So yes, I've started a bug bounty. This bug bounty will likely be the only one I can write about for my original work, and that's about what I expected anyways. I've heard many web application penetration testers (including the one I heard speak at the conference) say that they typically spend weeks, if not months, on their bug bounties. I am working on one within the constraints of a single week, and with both college/scholarship applications and semester benchmark exams breathing down my neck. To say that I'm feeling a little overwhelmed right now would be a severe understatement.
On the subject of the actual bug bounty, I've run through a number of the initial steps I outlined on my personal checklist. I've nmapped the server, found out what OS it's running, searched for robots.txt, mapped out every possible point of interest that takes user input (within scope, of course), and have tried directory traversal via the URL. As expected, directory traversal is completely protected against. I won't be getting into the real meat of things until this afternoon and onwards. We'll see how it all pans out. What is certain, though, is that I will have a lot to submit when Friday rolls around and this is all due.