Cyber Soldier | Software Engineer

13 July 2020

How I got my first private invitation to a bug bounty program?

by Najam Ul Saqib

Bug bounty platforms are rapidly gaining popularity among ethical hackers and penetration testers, they provide crowdsource solutions to different companies, hackers look for security loopholes in the websites and in turn they get paid for a valid submission.

But as such platforms are gaining popularity and more and more people are finding security bugs in public programs resulting in lesser vulnerabilities to be found left, private invitations are a better choice in this scenario, as the word "Private" explains the story, not everyone is allowed to hack on the private program like public ones. Only selected hackers based on their skill set and achievements are invited to private programs.

Hence, I got invited to one of the private programs, it is pretty confusing for newbies to know that how they can be invited to a private program but don't worry I'll make it clear & concise for you. 

HackerOne is a famous and probably number one bug bounty platform, with some hackers making over 1 million $ in bounties through this platform. This platform introduces an interesting way for you to learn hacking and making your path to your first private invitation. Hacker101 is a project of HackerOne in which they post videos and lectures related to hacking, they also have some CTFs for hackers to get hands-on experience. The interesting thing with CTFs is that CTFs carry points and once you complete some CTFs and get a total of 26 points you get invited to a private program, this cycle goes on, to get your next private program you have to get 26 more points in CTFs again.

You may have noticed that I have been posting walkthroughs of CTFs from Hacker101, that's exactly what I was doing, trying to hone my skills and smoothen my path towards the private invitation. I completed 26 points successfully and got a private invitation instantly.

Quite obviously, these are PRIVATE programs meaning that you are not allowed even to discuss their name in the public, forget about security bugs, if you do so, you are breaking the law and is committing a crime.

The CTFs I solved included many different vulnerabilities like XSS (Stored & Reflected), SQLi, IDOR, Privilege Escalation, etc so its a good practice as well to go through these CTFs.

I hope it is pretty clear to you about how you can also get a private invitation. If not, ask me in the comments.

tags: hacker101 - bugbounty - ctf - hackerone