Mastering Bug Bounty: The Secrets of hunting bugs by Devansh Chauhan

BSides Noida · 55:11 · 728 views · Published 2024-11
About this talk
Welcome to the 7th episode of The BSides Weekly Podcast! 🎙️ In this exciting episode we delve deeper into the world of bug bounty 💻 with Devansh Chauhan, a freelance bug bounty hunter at NIL, who was recognized in the list of the top 15 researchers for securing NCIIPC. He has received Hall of Fame honors and letters of appreciation from Apple, Drexel University, knaw.nl, and many more, and has collected bounties from a lot of renowned organisations 🌐. This episode might be a goldmine 🌟 for students who want to get started in bug bounties and grow from there. ✨

Episode highlights:
💼 Bug bounty tips: Devansh shares tips to help beginners learn.
☄️ Mistakes to avoid: Devansh shares the past experiences that led him to success.
🔥 Career advice after bug bounties: this episode contains crucial advice for rookies in cybersecurity.

🔑 Key takeaways:
💫 Getting started in bug bounties: Devansh decodes the core things needed to get started in bug hunting and how newcomers can build a future in it.
⚡️ Skillset required: Devansh talks about the mixed skillset needed in areas like web security and network security, as well as a deep understanding of vulnerabilities.
🏆 Rewards and recognition: Devansh explains the rewards and recognition that learners receive as they learn and grow in bug bounty 💸.

🌟 Stay connected with Devansh Chauhan to keep learning more:
🔗 LinkedIn: https://de.linkedin.com/in/devansh-chauhan-b36b6a1b1
📸 Instagram: https://www.instagram.com/devanshchauhan_?utm_source=ig_web_button_share_sheet&igsh=ZDNlZDc0MzIxNw==

🌟 Don’t forget to hit Subscribe and follow us for more episodes where we decrypt the best in cybersecurity:
🐦 Twitter:
🔗 LinkedIn: https://in.linkedin.com/company/bsidesnoida
📸 Instagram: https://www.instagram.com/bsidesnoida/
Transcript [en]


Hopefully we are live now and everything is going smoothly, so let's start with today's podcast. All right, welcome to the BSides Noida podcast, everybody. I'm your host Karthik from BSides Noida, and welcome to the BSides Weekly Podcast. Today we have a very special guest; his name is Devansh Chauhan. He's a talented freelance bug bounty hunter and a cyber security enthusiast. Devansh has made significant contributions to the field, earning recognitions from top organizations and securing a spot as one of the top researchers for NCIIPC in 2023. Welcome Devansh, we are honored and very privileged to have you with us today. And how's your weekend? I'm good, Karthik, thank you for inviting me.

Perfect, and I'm really looking forward to today's podcast because, just like the majority of us, you are exactly doing what the majority of us want to do: bug bounty hunting. And personally I'm also very interested in knowing how you got started. So I want to tell my viewers, let's take a like arto, and let's start with today's podcast. All right, so Devansh, the first thing that I really want to talk to you about, and I actually start my conversation with every guest with this question only: why cyber security? So how did you get into this field, and why cyber security specifically? Can you please tell us

about that? Okay, in my college time I was keen on... I had seen an internship of Gurugram Police cyber security, so I was keen interest of cyber security, so I applied for the internship and luckily I got admitted into the internship.

I came into this interest. That is very good, and that's actually very unique. So you were already in college. For our viewers, I would like to tell our viewers that our guest has done PCA in computer science, and when you did that, you got into this field by getting an opportunity to work as an intern at Gurugram Haryana Police, right? Right, yes. Okay, so over there, while you were working, you met people, I'm assuming both students as well as professionals, and then you realized that you were interested in this field. Yes. All right, that's great. Also, so in cyber security there are various domains, right,

people get into secure... people get into code analysis to make sure that, you know, the code, the web application, is secure enough; people become SOC analysts, people get into blue teaming. Why bug bounty? Is there any reason you specifically came into bug

bounty? Okay, that's crazy. And so while you started your journey, I'm sure you must have faced a lot of challenges, right, like any other individual. So can you tell us about a few challenges that you faced when you were starting your career in cyber security and bug bounty in specific?

