- The Guide to Finding and Reporting Web Vulnerabilities
- About the Author
- About the Tech Reviewer
- Foreword
- Introduction
- Who This Book Is For
- What Is In This Book
- Happy Hacking!
- 1 Picking a Bug Bounty Program
- 2 Sustaining Your Success
- 3 How the Internet Works
- 4 Environmental Setup and Traffic Interception
- 5 Web Hacking Reconnaissance
- 6 Cross-Site Scripting
- 7 Open Redirects
- 8 Clickjacking
- 9 Cross-Site Request Forgery
- 10 Insecure Direct Object References
- 11 SQL Injection
- 12 Race Conditions
- 13 Server-Side Request Forgery
- 14 Insecure Deserialization
- 15 XML External Entity
- 16 Template Injection
- 17 Application Logic Errors and Broken Access Control
- 18 Remote Code Execution
- 19 Same-Origin Policy Vulnerabilities
- 20 Single-Sign-On Security Issues
- 21 Information Disclosure
- 22 Conducting Code Reviews
- 23 Hacking Android Apps
- 24 API Hacking
- 25 Automatic Vulnerability Discovery Using Fuzzers
Foreword
Twenty or even ten years ago, hackers like me were arrested for trying to do good. Today, we are being hired by some of the world’s most powerful organizations.
If you’re still considering whether or not you are late to the bug bounty train, know that you’re coming aboard at one of the most exciting times in the industry’s history. This community is growing faster than ever before, as governments are beginning to require that companies host vulnerability disclosure programs, Fortune 500 companies are building such policies in droves, and the applications for hacker-powered security are expanding every day. The value of a human eye will forever be vital in defending against evolving threats, and the world is recognizing us as the people to provide it.
The beautiful thing about the bug bounty world is that, unlike your typical nine-to-five job or consultancy gig, it allows you to participate from wherever you want, whenever you want, and on whatever type of asset you like! All you need is a decent internet connection, a nice coffee (or your choice of beverage), some curiosity, and a passion for breaking things. And not only does it give you the freedom to work on your own schedule, but the threats are evolving faster than the speed of innovation, providing ample opportunities to learn, build your skills, and become an expert in a new area.
If you are interested in gaining real-world hacking experience, the bug bounty marketplace makes that possible by providing an endless number of targets owned by giant companies such as Facebook, Google, or Apple! I’m not saying that it is an easy task to find a vulnerability in these companies; nevertheless, bug bounty programs deliver the platform on which to hunt, and the bug bounty community pushes you to learn more about new vulnerability types, grow your skill set, and keep trying even when it gets tough. Unlike most labs and Capture the Flags (CTFs), bug bounty programs do not have solutions or a guaranteed vulnerability to exploit. Instead, you’ll always ask yourself whether or not some feature is vulnerable, or if it can force the application or its functionalities to do things it’s not supposed to. This uncertainty can be daunting, but it makes the thrill of finding a bug so much sweeter.
In this book, Vickie explores a variety of different vulnerability types to advance your understanding of web application hacking. She covers the skills that will make you a successful bug bounty hunter, including step-by-step analyses on how to pick the right program for you, perform proper reconnaissance, and write strong reports. She provides explanations for attacks like cross-site scripting, SQL injection, template injection, and almost any other you need in your toolkit to be successful. Later on, she takes you beyond the basics of web applications and introduces topics such as code review, API hacking, automating your workflow, and fuzzing.
For anyone willing to put in the work, Bug Bounty Bootcamp gives you the foundation you need to make it in bug bounties.
—Ben Sadeghipour
Hacker, Content Creator, and
Head of Hacker Education at HackerOne