
Ask HN: Any student bug bounty hunters? - lukezli
Have any students been rewarded for bug bounties/does security research as a hobby? I'm working on a journalism project on student bug bounty hunters and would love to ask a couple of questions.

Please comment/email me if you'd be willing to help! I'd really appreciate it.

I also have personal experience doing this kind of stuff (I've found/been rewarded for bugs in Facebook/Google/Firefox/Apple) so happy to talk about my own experiences with anyone I'd be interviewing!
======
teacup
I'm a student, but not a bug bounty hunter by any means. I've come across a
few security bugs, nothing huge, and normally just send emails to the company
with a quick note about what I've found. Every once in a while it leads to a
little cash or so. I don't intentionally look for bugs, it just so happens
that I enjoy poking other things to see what happens. The biggest bug I ever
found was a wee-little searchbar error in LinkedIn (if you typed a very specific
gibberish string into the searchbar, you could crash Safari. To this day I'm
still not exactly sure why), and instead of money, the guy offered me a job.

Am I a student bug bounty hunter? No. I'm a student that sometimes breaks things
and tells people when I do.

~~~
trill_daddy
Hey, how did you get into poking things till they break? I just got into a comp
sci program and I'm clueless about all of this.

~~~
teacup
Poke things.

Seriously though, I started because I wanted to secure my server. So I looked
at how other people secure servers better. Sometimes I looked so deep I found
errors, normally little things like leaving a default account set up, or
leaving FTP wide open.

If you're looking for some generic response like "Just go to
[http://hunt4.bugs](http://hunt4.bugs)", I don't think one exists.

------
elyrly
Take a look at -
[https://bugcrowd.com/programs](https://bugcrowd.com/programs)

Here's some resources - [https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102](https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102)

------
teapot01
I made 7.5k for a Facebook vulnerability that I found while procrastinating
instead of studying for exams.

Haven't done much since though.

~~~
lukezli
Wow, awesome! Do you mind answering a few follow up questions via email or
something? You can drop me a line at the email found in my profile:
[https://news.ycombinator.com/user?id=lukezli](https://news.ycombinator.com/user?id=lukezli)
(I can't find your email unfortunately).

Really appreciate your help, and no worries if you're busy!

------
schwede
I'd be interested in hearing others' comments, since I'm also interested in
getting into bug bounty programs as a hobby.

~~~
i336_
Seconded, I'd like to play around with this too but am not really sure where
to start.

I get the impression the big bucks are in black-box proprietary/commercial
systems? My only experience is with finding a small credential-leakage design
flaw in an open source web app while poking through its source code one day.

I currently view most bug bounty hunting a bit like this -
[https://www.corsix.org/content/malicious-luajit-bytecode](https://www.corsix.org/content/malicious-luajit-bytecode) - so any
suggestions about where to get started would be interesting. I'm not talking
about "this is what XSS is", I'm talking megalists of recent compromises with
annotated source code, that sort of thing. That would be both engaging,
mentally challenging, and highly educational.

(As an aside, there _was_ that one time I accidentally crashed Uppsala
University's PDP-11/70 a few months ago (the logout program may have stepped
on some kernel data structures :D), but that was kind of a fluke.)