All right, that's interesting, and I mean it is crazy to know, and I would like to tell our viewers as well, including me, most of the people suffer from imposter syndrome, right, and I'm sure... but I am actually curious to know that once you started your journey in Gurugram, as you said, then from there you got interested in bug bounty, you started learning about that, and then how did you get involved with, you know,

NCIIPC? Also, sorry to interrupt you, before you tell about that, can you please tell our viewers about NCIIPC? Sure, NCIIPC is an Indian government organization

Okay, and I'm assuming... okay, around 500 bugs

All right, so you started as a bug bounty hunter for the Indian sites, as you said, and you reported, as you said, more than 500, which is nuts. But as soon as you had 500 plus reports you got a working opportunity over there, I'm assuming as a full-time, right? So you had an opportunity to work over there. You got an opportunity? Yes. That's really nice, and this is exactly why we have you today, because we want to talk about how you got started, and we also want to talk about the technical skills and tools so that freshers and students, and not only students, I also feel working professionals who belong

to a different working background, even they can get motivated to start in this field. So let's talk about a few technical skills and tools, and obviously biased, because you can obviously be biased, as you should be. Particularly when you start a new project, right, let's assume you went to a bug bounty platform and after going over there you saw a particular project that you are interested in, and you decide, okay, I want to find bugs in this particular domain. So I actually want to know what tools and methodologies you use frequently, and how do you find... vulnerability assessment and pentesting

Okay, that's great. And, for example, my personal question to you is, whenever I enter into a bug bounty program,

right, the domain name, usually whenever I personally, for example, use SubFinder to find the subdomains, right, and you know a person, especially a fresher, a beginner, gets overwhelmed. How do I streamline? So in that particular specific, is it something that comes with experience, or what?

fap.com

intern fap.com. All right, makes sense, makes sense. And although you already spoke about it, you gave us a glimpse of your journey or your process as well, and that was actually my next question, and I would really appreciate it if you could tell our viewers, because I think this is the only question... bug bounty, we want to know the process, how do they find bugs. So that is my next question to you: when you get a project, when you get a domain that you have to find bugs on, is there any step-by-step procedure? Do you have a checklist that you go through and you tick off the checklist for vulnerabilities? What exactly does a day in

your life on a project look like?

extension, Wappalyzer. Ah, yes.

Okay, so you have one particular checklist and, with experience, accordingly, all the subdomains

how you find... I mean that is the overall bird's-eye view of how you find bugs, yeah. All right. Also I was curious to understand about automation; you spoke about automation a bit, and I'm very happy that you spoke on your own about automation, because that is something that I'm personally interested in as well. According to you, does automation play a big role in bug bounty, and if so then why and how? Can you please tell us? Okay, according to me automation plays a good

role.

okay

Okay, all right, so you feel that automation and manual testing need to go hand in hand, right? It is not like... because then you'll be missing out, and you'll be spending a lot of time doing the repetitive task. All right, and in case of automation, is there any particular tool that you use? Yeah, a script which you run on the majority of, you know, your targets.

Okay, okay, and like that, and that script, I'm assuming obviously with experience, when you got to know about new tools you try to include and integrate those tools in your script as well, I'm assuming, right? Yes. So script... it is a long journey. So do you recommend bug bounty or aspiring bug bounty hunters to use someone else's

makes sense, makes sense. Also, one of the biggest issues that our target audience, and not even target audience, but people in the whole cyber security profession feel, is that it is so difficult to stay up to date, right. I feel this is probably one of those fields in which you can't get complacent, and if you get complacent then, you know, you're left behind, right. You have to stay updated; there are so many different vulnerabilities coming out each and every other day. So I'm actually curious, how do you keep yourself updated? So, h lter

