that I'm doing something else. Maybe I'm playing a sport, I'm going for a swim, or I'm socializing with my friends. I'm not just sitting in one place and feeling bad about not being able to hack or not being able to be productive. And then after taking that time off, I know I feel better. So I think it's a little bit simple, but I do see when it's coming, so I make sure I prevent it.

Jenish, apart from gym and protein shake? Sorry, what was the question? Apart from gym and protein shake, what do you do? Apart from gym and protein shake? Gym and protein shake, what I do about burnout? Sorry, apart from gym and protein shake, how do you tackle burnout? So see, I'm not able to tackle burnout, because when I take a break for one or two days and I come back to work, I feel more burned out. So yeah, I haven't been really
try to figure out I'm trying to figure out where to tackle but now but uh I just accepted move on and start working
I agree with what she said. If you're having a burnout, just take some time off and start doing other things, and that will help you to relax your mind, and you should be able to get into bug bounties again pretty soon. Just take some break and chill.

Sandeep, like, on this? Sometimes I feel lucky; I never experienced it, so there is no real input on that, but I acknowledge it is a real thing and many of, let's say, members in general in the community experience it, I think. But yeah, in general I will say if you're feeling something like that, just don't overdo anything. If you realize it at some point, just take a break.

And how important is it to have a knowledge of programming in bug bounty? I mean, during bug hunting, or I guess as Bhavuk mentioned at the start of the session, he actually, let's say, did not struggle, because he actually has the understanding of how the application is working, or anything that he's talking about, the programming language, which is true. And it's always good to have that background; it always keeps you on the advantage side, or you will, let's say, understand things more easily and better because you have some context. But on the other side, I would not say it's a required thing, but it will always keep you on the plus side compared to others, whatever you like doing.

So again, I think the answer to the first one is a requirement. But I have built a few applications when I started out, and the only reason I did that was to understand what it looks like from a developer's perspective or from the application's perspective. And that helps you as an attacker when you're trying to modify something or when you're trying to bypass something: you understand what they've built and it helps you modify your request or whatever you're trying to do. So it's definitely important. You can also do a lot with automation, so it helps a lot, but like I said, nothing is a requirement; you can submit a report if you find a bug.

Avnish? Yeah, regarding programming, as Bhavuk said, it has helped him a lot, so I do agree with him, because if you know how things are made, you'll easily get to know how to break them. So that's the plus point of knowing how the things are made. Like, for example, how this building is made: you know what all things are required, so you can just know how to break it. But yeah, it's not compulsory to have the knowledge. There are many people whom I know who don't have the actual programming knowledge but they're doing great in bug bounties. But yeah, it's really great to have the knowledge; knowledge never gets wasted.

Any tips for being productive? Starting from Janish, about being productive.

Have some discipline, and try to focus on what you want to achieve, whether it's bug bounty or anything else in infosec. Stick to your target. If you are doing bug bounties, pick a program that you like, try to learn about the products, challenge the product, challenge the way the product works, try to break it. So yeah, that's a way to stay productive in bug bounty.

Sandeep? Automation,
and just to, let's say, elaborate on that: generally we have discussion around the automation versus manual thing, and I feel it's a misleading topic in general, because when we talk about automation it's always about automating things which can be automated so you can focus on your manual testing. So automation is, let's say, always going to save your time: get your data before you start hacking. So whatever steps you're following, if you are seeing any patterns that can be automated, just automate it, so you don't spend more time repeating the same stuff.

That was the expected reply; you can make private templates and use them yourself. How about you, Avnish?

So for being productive, I will first suggest: fall in love with what you do. If you love what you do, you'll eventually be productive in it. So just fall in love with bug bounty; it's a really interesting and awesome thing. And other than this, as we face burnout and everything, do something else in a day, something productive, like go for something, right? Photography, something else, which will even deal with burnouts and also keep you productive in your day-to-day life.

Wow. So as Janish mentioned, don't switch targets often; it's really important. Just pick one target and start hunting on it as much as you can, because you need to deep dive into it to find bugs, and if you are able to deep dive, you can find bugs; there will be bugs over there. So that's one thing. Apart from that, to avoid burnouts and all, keep your health good; it will help your mind and everything. So yeah.

Farah? So I make a lot of to-do lists so that I can be productive. I use Notion; you just use something and write down what you want to do in a week before you start the week. That will give you some targets. And I think it's also important to not always rely on motivation to be able to work. Sometimes you'll not be motivated, but you still have things to do and you still want to be productive, so having discipline rather than motivation is something that I've learned to have. And I think if you eat well, if you sleep well, your body is going to allow you to be productive, and exercise. So sleep, eat, exercise, and your body is going to allow you to be productive. And if you mismatch any of those things, then you're not gonna feel good and you're not gonna feel like working. So yeah, these are the few things that I do to be productive.

