Finding Hidden Bug Bounty Programs with Google Dorking
Over the years, the bug bounty universe has matured a lot. Popular platforms like HackerOne, Bugcrowd and Intigriti are swarming with skilled researchers, making it challenging for newcomers to secure their first bounty. What many researchers overlook, however, is the wealth of independent bug bounty programs that aren't hosted on these mainstream platforms.
Companies of all sizes maintain their own security vulnerability disclosure programs that aren't as widely known or targeted. These programs can be discovered through strategic Google dorking - a technique that uses advanced Google search operators to find specific information that might not be easily accessible through conventional search methods.
Why Independent Bug Bounty Programs?
Before we dive into the techniques, let's understand why independent programs are worth pursuing:
- Lower Competition: Independent programs often have fewer participants, which means less competition for bounties.
- Direct Contact: Some programs offer direct contact with the security team, which can lead to faster responses and more opportunities for collaboration.
- Rewards: Whilst rewards aren't guaranteed in the way they are on mainstream platforms, some independent programs offer gratuitous rewards, although your mileage may vary. Even without a reward, you can hone your skills and build a reputation that can eventually lead to private bug bounties.
Why NOT Independent Bug Bounty Programs?
There are a few reasons why you might not want to pursue independent bug bounty programs:
- No Platform Support: Independent programs are not hosted on mainstream platforms like HackerOne, Bugcrowd, or Intigriti. This means that you won't have the same level of support and resources as you would on these platforms.
- Iffy Scopes: Independent programs can sometimes have limited scope documentation, be it due to immaturity in the bug bounty program space, or negligence. This can make it difficult to determine what you have permission to test, and what you don't. In these cases you should err on the side of caution - personally I wouldn't give such bounties a second look.
- Rewards Are Not Guaranteed: Whilst some independent programs offer rewards, oftentimes they are specified as optional and gratuitous. In other words, you are not entitled to a reward, even if you get something juicy.
Google Dorking for Bug Bounty Programs
Google dorking is a technique that uses advanced Google search operators to produce more granular search results. It is also used in other security fields, such as open source intelligence (OSINT).
Here are some of my favourite dorks for finding independent bug bounty programs:
Rewards
- site:*.*.uk intext:security report reward
- intext:security report reward inurl:report
- responsible disclosure reward r=h:nl
- responsible disclosure bounty r=h:nl
- inurl /bug bounty
- site:security.*.* inurl: bounty
- site:*.*.de inurl:bug inurl:bounty
- intext:responsible disclosure bounty
- "If you find a security issue" "reward"
- "If you believe you've found a security vulnerability"
- inurl:/.well-known/security ext:txt -hackerone -bugcrowd -synack -openbugbounty
- responsible disclosure:sites
- responsible disclosure r=h:nl
- responsible disclosure r=h:uk
- responsible disclosure r=h:eu
- responsible disclosure swag r=h:nl
- responsible disclosure swag r=h:uk
- responsible disclosure swag r=h:eu
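The /.well-known/security dork above surfaces security.txt files, which use the "Field: value" format defined in RFC 9116. As an added example (not from the original post or the referenced repository), this Python code parses such a file and lists gaps worth noticing before relying on a program, such as a missing Policy link or a past Expires date. The sample file and the function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Field names defined by RFC 9116; other lines (PGP armor, "Hash:") are ignored.
KNOWN = {"contact", "expires", "encryption", "acknowledgments",
         "preferred-languages", "canonical", "policy", "hiring"}

# Constructed sample file; every value here is made up for illustration.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# Constructed example
Contact: mailto:security@example.com
Expires: 2030-01-01T00:00:00Z
Policy: https://example.com/security-policy
"""

def parse_security_txt(text):
    """Return {field name (lowercased): [values]} for recognised fields."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if sep and value and name in KNOWN:
            fields.setdefault(name, []).append(value)
    return fields

def vet(text, now=None):
    """Return a list of reasons to treat the file as incomplete or stale."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    issues = []
    if "contact" not in fields:
        issues.append("no Contact field (required by RFC 9116)")
    if "policy" not in fields:
        issues.append("no Policy link, so scope is not documented here")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        issues.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None or when <= now:
                issues.append("Expires is in the past or lacks a UTC offset")
        except ValueError:
            issues.append("Expires is not a valid date-time")
    return issues
```

An empty list from `vet` only means the file is well formed and current; the linked policy still has to be read to learn what is in scope.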
References
Most of these came from this repository by sushiwushi. Thanks sushiwushi!