Chapter 36 Quiz: Bug Bounty Hunting
Question 1
Who became the first teenager to earn $1 million through bug bounty hunting on HackerOne?
A) Katie Moussouris
B) Santiago Lopez
C) Alex Birsan
D) Frans Rosen
Answer: B Santiago Lopez from Argentina became the first person to earn over $1 million through HackerOne in 2019. He was self-taught, having learned to hack through YouTube videos and blog posts.
Question 2
What is the primary difference between a public bug bounty program and a private program?
A) Public programs pay more money
B) Public programs are open to all registered researchers while private programs are invitation-only
C) Private programs only accept critical vulnerabilities
D) Public programs do not require platform registration
Answer: B Public programs are open to any registered researcher on the platform, while private programs require an invitation based on the researcher's reputation, skills, and track record. Private programs typically have less competition.
Question 3
What is a Vulnerability Disclosure Program (VDP)?
A) A program that forces organizations to disclose all their vulnerabilities publicly
B) A program that accepts vulnerability reports but does not offer monetary rewards
C) A program that provides free penetration testing to nonprofits
D) A government database of all known software vulnerabilities
Answer: B VDPs accept vulnerability reports and provide legal safe harbor but do not offer monetary rewards. They typically offer recognition or reputation points and are a good starting point for new researchers building their track record.
Question 4
Which of the following is typically OUT OF SCOPE for most bug bounty programs?
A) Stored Cross-Site Scripting (XSS)
B) SQL Injection
C) Denial of Service (DoS) testing
D) Server-Side Request Forgery (SSRF)
Answer: C Most bug bounty programs explicitly prohibit denial-of-service testing because it can disrupt services for real users. Programs want researchers to find vulnerabilities, not cause outages.
Question 5
What tool would you use for subdomain enumeration during bug bounty reconnaissance?
A) Metasploit
B) Subfinder
C) Burp Suite Repeater
D) Hashcat
Answer: B Subfinder is a passive subdomain enumeration tool that discovers subdomains using OSINT sources like certificate transparency logs, DNS databases, and search engines. It is a core tool in bug bounty reconnaissance workflows.
Question 6
What is the purpose of using httpx in a bug bounty recon workflow?
A) To exploit HTTP-based vulnerabilities
B) To probe discovered subdomains for live HTTP/HTTPS services and gather metadata
C) To perform SQL injection attacks
D) To crack HTTP Basic authentication
Answer: B httpx is used to probe discovered subdomains to determine which ones are hosting live web services. It provides information such as status codes, page titles, technologies detected, and content length, helping researchers prioritize targets.
Question 7
What is vulnerability chaining in the context of bug bounty hunting?
A) Finding the same vulnerability across multiple applications
B) Combining multiple lower-severity vulnerabilities into a higher-impact attack chain
C) Submitting multiple reports for the same vulnerability
D) Using automated tools to find vulnerabilities in sequence
Answer: B Vulnerability chaining involves combining multiple findings -- each potentially low-severity on its own -- into a complete attack chain that demonstrates a higher-severity impact. For example, chaining an open redirect with an OAuth misconfiguration to achieve account takeover.
Question 8
Which bug report element is most important for ensuring the vulnerability can be validated by the triage team?
A) Remediation recommendations
B) CVSS score calculation
C) Detailed, numbered steps to reproduce
D) Impact assessment
Answer: C Clear, numbered reproduction steps are the most critical element. If the triage team cannot reproduce the vulnerability, the report will likely be closed as "Not Applicable" or "Needs More Information," regardless of how well-written the rest of the report is.
Question 9
What is a subdomain takeover vulnerability?
A) Gaining admin access to a subdomain's hosting panel
B) Hijacking DNS for a domain by compromising the registrar
C) Claiming a service that a dangling DNS record points to, allowing control over the subdomain's content
D) Brute-forcing subdomain names to find hidden services
Answer: C Subdomain takeover occurs when a subdomain's DNS record (typically a CNAME) points to a service that has been deprovisioned. An attacker can claim the service (e.g., create an S3 bucket with the name the CNAME points to) and serve arbitrary content on the subdomain.
Question 10
What is the recommended approach when your bug bounty report is marked as a duplicate?