Okay, so that's interesting. Okay, so you personally prefer to read rather than watching videos, in general, of, you know, content creators or technical stuff

related. Okay, makes sense. And another thing that you said: do you feel that even though you're not studying a course, but because you read regularly, almost every other day as you said, creators, favorite bug bounty hunters' blogs, Mediums, so in a way you do study every other day, you know, to stay up to date. Okay, that's interesting, that's really interesting. And my next thing was, I want to talk to you about vulnerability disclosure programs, and first of all I'm sure

vulnerability disclosure programs and bug bounty programs seem similar, so can you please elaborate on that, and can you give our viewers a rough idea of what the difference is

about? Okay, VDP, vulnerability disclosure

programs. Okay, all right, makes sense. Then, I mean, out of curiosity, why would a person like you still recommend people to go to VDP programs instead of bug bounty programs?

uh okay

Okay, all right. And you know these days, on LinkedIn, on X, whenever a bug bounty... recently you try to look at who is doing what in bug bounty, usually people talk a lot about, okay, I got a $10,000 bounty, right, I got a $1,000 bounty, and people, I remember myself as well, I used to get really demotivated in the sense that I used to feel I'm also, you know, trying for that, but am I good enough, am I doing something wrong, and that really discourages people, that really discourages students, beginners, right. So in that particular... when, how, you know, you are where you are, right?

Now I will try my best, I will learn from them, I will read their articles and all. Okay, so again, comparison is the thief of joy; you should not compare your journey with others. All right, makes a lot of sense. And we were talking about VDP and bug bounty programs, right, and I wanted to talk about organizations now. According to you, let's assume that there's an organization by the name of ABC, right, and ABC organization now has a product or they have a web application, and they obviously need to make sure that it is secure. So in your particular case, which option is better: is it to have an in-house team of

security professionals that will make sure that, you know, the product is safe, or do you think that it is better to have a bug bounty program in which bug bounty hunters all over the globe can try and find the application's vulnerabilities? So what do you think about that, which is better? I think bounty

programs rather than in-house security teams. All right, and according to you, if a bug bounty hunter actually reports a vulnerability in an organization's application, then how should the organization handle that vulnerability report, like how should they handle that report, and how frequently should they stay in the loop, and what should they do about

it? Priority. All right

P1 critical, P2 high, P3 medium, P4

low. Okay

Yeah, okay. And also another thing: when you submit a report, in the report are you supposed to submit the remediation as well, in the sense that this is the vulnerability, this is how I exploited it, and in order to patch this you have to do this?

Okay, but it is not compulsory. Yeah, all right, okay, makes sense. And now I actually wanted to shift the podcast to another section in which I want to talk about achievements, recognition and your personal experience, if I may put it that way. So let's start. I know, I mean you said you reported 500 bugs only in Indian websites, which is crazy in itself, but do you remember your first bug that you reported, by any chance? Yeah. What exactly did you feel? Okay

Okay, Facebook, Twitter and all. Facebook, this link is broken

Okay, Facebook... broken link, yeah

50. Wow, that's crazy. And was it also the first bug, like, on a live website? Yeah, first. Wow, first, and that motivated you to find 500 of them. That's actually very interesting, you know, because in the majority of cases, maybe including me, whenever we think about bug bounty the majority of people think, okay, SQL injection, cross-site scripting, CSRF, SSRF; like, people always try to get into those technical terms and they forget the basic things. It is such a simple vulnerability but at the same time so impactful, and I think, say, a related subdomain hijacking attack, and I think that is crazy. That's actually very interesting that you said. Also, first I

would really like it if you could tell our viewers about your most recent one. Okay, take

to. All right, so take

a. All right, makes sense. Okay, and also, if you could tell us about your favorite bug that you have ever found? Favorite, okay

password for password

link this it's a Hotpot

all right and

I'm

obviously but which

Apple, Google, Apple, Google and Uber, Ola or Mercedes, Porsche, or I think you got the point. We got the point. That's crazy, really. I mean that's really motivating, to think about how you started your journey by meeting like-minded people in your internship program, and how you started learning on your own; you so regularly watch Medium blogs and that's how you update yourself and stay up to date with the latest technology. I mean that's really inspiring. And so the next thing is actually about community and collaboration that I wanted to talk about. First of all, do you feel

networking in cyber security, or in any profession for that matter, do you feel networking matters?

