π Daftar Isi
1. Apa Itu Bug Bounty?
Bug Bounty adalah program yang dijalankan oleh organisasi atau perusahaan yang mengundang security researcher (atau "ethical hacker") untuk menemukan dan melaporkan kerentanan keamanan (vulnerability) dalam sistem mereka. Sebagai imbalan atas temuan yang valid, researcher mendapatkan reward berupa uang (bounty), pengakuan, atau merchandise.
Konsep bug bounty sudah ada sejak tahun 1995 ketika Netscape pertama kali memperkenalkannya. Namun, popularitasnya meledak sejak berdirinya platform seperti HackerOne (2012) dan Bugcrowd (2012) yang memfasilitasi hubungan antara perusahaan dan hacker secara terstruktur.
Bagaimana Bug Bounty Bekerja?
Diagram: Alur Bug Bounty
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β BUG BOUNTY WORKFLOW β β β β ββββββββββββ ββββββββββββββββ β β β Company βββ(1)βββΆβ Bug Bounty β β β β (Target) β Launch β Platform β β β β β Program β (HackerOne, β β β ββββββββββββ β Bugcrowd) β β β ββββββββ¬ββββββββ β β β β β (2) Publish scope & rules β β β β β βΌ β β ββββββββββββββββ β β β Security β β β β Researchers β β β β (You!) β β β ββββββββ¬ββββββββ β β β β β (3) Hunt for bugs! β β β β β βΌ β β ββββββββββββββββ ββββββββββββββββ β β β Company ββββ Submit β β β β Triage Team β(4)β Report β β β β ββββΆβ β β β ββββββββ¬ββββββββ ββββββββββββββββ β β β β β (5) Validate & Assign Severity β β β β β βΌ β β ββββββββββββββββββββββββββββββββββββββββ β β β Bounty Payout π° β β β β β’ Critical: $500 - $50,000+ β β β β β’ High: $250 - $10,000 β β β β β’ Medium: $100 - $2,500 β β β β β’ Low: $50 - $500 β β β ββββββββββββββββββββββββββββββββββββββββ β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Jenis Program Bug Bounty
| Jenis Program | Deskripsi | Contoh |
|---|---|---|
| Public Program | Terbuka untuk semua researcher β siapa saja bisa berpartisipasi | Google VRP, Microsoft MSRC, HackerOne public |
| Private Program | Hanya diundang β platform memilih researcher berdasarkan track record | Banyak startup dan enterprise memulai di sini |
| VDP (Vulnerability Disclosure Program) | Hanya pengakuan (hall of fame) β tidak ada reward uang | Banyak organisasi pemerintah |
| CTF-Based | Kompetisi β temukan bug terbanyak dalam waktu tertentu | Bugcrowd CTF, HackerOne CTF |
Statistik Bug Bounty
| Metrik | Angka |
|---|---|
| Total bounty dibayarkan (HackerOne, 2025) | >$300 juta |
| Rata-rata bounty Critical (Web) | $2,000 - $10,000 |
| Rata-rata bounty Critical (Kubernetes/Cloud) | $5,000 - $50,000+ |
| Top earner (2024) | >$1 juta/tahun |
| Jumlah researcher terdaftar (HackerOne) | >1 juta |
| Bug yang valid per bulan (rata-rata) | ~10% dari semua submission |
2. Platform Bug Bounty
Platform Utama
| Platform | URL | Jumlah Program | Kelebihan |
|---|---|---|---|
| HackerOne | hackerone.com | 2,000+ | Platform terbesar, banyak program public dan private, komunitas aktif |
| Bugcrowd | bugcrowd.com | 1,000+ | Managed programs, Vulnerability Rating Taxonomy (VRT) |
| Intigriti | intigriti.com | 500+ | Populer di Eropa, payout cepat |
| YesWeHack | yeswehack.com | 400+ | Fokus Eropa dan Asia, compliance-friendly |
| Open Bug Bounty | openbugbounty.org | Unlimited | Non-profit, responsible disclosure platform |
Program Tertentu (Direct Bug Bounty)
| Perusahaan | Platform | Max Reward | Cakupan |
|---|---|---|---|
| Google VRP | bounty.google.com | $100,000+ | Google products, Android, Chrome |
| Microsoft MSRC | msrc.microsoft.com | $250,000 | Windows, Azure, M365, Edge |
| Apple Security | developer.apple.com | $2,000,000 | iOS, macOS, iCloud, Apple ID |
| Meta (Facebook) | HackerOne | $50,000+ | Facebook, Instagram, WhatsApp |
| HackerOne | HackerOne | $50,000 | HackerOne platform itself |
Memilih Target yang Tepat
π‘ Tips Memilih Target untuk Pemula
- β Mulai dengan program VDP (gratis, untuk latihan dan reputasi)
- β Cari program yang baru dibuka β persaingan lebih rendah
