The Guide to Finding and Reporting Web Vulnerabilities
Understanding Why You’re Failing
You’ve poured hours into looking for vulnerabilities and haven’t found a single one. Or you keep submitting reports that get marked informative, N/A, or duplicate.
You’ve followed all the rules. You’ve used all the tools. What’s going wrong? What secrets are the leaderboard hackers hiding from you? In this section, I’ll discuss the mistakes that prevent you from succeeding in bug bounties, and how you can improve.
Why You’re Not Finding Bugs
If you spend a lot of time in bug bounties and still have trouble finding bugs, here are some possible reasons.
You Participate in the Wrong Programs
You might have been targeting the wrong programs all along. Bug bounty programs aren’t created equally, and picking the right one is essential. Some programs delay fixing bugs because they lack the resources to deal with reports. Some programs downplay the severity of vulnerabilities to avoid paying hackers. Finally, other programs restrict their scope to a small subset of their assets. They run bug bounty programs to gain positive publicity and don’t intend to actually fix vulnerabilities. Avoid these programs to save yourself the headache.
You can identify these programs by reading publicly disclosed reports, analyzing program statistics on bug bounty platforms, or by talking with other hackers. A program’s stats listed on bug bounty platforms provide a lot of information on how well a program is executed. Avoid programs with long response times and programs with low average bounties. Pick targets carefully, and prioritize companies that invest in their bug bounty programs.
You Don’t Stick to a Program
How long should you target a program? If your answer is a few hours or days, that’s the reason you’re not finding anything. Jumping from program to program is another mistake beginners often make.
Every bug bounty program has countless bug bounty hunters hacking it. Differentiate yourself from the competition, or risk not finding anything! You can differentiate yourself in two ways: dig deep or search wide. For example, dig deep into a single functionality of an application to search for complex bugs. Or discover and hack the lesser-known assets of the company.
Doing these things well takes time. Don’t expect to find bugs right away when you’re starting fresh on a program. And don’t quit a program if you can’t find bugs on the first day.
You Don’t Recon
Jumping into big public programs without performing reconnaissance is another way to fail at bug bounties. Effective recon, which we discuss in Chapter 5, helps you discover new attack surfaces: new subdomains, new endpoints, and new functionality.
Spending time on recon gives you an incredible advantage over other hackers, because you’ll be the first to notice the bugs on all obscure assets you discover, giving you better chances of finding bugs that aren’t duplicates.
You Go for Only Low-Hanging Fruit
Another mistake that beginners often make is to rely on vulnerability scanners. Companies routinely scan and audit their applications, and other bug bounty hunters often do the same, so this approach won’t give you good results.
Also, avoid looking for only the obvious bug types. Simplistic bugs on big targets have probably already been found. Many bug bounty programs were private before companies opened them to the public. This means a few experienced hackers will have already reported the easiest-to-find bugs. For example, many hackers will likely have already tested for a stored-XSS vulnerability on a forum’s comment field.
This isn’t to say that you shouldn’t look for low-hanging fruit at all. Just don’t get discouraged if you don’t find anything that way. Instead, strive to gain a deeper understanding of the application’s underlying architecture and logic. From there, you can develop a unique testing methodology that will result in more unique and valuable bugs.
You Don’t Get into Private Programs
It becomes much easier to find bugs after you start hacking on private programs. Many successful hackers say that most of their findings come from private programs. Private programs are a lot less crowded than public ones, so you’ll have less competition, and less competition usually means more easy finds and fewer duplicates.
Why Your Reports Get Dismissed
As mentioned, three types of reports won’t result in a bounty: N/As, informatives, and duplicates. In this section, I’ll talk about what you can do to reduce these disappointments.
Reducing the number of invalid reports benefits everyone. It will not only save you time and effort, but also save the security team the staff hours dedicated to processing these reports. Here are some reasons your reports keep getting dismissed.
You Don’t Read the Bounty Policy
One of the most common reasons reports get marked as N/A is that they’re out of scope. A program’s policy page often has a section labeled Scope that tells you which of the company’s assets you’re allowed to hack. Most of the time, the policy page also lists vulnerabilities and assets that are out of scope, meaning you’re not allowed to report about them.
The best way to prevent submitting N/As is to read the bounty policy carefully and repeatedly. Which vulnerability types are out of scope? And which of the organization’s assets? Respect these boundaries, and don’t submit bugs that are out of scope.
If you do accidentally find a critical issue that is out of scope, report it if you think it’s something that the organization has to know about! You might not get rewarded, but you can still contribute to the company’s security.
You Don’t Put Yourself in the Organization’s Shoes
Informative reports are much harder to prevent than N/As. Most of the time, you’ll get informative ratings because the company doesn’t care about the issue you’re reporting.
Imagine yourself as a security engineer. If you’re busy safeguarding millions of users’ data every day, would you care about an open redirect that can be used only for phishing? Although it’s a valid security flaw, you probably wouldn’t. You have other responsibilities to tend to, so fixing a low-severity bug is at the bottom of your to-do list. If the security team does not have the extra staff to deal with these reports, they will sometimes ignore it and mark it as informative.
I’ve found that the most helpful way to reduce informatives is to put myself in the organization’s shoes. Learn about the organization so you can identify its product, the data it’s protecting, and the parts of its application that are the most important. Once you know the business’s priorities, you can go after the vulnerabilities that the security team cares about.
And remember, different companies have different priorities. An informative report to one organization could be a critical one to another. Like the dating site versus job search site example mentioned earlier in this chapter, everything is relative. Sometimes, it’s difficult to figure out how important a bug will be to an organization. Some issues I’ve reported as critical ended up being informative. And some vulnerabilities I classified as low impact were rewarded as critical issues.
This is where trial and error can pay off. Every time the security team classifies your report as informative, take note for future reference. The next time you find a bug, ask yourself: did this company care about issues like this in the past? Learn what each company cares about, and tailor your hacking efforts to suit their business priorities. You’ll eventually develop an intuition about what kinds of bugs deliver the most impact.
You Don’t Chain Bugs
You might also be getting informatives because you always report the first minor bug you find.
But minor bugs classified as informative can become big issues if you learn to chain them. When you find a low-severity bug that might get dismissed, don’t report it immediately. Try to use it in future bug chains instead. For example, instead of reporting an open redirect, use it in a server-side request forgery (SSRF) attack!
You Write Bad Reports
Another mistake beginners often make is that they fail to communicate the bug’s impact in their report. Even when a vulnerability is impactful, if you can’t communicate its implications to the security team, they’ll dismiss the report.
What About Duplicates?
Unfortunately, sometimes you can’t avoid duplicates. But you could lower your chances of getting duplicates by hunting on programs with large scopes, hacking on private programs, performing recon extensively, and developing your unique hunting methodology.