Bear in mind that this is a blog post from someone who has been trying Bug Bounty Platforms for the past 8 days only. This is by no means a post based on a lot of experience in the area.

I started on Synack Red Team on January 30, 2020 and by the time I’m writing this blog post I’ve submitted two (2) findings. One was rejected for being a duplicate and the other was rejected because another researcher sent a better report. But overall I think I did a somewhat good job within seven (7) days on the platform.

However, not everything is a bed of roses. Those two findings, one medium (API Key Leak) and the other critical (I could wipe out a whole US govt website), took me around 3 days of work. And since both findings were rejected, it was 3 days of work that I didn’t get paid for at all.

Even though the paragraph above mentions the fact that I didn’t get any money out of it, I did learn a lot in the process. And also, money wasn’t my big incentive for doing it. I really want to step up my game as a Penetration Tester (and Red Teamer, but it doesn’t apply here) and Bug Bounty platforms will definitely push it to the next level. After all, you’re competing with a lot of people out there and testing real world systems.

This is another downside of such platforms: the number of people doing it right now. So you mainly have two options. You either speed up your submission, potentially at the cost of report quality, so you can be the first, or you take the time to write a thorough report with everything you have found. Each has its downsides as well: you can submit a long and detailed report and have your submission flagged as a duplicate, or you can submit it as fast as possible and have it flagged as not applicable/insufficient/lacking details, or even have it accepted but with a small payout.

Bug Bounty Flowchart

Now with Synack Red Team this is a bit different, since some targets have a 24-hour policy where all submissions are put on hold and only the best reports are flagged as accepted (which is what happened with my second submission). This is great because it enables the researcher to do a good job, take his/her time, and send a quality report. But, as far as I know, there is no exact definition of what a good report is and you don’t have visibility into what others sent (for the same finding).

So with eight days of active bug bounty experience I have no idea what to do next. Whether I should stay, try harder (I hate this sentence), and see what I can get in the future. Or whether I should simply ignore it altogether and focus on the Red Team (Threat Emulation) side, which I definitely love. Maybe even both? By spending less time on Bug Bounty, doing it once a week or so? Let’s see.


Edit(s):

  • 2/10/2020: Fix typos and add clarification paragraph about Synack 24-hour policy.