Graham Zemel

Summary

The article provides a curated list of lesser-known vulnerability disclosure programs (VDPs) that offer competitive rewards with less competition for bug bounty hunters.

Abstract

The cybersecurity industry relies heavily on bug bounties, with substantial rewards paid annually to ethical hackers. However, the popularity of these programs often leads to high competition. The article addresses this by highlighting smaller, less competitive VDPs that still offer substantial rewards. It introduces BugCrowd's Community List, Project Discovery Chaos, and FireBounty as platforms where newer bug hunters can find programs with fewer participants. These platforms are praised for their up-to-date information, user-friendly filters, and comprehensive listings. Additionally, the article suggests using a GitHub repository of Google Dorks to discover companies with VDPs that may not be widely known. The author encourages readers to explore these resources and consider joining Medium through their referral link for full access to their content.

Opinions

  • The author believes that smaller VDPs are a great solution for new bug hunters to minimize competition while still receiving great rewards.
  • BugCrowd's Community List is commended for being consistently updated and offering a variety of programs with helpful filters to tailor the search for specific types of VDPs.
  • Project Discovery Chaos is highlighted for its frequent updates, extensive list of programs, and useful recon data from DNS datasets.
  • FireBounty is noted for its large size, forum-like design, and the ability for users to publish their own VDPs, making it a valuable resource for both hunters and developers.
  • The author recommends learning Google Dorking as a method to find companies with VDPs that are not listed on mainstream platforms.
  • The article suggests that readers can support the author by joining Medium through their referral link, indicating a preference for readers to engage with their content on that platform.

The Best Vulnerability Disclosure Programs (Less Competitive Bounties)

TL;DR: There are a ton of programs for bug bounties and vulnerability disclosure, but they’re usually filled with competition because they’re so popular. Here are a few programs that minimize the competition and still provide great rewards.

Bug bounties are critical in the cybersecurity industry, and millions are paid out every year to the white-hat hackers who contribute. That being said, how can someone, especially a new bug hunter, find these bounties when there are hundreds of thousands of hackers competing to find similar ones? Finding a smaller VDP (vulnerability disclosure program) is a great solution; here are a few of my favorites.

BugCrowd Community List →

This is hosted on BugCrowd, which is a VDP itself, but it also provides a ton of great smaller programs on its page as well. It’s always up to date, and contains plenty of programs for smaller bug hunters to choose from and minimize the competition aspect.

It’s also got some helpful filters in order to view specific types of programs that you’d like to participate in. Filters like bug bounty eligible, Hall of Fame, and safe harbor will show you some of the best VDPs to get involved with at the moment.

Project Discovery Chaos →

This is a really interesting site that showcases some great programs and domains that aren’t usually shown on the bigger VDPs. It’s updated every few hours or so, and the list is fairly large. It’s easy to pick out specific kinds of programs, and I’m a big fan of this site because of its simplicity and functionality.

It’s got a bunch of links to help developers access different aspects of VDPs, and it even curates the recon data from DNS datasets for better insights.

FireBounty →

Lesser known but still very valid, FireBounty is a great site to learn about bug hunting and actually take part in VDPs. It’s a much bigger site than the others listed, and it follows more of a forum-like app design. You can actually publish your own VDPs here as well, which is handy if you’re also a developer.

It has tons of features and filters, and it’s fairly easy to use. Their web crawlers pull VDPs from a list of other websites, and you can manually input your own. There are roughly 15,000 users on this site, rather than the hundreds of thousands on something like HackerOne.

Bonus →

Here’s a list of some great Google dorks for sites that may not have VDPs but can still lead to some decent bounties. I suggest learning the syntax of Google a bit for the purpose of dorking, which is a valid hacking method.

Thanks for reading up on some great VDPs. I hope you found one that works for you, and if you found this post interesting feel free to give some claps. Check out The Gray Area for more computer science and cybersecurity-related posts. If you’re not already a member and you’d like to access all my posts (and everyone else’s on Medium), sign up using my referral link.

Thanks!