Thank you. Anyone else would like to ask something to the panel?
Thank you so much for providing us such wonderful insights on bug bounty. My question to you guys is: what's your take on automated testing and manual testing, and what do you think is much better? And don't you think that automated testing is taking away the essence of hacking?

Yeah, I think this is exactly the point I was discussing a moment ago. It shouldn't be manual testing versus automated testing. The automation you do is around what you're doing manually; now you just automate that workflow. When you're doing the manual testing you have all the information, or let's say if you found any bug, let's say on Jira, for example, now whenever you want to hack next time on a Jira target, you want to collect all the Jira hosts that are running a particular version. Here the automation will help you to just collect all those hosts and present them to you; now you can perform your manual testing steps. So always take automation as a complement to your manual testing, and never see it as a versus, one versus the other.

Yeah, thank you. About the question, I think a combination of both automation and manual is really good. So for example, you can go from automation to manual and from manual to automation. For example, you try to find all the subdomains, so that's first automation, and later you dig into each subdomain, so later you turn it to manual. For manual to automation: you discover a domain and then try to find parameters by doing automation on the domain itself, so that way you turn manual into automation. So both of these are very helpful, and try to figure out what works for you.

And yeah, just to add to that conversation, let's say, for example, a real example: if you have one billion hosts, now you are not going to do manual testing on them one by one, so you take the help of automation to do the initial thing, and then you have the filtered stuff that you want to hack on. So they always complement each other.

There are certain things as well which you cannot automate, for example finding business logic issues that are applicable to a particular product, a particular website. You cannot automate that, right? So you need to do that with the manual approach. So it's a combination of both automated and manual.

Thank you so much. Anyone else would like to ask something?
Hello everyone, so I'm Epul Jaswal and I go by my alias, regards the proxy, in the online world. So I just want to know that, like, recently I landed in the corporate world, and I find that, sorry, just now, maybe one week ago, I landed in the corporate world. So usually I do bug bounty in my free time, so what I find, or what I noticed there, is that bug bounty is completely different from the penetration testing in corporate. So I just want to know from your experience, like, what kind of differences you face while doing pen testing and bug bounty. Also, both are similar, but as we're talking about, according to the corporate world it is completely different. So what's your view on it?

So I believe bug bounty and pen testing are totally different. Pen testing, like, as I work for my company: for bug bounty we just write something like "we found an XSS, navigate to this URL, this is it", finish. But for pen testing we have to provide everything in detail and have everything detailed, and also test the application completely. So in bug bounty not everything is tested completely, but in pen testing you test everything and give a proper report of everything. So yeah, I'd say it's totally different.

And yeah, I guess this is something I also wanted to mention when we were discussing the advantages or disadvantages of bug bounty, and this was a thought in my mind in the background. It is more about the freedom, the way you want to do it; there is no one to say to you that you are doing it wrong or right, or to instruct you. But in the pen test, or let's say in the regular job, you have a set of restrictions or steps that you have to follow. So there is a difference, and those things you will actually get to know or learn about by actually having experience of that, or going into the corporate scene. So that's kind of, not directly a disadvantage, but you will not get that experience only by doing bug bounty stuff.

Also, in pen testing you report best practices that you do not report in bug bounties, so that's another thing you need to do in pen testing. Also, when you are doing pen testing you need to write a report very clearly with the PoCs and with the proper remediations, how to fix that bug, so it helps the client for which you are doing the pen test, which is not applicable to bug bounties most of the time.

Yeah, I think there's also one important difference that you should understand: there's a difference between the audience of bug bounty and pen testing. So when you're writing a pen testing report it sometimes goes to an executive level also, so you have to write it in a way that people will understand, and they don't come from a technical background. Bug bounty, for the most part, is only handled by an internal security team and by triagers who have the technical information. So like you said, even if you just mention in one line "this is the XSS URL", that can be enough for a bug bounty report, but it won't be enough for a pen testing report. I think the use cases are also different: pen testing sometimes is used to check a lot of boxes in terms of compliance and stuff, and bug bounty is purely about impactful issues that can also lead to, like, revenue loss or whatnot.

Yeah, this is the major difference that I noticed in a week.

We can't take any more questions; we have a closing note at the stand and it's going to start right now, so we have to move there. Thank you. I would like to express my gratitude towards the community of BSides, the organizers, the founders, the panelists and the people who have gathered here. Thank you so much.