- β Pilih target yang scope-nya luas (banyak subdomain, API, mobile apps)
- β Baca dan pahami scope dan rules SEBELUM mulai hunting
- β Hindari target yang terlalu populer (Google, Facebook) di awal β terlalu banyak kompetisi
- β Cari program private β biasanya lebih sedikit hunter, lebih banyak bug
- β Fokus pada teknologi yang Anda kuasai (framework tertentu, bahasa tertentu)
- β Periksa "response time" dan "average payout" perusahaan sebelum mulai
3. Persiapan Sebelum Hunting
Pengetahuan yang Harus Dimiliki
| Area | Topik | Sumber Belajar |
|---|---|---|
| Web Fundamentals | HTTP, HTML, CSS, JavaScript, DOM | MDN Web Docs, freeCodeCamp |
| Web Security | OWASP Top 10, XSS, SQLi, SSRF, CSRF | OWASP, PortSwigger Academy |
| Networking | TCP/IP, DNS, HTTP/S, proxies | CompTIA Network+, TryHackMe |
| Programming | Python, Bash, JavaScript (minimal) | Automate the Boring Stuff |
| API Security | REST, GraphQL, authentication, authorization | OWASP API Security Top 10 |
| Browser DevTools | Network tab, Console, Sources, Application | Chrome DevTools documentation |
Setup Lab untuk Belajar
Contoh: Setup Bug Bounty Lab
# ============================================ # Setup Lab Bug Bounty # ============================================ # 1. Operating System # Gunakan Kali Linux atau Parrot OS (sudah include tools) # Download: https://www.kali.org/get-kali/ # Atau install di VirtualBox/VMware: # - VirtualBox: https://www.virtualbox.org/ # - Kali VM: https://www.kali.org/get-kali/ # ============================================ # 2. Install Tools Essential # ============================================ # Update system sudo apt update && sudo apt upgrade -y # Browser Extensions # - Burp Suite (community/proxy) # - Wappalyzer (teknologi detection) # - HackTools (payloads reference) # ============================================ # 3. Proxy Setup (Burp Suite) # ============================================ # Download Burp Suite Community # https://portswigger.net/burp/communitydownload # Setup browser proxy: # Firefox β Settings β Network β Manual Proxy # HTTP Proxy: 127.0.0.1, Port: 8080 # Install Burp CA Certificate: # 1. Buka http://burp di browser # 2. Download CA Certificate # 3. Import ke Firefox: Settings β Certificates β Authorities # ============================================ # 4. Practice Platforms (Legal Hacking!) # ============================================ # PortSwigger Web Security Academy (FREE) # https://portswigger.net/web-security # β Interaktif labs untuk semua OWASP Top 10 # TryHackMe (FREE tier tersedia) # https://tryhackme.com # β Guided learning paths untuk web security # HackTheBox (FREE tier tersedia) # https://www.hackthebox.com # β Challenge-based labs # DVWA (Damn Vulnerable Web Application) # β Local vulnerable app untuk latihan git clone https://github.com/digininja/DVWA.git cd DVWA # Setup dengan Docker: docker run --rm -it -p 80:80 vulnerables/web-dvwa # Juice Shop (OWASP) # β Modern vulnerable app docker run --rm -p 3000:3000 bkimminich/juice-shop # Buka: http://localhost:3000 # bWAPP docker run --rm -p 8080:80 raesene/bwapp # Buka: http://localhost:8080/install.php # ============================================ # 5. Reconnaissance Tools # ============================================ # Subdomain enumeration go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest go install -v github.com/tomnomnom/assetfinder@latest # HTTP probing go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest # Directory enumeration sudo apt install dirb gobuster # Technology detection pip install wappalyzer
4. Metodologi Pengujian
Memiliki metodologi yang sistematis sangat penting dalam bug bounty. Berikut adalah alur kerja umum yang digunakan oleh hunter berpengalaman.
Tahap 1: Reconnaissance (Recon)
Recon adalah tahap pengumpulan informasi sebanyak mungkin tentang target. Semakin banyak informasi yang Anda kumpulkan, semakin besar peluang menemukan bug.