That's great, that's great, man. And so for, in case of networking, community

join I start when

All right, okay. And what advice would you give to newcomers, especially in the bug bounty hunting space, that are looking to learn more and also make a name for themselves?

You have to, like, learn

daily. You have to learn daily. Also

All right, okay. And in your particular case, when you started your journey in bug bounty, did you take any particular

online resources? Did you pay for a course? How did you get so much knowledge? Okay, so I learned on my own. I used to see videos on YouTube and read Medium blogs, and from them only I learned and I got the idea. So you basically, like, the basic bugs in the websites, and then slowly slowly I went on to medium, high and critical. All right, so do you believe that it is... I mean you are an example, but still I have to ask you this question. People a lot of times say that, you know, learning anything in security is so difficult in the sense that it is so expensive, I mean there are certifications,

you talk about courses. Do you feel that, you know, you don't necessarily have to pay for courses to get started in bug bounty, you can learn from online resources? So you can learn from online resources also,

but so you can take a course also. Okay

basic. Okay, yeah. All right, and do you have any particular blogs, yeah, you know, a particular course in mind that you would recommend students out there to go and get, so that they can... do you have any course or anything in mind? Yes sir, actually I have a course, a live course, next month. All right, so you'll be teaching the students. Yes, I will be teaching live and it will be from beginners to advanced categories: critical, high, medium and low. All

right, okay. And, like, before, if anybody wants to learn that, do you expect any prerequisites from the viewers? Anyone, any beginner can join and learn. Any beginner can join and learn. Or

yeah, makes sense, that's great, man. And actually, how can one enroll in this particular live course, like do they contact you on LinkedIn or do you have a website, how do they do so? They can contact me on LinkedIn. Okay, and then you can help them out. Yes. That's perfect, that's great. So everybody watching, if you guys want to learn bug bounty and if you want to get started, I would definitely go and check it out; you can hit him up. I'm sure he's a very nice guy and he would 100% be able to take out time and, you know, help others out. Do you actually... and, you know, talking about

this, do you actually believe that contributing back to the community really helps the person contributing as well? Yes, I think it's very

helpful; everyone has a different mindset. All right, and now we want to switch to the next section of the podcast, which is about freelancing, and mainly about time management, and also a question, because our viewers would like to understand your mindset behind your choices. So what do I mean by that: usually when a student graduates from their undergrad, in the majority of cases they either go for higher studies or they go for the regular 9-to-5 jobs, the standard 9-to-5 corporate jobs, right, but you, on the other hand, decided to go for full-time bug bounty hunting. So I want to

know what motivated you to pick freelancing bug bounty hunting over a corporate job.

Okay, do bug bounty as a freelancer, freelancing

All right, so that's the main reason you decided to go for freelancing over a 9-to-5, because you wanted to operate on your own time, right? Yes. All right, and that is exactly the next question that I was going to ask you, which is: you've been working as a freelancer for some time now and obviously there are pros and cons, right. So according to you, can you tell us a few of the pros, although you did tell a few, but the pros and maybe cons of freelancing? Okay, freelancing

flexible. All

right, 9... yeah, duplicates. That's actually the other thing that I wanted to talk about. So freelancing, and bug bounty in specific, as you said, there is no... I mean you can earn $10,000 from one bug, but you can also earn nothing by reporting 10 bugs, because, you know, when you reported it... So do you feel luck also plays a major factor in bug bounty hunting? Okay, yeah, I feel like a little luck is good, but you should know the proper techniques and the bypasses also.