A) Publicly disclose the vulnerability to pressure the company
B) Submit the same report to a different platform
C) Accept it gracefully and optionally ask when the original was reported to improve your timing
D) Demand that the company pay both researchers
Answer: C Duplicates are a normal part of bug bounty hunting. The professional approach is to accept the outcome gracefully. You may politely ask when the original report was submitted to help calibrate your research speed for future hunting.
Question 11
In SSRF exploitation, what is the significance of the IP address 169.254.169.254?
A) It is the standard loopback address for testing
B) It is the cloud provider metadata service endpoint that can expose IAM credentials and instance configuration
C) It is a reserved address for DNS resolution
D) It is the default gateway for container networking
Answer: B The IP address 169.254.169.254 is the cloud metadata service endpoint used by AWS, GCP, Azure, and other cloud providers. Accessing it via SSRF can expose sensitive information including IAM role credentials, instance identity tokens, and configuration data.
Question 12
What is a race condition in the context of web application security?
A) A competition between security researchers to find the same vulnerability first
B) A vulnerability where concurrent requests can exploit timing windows in application logic
C) A type of denial-of-service attack that overwhelms server processing
D) A vulnerability in time-based authentication tokens
Answer: B Race conditions occur when application logic does not properly handle concurrent requests. An attacker can exploit timing windows to perform actions multiple times (e.g., redeeming a coupon code more than once) or bypass validation checks.
Question 13
What is the purpose of Google dorking in bug bounty hunting?
A) To exploit Google's own vulnerabilities
B) To find exposed sensitive information, credentials, or internal assets indexed by search engines
C) To speed up Google search results
D) To block Google from indexing your findings
Answer: B Google dorking (using advanced search operators) helps researchers find exposed sensitive files, credentials, internal documentation, and other information that organizations may have inadvertently made accessible via search engines.
Question 14
According to the chapter, what is the most common mistake that gets bug bounty reports rejected?
A) Submitting too many reports at once
B) Using automated tools
C) Insufficient detail and missing steps to reproduce
D) Requesting too high a bounty amount
Answer: C Insufficient detail is the most common reason for report rejection. Reports that lack clear reproduction steps, specific URLs, or supporting evidence cannot be validated by triage teams and are frequently closed as incomplete.
Question 15
What does BOLA stand for in the OWASP API Security Top 10?
A) Broken Object Level Authorization
B) Broken Online Login Authentication
C) Basic Object Listing Attack
D) Buffer Overflow Lateral Access
Answer: A BOLA (Broken Object Level Authorization) is the top API security risk according to OWASP. It occurs when an API does not properly verify that the requesting user has authorization to access the specific object they are requesting, enabling IDOR-style attacks.
Question 16
What should you do if you accidentally access a large volume of sensitive user data during bug bounty testing?
A) Download it all as proof of concept
B) Continue testing to assess the full scope
C) Stop immediately, report the exposure, and delete any local copies of the data
D) Contact the users to warn them
Answer: C If you accidentally access sensitive data, stop testing immediately. Report the exposure to the program and delete any local copies of the data. The goal is to demonstrate the vulnerability exists, not to collect actual user data.
Question 17
What is the advantage of live hacking events (LHEs) compared to regular bug bounty programs?
A) They have no scope limitations
B) They typically offer higher payouts, direct interaction with program teams, networking, and intensive collaboration
C) They allow testing of internal networks
D) Reports from LHEs are never marked as duplicates
Answer: B Live hacking events bring selected researchers together (in-person or virtually) for intensive, short-duration hacking sessions. They typically offer higher bounty multipliers, direct access to program security teams, networking opportunities, and a collaborative atmosphere.
Question 18
Which of the following is NOT a recommended practice for full-time bug bounty hunters?
A) Tracking time and earnings to calculate hourly rate
B) Building a 6-month financial buffer before going full-time
C) Specializing in a single vulnerability type exclusively
D) Diversifying income sources beyond bug bounties
Answer: C While specialization is valuable, focusing exclusively on a single vulnerability type is overly narrow. Effective hunters develop deep expertise in 2-3 vulnerability types while maintaining broad enough skills to recognize opportunities across different categories. The chapter recommends specialization as a strategy, but not extreme single-type exclusivity.