Contoh: Reconnaissance Workflow
# ============================================ # RECONNAISSANCE WORKFLOW # ============================================ # ---- 1. Subdomain Enumeration ---- # Method 1: Brute force subdomain subfinder -d target.com -o subdomains_subfinder.txt assetfinder --subs-only target.com > subdomains_assetfinder.txt amass enum -passive -d target.com > subdomains_amass.txt # Method 2: Certificate Transparency logs curl -s "https://crt.sh/?q=%25.target.com&output=json" | \ jq -r '.[].name_value' | sort -u > subdomains_crt.txt # Method 3: DNS brute force gobuster dns -d target.com -w /usr/share/wordlists/subdomains.txt -t 50 # Gabungkan dan deduplicate cat subdomains_*.txt | sort -u > all_subdomains.txt # ---- 2. HTTP Probing ---- # Cek subdomain mana yang hidup httpx -l all_subdomains.txt -o alive_subdomains.txt -silent # Dengan teknologi detection httpx -l all_subdomains.txt -tech-detect -status-code -title \ -o detailed_scan.txt # ---- 3. Port Scanning (jika diizinkan scope) ---- # Quick scan nmap -iL alive_subdomains.txt -T4 --top-ports 1000 -oX nmap_results.xml # ---- 4. Directory Enumeration ---- # Untuk setiap target yang menarik gobuster dir -u https://target.com \ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \ -x php,html,js,json,txt,bak,old,sql \ -t 50 -o directories.txt # Fuzzing parameter ffuf -u https://target.com/FUZZ \ -w /usr/share/wordlists/seclists/Discovery/Web-Content/api/api-endpoints.txt \ -o ffuf_results.json # ---- 5. JavaScript Analysis ---- # Extract JS files cat alive_subdomains.txt | katana -jc -o katana_js.txt # Analyze JS for secrets, API keys, endpoints cat katana_js.txt | grep -E '(api|key|token|secret|password|admin)' # Tool: SecretFinder python3 SecretFinder.py -i https://target.com/app.js -o cli # ---- 6. Parameter Discovery ---- # Discover hidden parameters paramspider -d target.com -o params.txt # Arjun (parameter bruteforce) arjun -u https://target.com/endpoint -m GET,POST
Tahap 2: Vulnerability Assessment
Contoh: Vulnerability Testing Checklist
# ============================================
# VULNERABILITY TESTING CHECKLIST
# ============================================
# ---- Authentication ----
β‘ Default credentials (admin:admin, test:test)
β‘ Password reset poisoning
β‘ Username enumeration (login, register, password reset)
β‘ Brute force login (rate limiting bypass)
β‘ JWT attacks (alg:none, weak secret, none algorithm)
β‘ OAuth misconfiguration (redirect_uri manipulation)
β‘ MFA bypass
# ---- Authorization ----
β‘ IDOR (Insecure Direct Object Reference)
- /api/users/123 β /api/users/124
- Change order_id, account_id in requests
β‘ Horizontal privilege escalation (access other user's data)
β‘ Vertical privilege escalation (user β admin)
β‘ Function-level access control (call admin API as user)
β‘ Bypass path traversal: /admin β /Admin β /ADMIN β //admin
# ---- Injection ----
β‘ XSS (Reflected, Stored, DOM-based)
- Input fields, URL parameters, HTTP headers
- Check CSP bypass techniques
β‘ SQL Injection
- Login forms, search fields, URL parameters
- Use sqlmap for automation
β‘ SSRF (Server-Side Request Forgery)
- URL parameters, file upload, webhooks
- Try: file:///etc/passwd, http://169.254.169.254/
β‘ Command Injection
- Input fields that execute system commands
β‘ SSTI (Server-Side Template Injection)
- {{7*7}} β 49 (Jinja2/Twig)
- ${7*7} β 49 (FreeMarker/Velocity)
# ---- Business Logic ----
β‘ Race conditions (simultaneous requests)
β‘ Price manipulation in e-commerce
β‘ Coupon/discount code abuse
β‘ Integer overflow (negative quantities)