Like, all right, that makes a lot of sense. And you said that one of the pros of working as a bug bounty hunter is that you are not restricted to one project at a time; you can basically work on various projects, right. So personally, on your day-to-day tasks, do you work on one project or multiple projects, and if you do work on multiple projects, then how are you able to take out time for each particular project? Because I'm

assuming... it used to get so overwhelming for me personally. So how do you manage giving proper time to each project, and how do you manage all these three different projects at one time? Okay, so

All right, and overall, in your bug bounty career, are you able to... do you have a personal social life, are you able to take out time for yourself, or is this your only true passion, or do you enjoy something else as well? Bounty

as so to take time. All right, and in your freelance career, I'm sure that you must have faced burnout, right, obviously you must have faced burnout in your career, and if so then how did you cope with it, and do you have any tips for individuals out there who are facing burnout as well?

duplicates

valid. Makes sense, and from that we're going to be moving to the last section of the podcast. Devansh, I'll tell you about the last section: we basically tell our viewers one week in advance that this is the guest that's going to be coming, so we told them about you, we told them that you're a bug bounty hunter, and they obviously have a few questions, so we roll out a Google form and they ask those questions, and I'm going to be asking a few of them to you which I feel, you know, everybody has. So let's start with the first one. The first question is, yeah, in your particular case, in bug bounty hunting, do

you feel that a person with no technical background can start? Basically my question is, can a person from a non-technical background also become a bug bounty hunter? Okay

H yeah

so yeah, I... it into cyber security then. Ah, okay, okay, that's very interesting. So you feel even if you had commerce or arts in school, and if you have little to no knowledge of programming, you can still get started, and starting... again, then obviously, you know, once you stay consistent you can do it. That's great. And the other thing, obviously, a podcast regarding cyber security, and certifications are possible, so according to you, do certifications matter, the first part of the question, and the second part, if they do, then do you have any personal favorite or any certification that you recommend students to get? Okay, so

certification, company certification. Okay, favorite: OSCP. Ah yeah, cyber sec. All right, perfect. And the last question was, yeah, that's exactly... and before I ask this question I would like to tell our viewers as well, you're currently pursuing a Masters in cyber security from Germany, abroad, right. So the thing was, according to you, do students need to go for a particular professional graduate or postgraduate Master's course in computer science or cyber security to get started, or, as you said earlier, it's not required to get started? It's not required, but if you want to gain some extra knowledge, and like an advanced level, then yeah, you can pursue Masters.

All right, and out of curiosity, is there a particular reason that you decided to pursue a masters from abroad, especially from Germany? Yeah, actually I wanted to gain some international exposure. Okay, like international, all right, that makes sense. Yes, all right, that is perfect. And the last question was about... oh, there are two questions, and I'm sure you'll be able to answer them very quickly. The second last question is about programming; you already spoke about it, but again, just to reiterate, according to you, is it necessary for a bug bounty hunter to have experience in programming, or do you feel it is not so

important, but if you have it it's a plus point? Okay, programming is important

All right, because I'm assuming if you know how to code then maybe you can automate your stuff out of that checklist, scans, I think, right. And the last question is obviously about AI. There are so many different companies now that have laid a lot of emphasis on artificial intelligence, machine learning, basically automating pen testing or red teaming in general, right; there are even companies that are trying to automate blue teaming. So according to you, if companies are successful, which they obviously are, does this mean that bug bounty is something that in future... will AI or automation replace bug bounty hunters? What do you

think about that? Okay, aut

inre

Okay, so that's... I think that's very good news for all of us, the majority of us, because... that's great, man. And all right, I think that was all for the podcast. That's a wrap for this episode of BSides Weekly. We hope you guys found today's conversation with Mr Devansh Chauhan as inspiring and as insightful as we did. Devansh, before we finish this podcast, do you want to tell the viewers something about the course that you already spoke about a bit, but maybe you want to tell our viewers again about it? Sure, I'm going to take a course next month, from beginners to advanced

techniques, live classes. Perfect, that's great. And for that you can obviously hit Devansh up on LinkedIn; his LinkedIn profile URL is obviously down in the description, and we can also pin it in the comment section. His work obviously has a lot of highlights, and he is in a very evolving bug bounty field in cyber security. Be sure to check out next week's podcast, because we're going to have another expert and a lot of good discussions. Don't forget to subscribe, press that bell icon and stay connected with us to explore the latest things in cyber security. Until then, I'm your host Karthik Karma, and I'm

from BSides Noida, and as always, we are beside you. Thank you.