Reflection on my Bug Bounty Journey 2022
Synack Bug-bounty Program
Last year with Synack Red Team has been a wholesome experience for me.
My journey with Synack started in October 2021, but I have only started to get more hands-on since February 2022. Within the span of next 10 months, I was managed to reach the Level 5 in Synack and won 15of15 award twice in my Level-1 and in my Level-3. Due to my performance, I was inducted to Synack Acropolis within 4-5 months. I mainly hunt on synack since their payout is quite fast and very responsive customer support.
The first few weeks in synack was completely new, Since it is a private bug bounty program and I had to learn lots of new procedures which they incorporated and had to follow it. Since everything was properly documented in their help-guide. This helped me alot to understand and their customer support and the community people on Slack channel were really helpful and quite fast.
Synack only accept Impactful findings as a valid one. So for ex: findings like Security headers , Cookie Flags, TLS/SSL misconfigurations won’t be accepted, unless you show an Impact on it. For ex: phpinfo() output won’t be accepted as sensitive Information exposure until you show an Account Takeover possibility using that exposure. This gives me a new dimension and to always look for more Impactful finding during my every assessment. Not only that, they also thrives in report quality. This helped me alot to improve at my current work as well.
After few weeks, I understood the process and expectation from synack and then I have started to find bugs and started to make a good report as well. This helped me to improve my report-writing skills as well. I won the first month 15of15 award for Level-1 in synack and same during septemeber 2022 for the Level-3 as well.
Then, I have started to find more bugs on the platform on the regular basis. I have reported 54 vulnerabilities last year in below categories mentioned in the bar diagram. Majority of the vulnerabilities are from the categories Cross-Site Scripting and Access Control/IDORs
I have received the coins for each level from synack as a token of appreciation along with their first-vulnerabiliy swag, which they give to SRT for finding their first vulnerability on the platform.
By end of the year, I managed to reach Level-5 in Synack. Personally, It was a great amount of learning and findings bugs and competing with best hackers around the world. I would like to find more vulnerabilities in 2023 and also focus on the other vulnerabilities categories as well.
Leveled up to 0x05! pic.twitter.com/B7hPbyGa72 via @SynackRedTeam
— Siva Rajendran (@0xSh1v4) December 9, 2022