β‘ Step bypass in multi-step processes
β‘ Time-of-check to time-of-use (TOCTOU)
# ---- API Security ----
β‘ BOLA (Broken Object Level Authorization)
β‘ Mass assignment (add role=admin in registration)
β‘ GraphQL introspection enabled
β‘ Rate limiting missing on sensitive endpoints
β‘ API versioning (older versions may be vulnerable)
β‘ Verbose error messages (stack traces, DB info)
# ---- Misconfiguration ----
β‘ Debug mode enabled in production
β‘ Directory listing
β‘ Exposed .git, .env, .DS_Store files
β‘ Default pages (Apache, Nginx, Tomcat)
β‘ CORS misconfiguration (Access-Control-Allow-Origin: *)
β‘ Missing security headers
β‘ Exposed admin panels (/admin, /dashboard, /wp-admin)
Tahap 3: Exploitation dan Proof of Concept
Contoh: PoC untuk IDOR Vulnerability
# ============================================
# IDOR Proof of Concept
# ============================================
# Temuan: Endpoint /api/v1/orders/{order_id} bisa diakses
# dengan order_id milik user lain
# Request oleh User A (order_id miliknya):
GET /api/v1/orders/1001 HTTP/1.1
Host: api.target.com
Authorization: Bearer eyJhbG... (token User A)
# Response: 200 OK β data order User A
{
"order_id": 1001,
"user_id": "user_a",
"items": ["Laptop", "Mouse"],
"total": 15000000,
"address": "Jl. Sudirman No. 123, Jakarta"
}
# =====================================================
# Manipulasi: Ubah order_id ke 1002 (milik User B):
GET /api/v1/orders/1002 HTTP/1.1
Host: api.target.com
Authorization: Bearer eyJhbG... (token User A β TETAP)
# Response: 200 OK β data order User B berhasil diakses! π¨
{
"order_id": 1002,
"user_id": "user_b",
"items": ["Phone", "Case"],
"total": 8000000,
"address": "Jl. Thamrin No. 456, Jakarta"
}
# =====================================================
# Impact: Attacker bisa:
# 1. Mengakses semua data order user lain
# 2. Mengetahui alamat, item, dan total pembelian
# 3. Menggunakan IDOR untuk enumerasi semua order di sistem
# 4. Potensi memodifikasi/menghapus order user lain
# Severity: HIGH (CVSS 7.5+)
# Category: OWASP A01 - Broken Access Control
# =====================================================
# Cara Mencegah:
# =====================================================
# 1. Validasi authorization di server: pastikan user hanya
# bisa akses resource miliknya
# 2. Gunakan UUID bukan sequential ID
# 3. Implementasi RBAC (Role-Based Access Control)
# 4. SELALU cek: resource.user_id === authenticated.user.id
5. Tools Penting
Reconnaissance Tools
| Tool | Fungsi | Install |
|---|---|---|
| subfinder | Subdomain enumeration (passive sources) | go install .../subfinder@latest |
| httpx | HTTP probing β cek host yang hidup | go install .../httpx@latest |
| katana | Web crawler β extract links, JS files | go install .../katana@latest |
| gau | Get All URLs β historical URLs dari Wayback, CommonCrawl | go install .../gau@latest |
| waybackurls | Wayback Machine URL extraction | go install .../waybackurls@latest |
| nuclei | Vulnerability scanner berbasis templates | go install .../nuclei@latest |
| ffuf | Web fuzzer β directory, parameter, vhost fuzzing | go install .../ffuf@latest |
Web Security Testing Tools
| Tool | Fungsi | Tipe |
|---|---|---|
| Burp Suite | Web proxy, intercept, modify, repeat requests | GUI (Community/Pro) |
| OWASP ZAP | Open source web security scanner | GUI (Free) |
| sqlmap | Automated SQL injection tool | CLI |
| dalfox | XSS scanner dan parameter analyzer | CLI |
| kxss | XSS reflection finder | CLI |
| interactsh | OOB interaction server (SSRF, blind XSS detection) | CLI + Cloud |
| jwt_tool | JWT analysis and attack tool | CLI (Python) |
