I gained over 1000 reputation points on HackerOne between April and June 2023!
I reviewed my past reports and would like to share 3 bug bounty tips with you!
I hope they are useful to you, have a great bug bounty journey, keep hunting!
Learning never stops; stay positive and keep learning
Last week, I attended the Researcher Appreciation Ceremony held alongside the prize ceremony of Jaga the STACK Finale 2022. The Researcher Appreciation Ceremony was held as part of GovTech’s Crowdsourced Vulnerability Discovery Programme (CVDP), where they will present various awards, such as the Top GBBP Researcher award.
I could vividly recall that the entire event was filled with not only students, but also working professionals looking for young and bright individuals for internships or job offers, as the student competition includes categories for a variety of education levels (e.g. University). Not forgetting that the organiser also invited the local white hat community to attend this event.
It was an honour to be the recipient of the following two awards:
It was an even greater honour to be able to receive the awards from our Senior Minister of State, Dr Janil Puthucheary.
The Government Bug Bounty Program (GBBP) is held multiple times within a year, whereby GovTech, the organiser, will liaise with various Singapore government agencies to invite them onto the program. After they have been on-boarded, they will provide a list of assets allowed to be tested by the invited white hat security researchers.
This post is a review of my bug hunting journey so far, from when I just started, to the point where I made it into the Top 200 bug hunters on Bugcrowd recently, after two years on the platform.
Like anything else in life, you must start somewhere, or you will never make it. The worst way to fail is to never even get started.
This is a write-up on the Gemini Inc: 1, a VulnHub machine designed to be vulnerable. This write-up aims to guide readers through the steps to identifying vulnerable services running on the server and ways of exploiting them to gain unauthorised privileged access to the server.
Disclaimer: this write-up is meant for security enthusiasts to set up and hack the machine locally, in a safe environment, while still having fun and getting to practice. VulnHub provides users with many vulnerable machines for practice, similar to the ones in the OSCP course lab (read about my OSCP journey).
As always, my advice for you is that you dirty your hands with the setup and try to hack the machines first before reading through my write-up; that way, you will be able to maximise your learning and enhance your thought process towards hacking and compromising a vulnerable machine.
I am happy to share that I have passed the CyberSec First Responder (Exam CFR-210) certification!
The CyberSec First Responder (Exam CFR-210) certification is designed for security professionals who are interested in pursuing a career in the defensive aspect of security. For example, to work on tasks such as to perform an analysis of threats, to design a secure network environment, to defend a network or to investigate a security incident.
Check out the official website of the CyberSec First Responder (Exam CFR-210) certification to read more about their official introduction.
My current job as a penetration tester is focused on the offensive aspect of security, which is also the first area where I started my career in the information security industry. Now, I still enjoy the offensive side of security very much.
As a penetration tester, it is almost mandatory to have the Offensive Security Certified Professional (OSCP) certification, so if you like the offensive side of security, go for their Penetration Testing with Kali (PWK) course and “try harder”; the examination is hands-on and the number of things you get to learn from it is enormous. If you’re interested, check out My OSCP / PWK Course Review, where I share my OSCP journey and also some tips to pass the exams and to get started more effectively.
I have been working in the IT industry for over 5 years now, of which over 2 years were in the information security industry. I hold the following security certifications before I passed my CyberSec First Responder (Exam CFR-210) certification: OSCP, CREST CRT, CPSA, CEH.