- The Guide to Finding and Reporting Web Vulnerabilities
- About the Author
- About the Tech Reviewer
- Foreword
- Introduction
- Who This Book Is For
- What Is In This Book
- Happy Hacking!
- 1 Picking a Bug Bounty Program
- 2 Sustaining Your Success
- 3 How the Internet Works
- 4 Environmental Setup and Traffic Interception
- 5 Web Hacking Reconnaissance
- 6 Cross-Site Scripting
- 7 Open Redirects
- 8 Clickjacking
- 9 Cross-Site Request Forgery
- 10 Insecure Direct Object References
- 11 SQL Injection
- 12 Race Conditions
- 13 Server-Side Request Forgery
- 14 Insecure Deserialization
- 15 XML External Entity
- 16 Template Injection
- 17 Application Logic Errors and Broken Access Control
- 18 Remote Code Execution
- 19 Same-Origin Policy Vulnerabilities
- 20 Single-Sign-On Security Issues
- 21 Information Disclosure
- 22 Conducting Code Reviews
- 23 Hacking Android Apps
- 24 API Hacking
- 25 Automatic Vulnerability Discovery Using Fuzzers
Private Programs
Most bug bounty platforms distinguish between public and private programs.
Public programs are those that are open to all; anyone can hack and submit bugs to these programs, as long as they abide by the laws and the bug bounty program’s policies.
On the other hand, private programs are open to only invited hackers. For these, companies ask hackers with a certain level of experience and a proven track record to attack the company and submit bugs to it. Private programs are a lot less competitive than public ones because of the limited number of hackers participating. Therefore, it’s much easier to find bugs in them. Private programs also often have a much faster response time, because they receive fewer reports on average.
Participating in private programs can be extremely advantageous. But how do you get invited to one? Figure 1-1 shows a private invitation notification on the HackerOne platform.
Companies send private invites to hackers who have proven their abilities in some way, so getting invites to private programs isn’t difficult once you’ve found a couple of bugs. Different bug bounty platforms will have different algorithms to determine who gets the invites, but here are some tips to help you get there.
First, submit a few bugs to public programs. To get private invites, you often need to gain a certain number of reputation points on a platform, and the only way to begin earning these is to submit valid bugs to public programs. You should also focus on submitting high-impact vulnerabilities. These vulnerabilities will often reward you with higher reputation points and help you get private invites faster. In each of the chapters in Part II of this book, I make suggestions for how you can escalate the issues you discover to craft the highest-impact attacks. On some bug bounty platforms, like HackerOne, you can also get private invites by completing tutorials or solving Capture the Flag (CTF) challenges.
Next, don’t spam. Submitting nonissues often causes a decrease in reputation points. Most bug bounty platforms limit private invites to hackers with points above a certain threshold.
Finally, be polite and courteous when communicating with security teams. Being rude or abusive to security teams will probably get you banned from the program and prevent you from getting private invites from other companies.