I Spent a Month on a Private Program and Earned $$$$$

Mohsin khan
3 min read · Sep 27, 2024


I hope you all are doing great.

I got 200+ likes, and I’m not great at tracking my time. So I thought, why not spend a month focusing on a single program and see if I can find bugs? I usually work 4–6 hours each day.

I wanted to make it challenging, so I picked a well-tested Bugcrowd private program (let’s call the program REDACTED) with a limited scope. It only includes the app and API domain in scope. Here’s the program overview:

There’s only one app and API in scope, and as you can see, nearly 300 bugs have already been found on this target. Many top bug hunters have already looked into it. I noticed that the top 10 hunters on the Hall of Fame each have 300+ points, and the #1 hunter has almost 800 points, which makes this target really interesting to me.

What makes it even more interesting is that a friend of mine, who’s in the top 100 on Bugcrowd, spent 3 months on this program and made $15k. I asked him if it’s still worth looking into, and he suggested going deep since most of the obvious bugs have already been found, and it’s not easy to find anything quickly now.

On July 15th, I started looking into this program and reported a few low-severity bugs, only to find that all three of my findings were duplicates.

I stuck with the program for about a month, or 40 days, working 3 hours a day, sometimes 6. After a week of focusing on the target, I found a few bugs that paid out, which gave me the motivation to keep going. Here are my stats from working over a month on this program:

Bugs I found: 39

23 IDORs found

The app uses both REST and GraphQL APIs, and I believe not many people realize that the application also uses GraphQL for the same tasks. After spending around 30 hours, I discovered the GraphQL endpoints and pulled all the queries, comparing them with the REST API. I found that GraphQL performs exactly the same actions as REST. Most IDORs had been fixed in the REST API, but every bug I reported for the GraphQL API came back with 0 duplicates. After investing a good chunk of time, I found 23 IDORs, which were honestly pretty easy to spot — just a matter of replacing IDs in the query variables. The hard part was discovering that the app used GraphQL at all, and I was lucky to find untouched APIs.

14 Privilege Escalations

It was a simple bug where a low-privileged user could perform actions meant for an admin or high-privileged user through the GraphQL APIs. The challenging part was building a model of the business logic in my head and crafting new attacks based on it. This took a lot of time, but the more I focused on the target, the better I understood its features, and the more bugs started to surface.
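Both findings above come down to the same root cause: the GraphQL resolvers trusted the IDs in the query variables and never ran the ownership or role checks that the REST handlers already had. The model below is an added example (not code from the post or the program) showing a vulnerable resolver next to its hardened form that reuses one authorization layer; the `User`, `invoice` and `invoiceId` names and the "member"/"admin" roles are assumptions.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class User:
    id: int
    role: str  # assumed roles: "member" or "admin"

# Constructed sample data: two invoices owned by two different users.
INVOICES = {101: {"owner_id": 1, "amount": 40}, 202: {"owner_id": 2, "amount": 75}}

class Forbidden(Exception):
    """Raised when the viewer may not act on the requested object."""

def authorize_invoice(viewer: User, invoice_id: int) -> dict:
    # Object-level check shared by every transport: owner or admin only.
    # Unknown ids are also Forbidden, so responses do not reveal which ids exist.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice["owner_id"] != viewer.id and viewer.role != "admin"):
        raise Forbidden(f"user {viewer.id} may not access invoice {invoice_id}")
    return invoice

def require_role(viewer: User, role: str) -> None:
    # Role check for operations reserved for high-privileged users.
    if viewer.role != role:
        raise Forbidden(f"operation requires role {role!r}")

# GraphQL resolver as the post describes it: the id comes straight from the
# query variables and nothing checks ownership, so swapping the id (IDOR)
# returns another user's record. The same missing check on a mutation is
# what turns into the privilege escalation described above.
def gql_invoice_vulnerable(viewer: User, variables: dict) -> dict:
    return INVOICES[variables["invoiceId"]]

# Hardened resolvers: the same checks the (already fixed) REST handlers apply,
# run against the variables before any data is read or changed.
def gql_invoice_fixed(viewer: User, variables: dict) -> dict:
    return authorize_invoice(viewer, variables["invoiceId"])

def gql_delete_invoice_fixed(viewer: User, variables: dict) -> bool:
    require_role(viewer, "admin")
    authorize_invoice(viewer, variables["invoiceId"])
    return INVOICES.pop(variables["invoiceId"]) is not None

def is_denied(resolver: Callable, viewer: User, variables: dict) -> bool:
    # True when the resolver refuses the request with Forbidden.
    try:
        resolver(viewer, variables)
    except Forbidden:
        return True
    return False
```

The point for defenders is that authorization belongs in one place the data layer calls, so a second transport such as GraphQL cannot silently bypass it.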

After dedicating a month of hard work, I’m proud to say I’ve earned a spot in the top 10 of this program!

That’s all from my side for now. I’m not very active on social media at the moment as I’m busy with some important tasks, but I hope to be back soon. Have a beautiful day ahead, and thanks for reading!
