Bug Bounty Cartel Stories - December Edition

Hack, Evolve, Conquer the Bounty

Welcome to the December Edition of the Bug Bounty Cartel Stories

This month has been an incredible journey, filled with numerous challenges, valuable lessons, and, of course, a lot of bugs! From the 7th of last month to the 15th of this month, I decided to focus solely on one program. It was a rewarding experience that brought great results, making these 40 days an exciting chapter in my bug hunting journey.

During this period, I discovered a total of 80 bugs in that program, with more than 50% of them being accepted, and I received bounties for them. I still have a few reports in the triage stage, but overall, it has been a productive period.

Now, let's dive into why focusing on one program for an extended period can be incredibly beneficial and reflect on my experience over the last month.


The Power of Focus: Why Single-Program Dedication Works

In my opinion, dedicating yourself to one program for a long time is one of the best strategies a bug hunter can adopt, especially if you're following the manual approach. When you immerse yourself in a single program for an extended period, you begin to build a deep understanding of its inner workings. The more time you spend, the more familiar you become with the app’s structure, how each function interacts, and where potential vulnerabilities may lie.

At first, everything may seem overwhelming, but with time, you develop a sort of “sixth sense” for where the bugs are likely to be. By continuously analyzing the app and its features, you start to recognize patterns, identify weak points, and uncover hidden bugs. This in-depth familiarity opens doors to more discoveries. Each bug you find helps refine your understanding of the target and often leads to even more bugs waiting to be found.

The process is iterative: as you uncover vulnerabilities, you build a more complete view of the application, and your ability to spot new issues improves exponentially. This cycle of discovery is both rewarding and effective for consistent bug hunting success.


How I Started the Month

I kicked off this month by continuing the work I started last month on the program. Having spent considerable time analyzing the target, I gained a deep understanding of how things worked. I felt like I had pretty much covered everything on the main web app, so I shifted my focus to the Android app.

Working on the mobile app proved to be incredibly rewarding but also required a lot more effort to find bugs. The analysis steps were quite different from those I followed for the web app, and since I was still new to mobile app testing, I had to adapt quickly. I used my knowledge from the web app to map out the mobile app, and then I focused on identifying the differences between the web version and the Android version. The more I worked on the mobile app, the more I was able to uncover really cool bugs. Sometimes, these mobile app bugs even sparked ideas for testing the web app, where I was able to find additional vulnerabilities.

Here’s a breakdown of my findings on the Android app:

  • 12 bugs found

    • 9 accepted bugs

    • 3 duplicates

After completing the analysis and testing of the Android app’s functions, I thought I might be done with this target. But I still felt the urge to get more out of this program, so I decided to shift my attention to the API.

At first, I hesitated because I had already worked extensively with the API on both the web and Android apps, and I thought there wouldn’t be anything new to find. But I pushed myself to dive deeper.

I set up Postman and began testing the API endpoints with different permission levels and combinations. The result was nothing short of amazing—I discovered 18 bugs:

  • 9 accepted bugs

  • 6 triaged

  • 3 duplicates

The experience taught me a valuable lesson: sometimes, it’s worth pushing past initial doubts and going further than you think. In the end, it was a great decision that yielded fantastic results.


A New Target, A New Challenge

After wrapping up API testing, I found myself craving a new challenge. I decided to shift focus to a new target and am now collaborating with Lolamero on it. Transitioning after spending 40 days immersed in a single program—one that yielded solid bounties—wasn’t easy. It felt like stepping away from a comfort zone where I had found most of my success. But I reminded myself that success isn’t tied to one target; it’s about trusting Allah, working hard, and continuously moving forward.

We've been working on the new target for 10 days now, and I’m confident we’re on the right track. Our focus has been on thoroughly testing its functions and analyzing the JavaScript (JS) code. While I’ve never been the biggest fan of JS, I’ve discovered that diving deep into the code can actually be enjoyable. As we explore the documentation and scrutinize the code, I’ve started noticing small but crucial details that I might have overlooked before. These subtle clues have already led to some exciting bug discoveries.

So far, the results have been promising. Over these past 10 days, we've been making steady progress—testing, analyzing, and reporting quality bugs. The process is far from over, and I’m eager to see where this collaboration leads us. We're still actively working on the app, and I’m optimistic about uncovering even more impactful bugs in the days ahead.


Push Yourself: Unlock New Skills and Grow

One of the most important aspects of growth is constantly challenging yourself to try new things, especially those you wouldn't normally do. This month, I pushed myself to step outside my usual focus, trying things like hacking Android apps for a bug bounty program and testing API endpoints by going through the API documentation. These were areas I hadn't explored deeply before.

The first time you do something new often brings a mix of feelings: the discomfort of unfamiliarity and the fear of the unknown. But it’s in those moments of uncertainty that true growth happens. Even though I already had knowledge of APIs and Android apps, I had never put them to the test in a real-world bug bounty scenario. This was my opportunity to apply what I knew in a practical setting, and it was rewarding. Pushing myself out of my comfort zone opened up new skills and opportunities.

By stepping into these areas, I not only unlocked new skills but also gained confidence in my ability to tackle challenges. The key takeaway is that testing new methods and pushing beyond your comfort zone will always lead to growth, helping you develop a unique style that reflects both your abilities and your personal approach.


Key Lessons of the Month

  1. Focus Fuels Mastery – Committing to one program deepens understanding, leading to more successful bug findings.

  2. Adaptability is Essential – Shifting between platforms (web to mobile) can be challenging, but core skills remain transferable and crucial.

  3. Push Beyond Doubts – Pushing past hesitation, like when I almost skipped API testing, often leads to unexpected rewards.

  4. Details Matter – Small details in code or documentation are often the key to uncovering valuable bugs.

  5. Trust the Journey – True success comes from persistence, hard work, and embracing the process, not just focusing on the target.


2025 New Year Plan: Leveling Up and Expanding My Skills

As we step into 2025, my focus is to continually evolve and challenge myself to reach new heights in bug hunting. This year, I’m committed to exploring new technologies and fields to push my skill set further. Here's a breakdown of my goals for the year ahead:

  1. Expand into New Technologies:

    • Web3 Security: Dive into decentralized applications and smart contracts to uncover vulnerabilities in the Web3 ecosystem.

    • Desktop App Hacking: Learn the ins and outs of desktop app security, gaining expertise in testing different platforms.

    • Client-Side Vulnerabilities & JS Bugs: Deepen my understanding of client-side bugs and JavaScript vulnerabilities to stay ahead in modern web app security.

  2. Refining Bug Hunting Skills:

    • Continue honing my manual bug hunting techniques, improving my ability to spot vulnerabilities by dedicating time to analyzing complex applications and systems.

  3. Embrace New Challenges:

    • Take on increasingly difficult bug hunting challenges to improve my problem-solving skills and unlock new discoveries.

I look forward to the challenges and rewards that lie ahead as I continue my journey in the world of bug bounty hunting. Here's to another year of learning, growing, and, most importantly, finding bugs! See you next month!