Contoh: Automated Recon Pipeline
#!/bin/bash # ============================================ # RECON PIPELINE β simpan sebagai recon.sh # ============================================ DOMAIN=$1 OUTPUT_DIR="recon_$DOMAIN_$(date +%Y%m%d)" mkdir -p $OUTPUT_DIR echo "[*] Starting recon for $DOMAIN" # 1. Subdomain Enumeration echo "[+] Finding subdomains..." subfinder -d $DOMAIN -silent > $OUTPUT_DIR/subdomains.txt assetfinder --subs-only $DOMAIN >> $OUTPUT_DIR/subdomains.txt sort -u $OUTPUT_DIR/subdomains.txt -o $OUTPUT_DIR/subdomains.txt echo "[+] Found $(wc -l < $OUTPUT_DIR/subdomains.txt) subdomains" # 2. HTTP Probing echo "[+] Probing for alive hosts..." httpx -l $OUTPUT_DIR/subdomains.txt -silent \ -status-code -tech-detect -title \ > $OUTPUT_DIR/alive.txt echo "[+] Found $(wc -l < $OUTPUT_DIR/alive.txt) alive hosts" # 3. URL Discovery echo "[+] Discovering URLs..." cat $OUTPUT_DIR/subdomains.txt | \ gau --threads 5 > $OUTPUT_DIR/urls_gau.txt cat $OUTPUT_DIR/subdomains.txt | \ waybackurls > $OUTPUT_DIR/urls_wayback.txt cat $OUTPUT_DIR/urls_*.txt | sort -u > $OUTPUT_DIR/urls_all.txt echo "[+] Found $(wc -l < $OUTPUT_DIR/urls_all.txt) URLs" # 4. Extract Parameters echo "[+] Extracting parameters..." grep '=' $OUTPUT_DIR/urls_all.txt | \ qsreplace FUZZ > $OUTPUT_DIR/params.txt # 5. Nuclei Scan echo "[+] Running nuclei scan..." nuclei -l $OUTPUT_DIR/alive.txt \ -severity critical,high,medium \ -o $OUTPUT_DIR/nuclei_results.txt # 6. XSS Check echo "[+] Checking for XSS reflections..." cat $OUTPUT_DIR/params.txt | \ dalfox pipe --silence > $OUTPUT_DIR/xss_results.txt echo "[+] Recon complete! Results in $OUTPUT_DIR/" echo "[+] Subdomains: $OUTPUT_DIR/subdomains.txt" echo "[+] Alive: $OUTPUT_DIR/alive.txt" echo "[+] URLs: $OUTPUT_DIR/urls_all.txt" echo "[+] Params: $OUTPUT_DIR/params.txt" echo "[+] Nuclei: $OUTPUT_DIR/nuclei_results.txt" echo "[+] XSS: $OUTPUT_DIR/xss_results.txt"
6. Membuat Laporan yang Baik
Laporan (report) adalah bagian paling penting dalam bug bounty. Laporan yang buruk bisa menyebabkan bug valid di-duplicate (sudah ditemukan orang lain) atau informative (tidak cukup bukti). Laporan yang baik meningkatkan peluang bounty dan reputasi Anda.
Struktur Laporan Bug Bounty
Template: Bug Bounty Report
# ============================================
# BUG BOUNTY REPORT TEMPLATE
# ============================================
## Title: [Jenis Bug] di [Endpoint/Fitur] β [Impact Singkat]
# Contoh: "IDOR pada /api/orders β Bisa Akses Data Order User Lain"
## Summary
# Ringkasan 2-3 kalimat tentang bug yang ditemukan.
# Jelaskan apa, di mana, dan dampaknya.
"Endpoint /api/v1/orders/{id} tidak memvalidasi apakah user yang
meminta adalah pemilik order. Attacker dengan akun biasa bisa
mengakses order milik user lain hanya dengan mengubah ID."
## Severity: HIGH (CVSS 7.5)
# Tentukan severity berdasarkan CVSS atau platform rating
# Critical: RCE, Auth Bypass, Akses data massal
# High: IDOR, Stored XSS, SQLi terbatas
# Medium: Reflected XSS, CSRF, Info Disclosure
# Low: Version disclosure, Missing headers
## Affected Endpoint
GET /api/v1/orders/{order_id}
Host: api.target.com
## Steps to Reproduce
# Langkah SANGAT DETAIL β harus bisa direplikasi oleh siapa saja
### Step 1: Login sebagai User A
POST /api/v1/login HTTP/1.1
Host: api.target.com
Content-Type: application/json
{"email": "attacker@test.com", "password": "test123"}
Response: 200 OK
{"token": "eyJhbG...", "user_id": "user_a"}
### Step 2: Buat order baru (gunakan token User A)
POST /api/v1/orders HTTP/1.1
Host: api.target.com
Authorization: Bearer eyJhbG...
{"item": "Test Item", "quantity": 1}
Response: 201 Created
{"order_id": 1002, "status": "created"}
### Step 3: Akses order User B (IDOR)
# Ubah order_id dari 1002 ke 1001 (milik user lain)
GET /api/v1/orders/1001 HTTP/1.1
Host: api.target.com
Authorization: Bearer eyJhbG... (token TETAP User A)
Response: 200 OK β SEHARUSNYA 403 Forbidden
{
"order_id": 1001,
"user_id": "user_b", β User lain!
"items": ["Laptop"], β Data sensitif
"total": 15000000,
"address": "Jl. Sudirman..." β Data pribadi!
}
## Impact
# Jelaskan dampak secara detail:
# - Siapa yang terpengaruh?
# - Data apa yang bisa diakses?
# - Apa yang bisa dilakukan attacker?
# - Berapa banyak user yang terdampak?
- Attacker bisa mengakses data order dan alamat SEMUA user
- Data sensitif (alamat, item pembelian) terekspos
- Potensi untuk mengakses/mengubah/menghapus data user lain
- Jika dikombinasikan dengan ID enumeration, bisa dump semua data
## Remediation
# Saran perbaikan untuk developer:
# - Pastikan validasi authorization: check user_id === order.owner_id
# - Gunakan UUID bukan sequential integer sebagai identifier
# - Implementasi RBAC di level API
## Supporting Material
# - Screenshots (gunakan Burp Suite untuk capture)
# - Video PoC (jika diminta atau untuk bug kompleks)
# - HTTP request/response lengkap (dari Burp)
β οΈ Kesalahan Umum dalam Report
- β Tidak menyertakan steps to reproduce yang detail
- β Mengklaim severity terlalu tinggi (overrating)
- β Tidak menjelaskan impact secara konkret
- β Meng-submit bug yang sudah known/duplicate
- β Tidak mengikuti format yang diminta oleh program
- β Menyertakan screenshot tanpa konteks
- β Tidak menjelaskan remediation
7. Tips dan Trik untuk Pemula
Mindset yang Benar
| Mindset Salah β | Mindset Benar β |
|---|---|
| "Saya harus menemukan 0-day yang belum pernah ada" | "Saya akan menemukan bug logic yang developer lupa validasi" |
| "Saya perlu tools yang paling canggih" | "Saya perlu memahami cara aplikasi bekerja secara mendalam" |
| "Saya akan kaya dalam semalam" | "Bug bounty butuh kesabaran, konsistensi, dan pembelajaran terus-menerus" |
| "Saya harus hack seperti YouTuber terkenal" | "Saya akan fokus memahami fundamentals dan membangun metodologi sendiri" |
| "Automation semua!" | "Automation + manual testing = kombinasi terbaik" |
Strategi untuk Mendapatkan Bounty Pertama
π‘ Strategi Bounty Pertama
- PortSwigger Academy selesai: Lengkapi semua labs β ini memberikan fondasi yang sangat kuat
- Fokus pada bug yang jarang dicari: IDOR, business logic, race condition β jarang di-automate
- Cari program baru: Program yang baru diluncurkan = lebih banyak bug belum ditemukan
- Baca disclosed reports: Belajar dari laporan yang sudah dipublikasikan di HackerOne Hacktivity
- Manual testing > automation: Tools automated sudah dijalankan semua orang β manual testing yang menemukan bug unik
- Jangan menyerah: Rata-rata bounty pertama datang setelah 3-6 bulan konsisten
- Bangun reputasi: Submit ke VDP dulu, dapatkan valid/reputation, lalu dapatkan invitations ke private programs
- Bergabung komunitas: Discord, Twitter, Reddit β belajar dari hunter lain
Etika dan Legal
β οΈ PENTING: Aturan Etika dan Legal
- HANYA test target yang ada di scope β jangan test sistem yang tidak diizinkan
- Jangan akses data user lain lebih dari yang diperlukan untuk membuktikan bug
- Jangan menyimpan data sensitif yang Anda temukan β hapus setelah PoC
- Jangan melakukan denial of service (DoS) kecuali secara eksplisit diizinkan
- Jangan melakukan social engineering terhadap karyawan target
- Laporkan segera β jangan simpan vulnerability untuk eksploitasi
- Patuhi responsible disclosure β berikan waktu yang wajar untuk perbaikan
- Di Indonesia: Patuhi UU ITE (UU No. 11/2008 jo. UU No. 19/2016) β unauthorized access adalah tindak pidana
8. Quiz: Uji Pemahamanmu!
Setelah membaca tutorial di atas, jawablah 5 pertanyaan berikut untuk menguji pemahamanmu tentang Bug Bounty: