Can Bugs ever be useful?
The answer is YES if you get a good BOUNTY for catching those “BUGS”.
Introduction to BUGS
A software bug is an error, mistake, defect, or fault in a computer program or application that causes it to deviate from expected results, behave in unintended ways, or crash altogether. To be precise, it is any behavior or result that a program or system produces but was not designed to.
Are BUGS Harmful?
Bugs don’t cause much trouble until some hacker finds them. Once a flaw in our software is exposed to attackers, they can exploit it to reach our resources and disrupt the proper functioning of the application.
But why would anyone become a hacker? Sometimes people do things for fun, out of need, or because they are told to. Hackers may demand a bribe to fix the loopholes they open up through those bugs, or sometimes they are asked to dig deep into a company’s program to make it vulnerable to attacks.
Getting Rid of BUGS!
Don’t you think bugs must be removed from our program or system for us to get the desired results? That’s where “debugging” comes into the picture and plays a major role. The act of removing these bugs or errors from computer software is called debugging. Keeping bugs at bay is a joint effort between the companies that develop products and the reporters who help them identify the bugs and get rid of them.
SDLC: Software Development Life Cycle
SDLC is a process that is followed within a software organization for a software project. It consists of a detailed plan explaining how to develop, maintain, replace, and enhance specific software or an application. The life cycle defines a methodology for improving the overall development process and the quality of the software.
Following the SDLC speeds up development and minimizes the project risks and costs associated with alternative methods of production.
BUG Reporting
Bug reporting is an ethical and widely accepted way to identify anomalies in a product. A bug report is a specific report that emphasizes what is wrong and needs fixing in a piece of software or on a website. The report lists the reasons, or the errors observed, to point out exactly what is wrong, and also includes a request and/or details on how to address each issue or bug.
What’s in it for us?
Learning about the ethical ways of making good software or an application, or helping to make it bug-free, is of little use to us until we get some profit out of it. That’s where BUG BOUNTY comes in. A bug bounty program is a contract offered by many organizations, websites, and software developers by which reporters can receive recognition and compensation (mainly monetary) for reporting bugs, especially those pertaining to security exploits and vulnerabilities.
A BUG BOUNTY mainly consists of monetary rewards provided by companies to the individuals who hunt the bugs before the hackers do. This is why bug identifiers are called bug bounty hunters.
How to Become a BUG Hunter?
The first question that comes to our mind when we think about becoming a Bug Hunter is: Do we need to have some specific qualification or skill-set?
The answer is NO. You just need a good helper that can guide you all the way through catching the bugs and reporting them to the legitimate company.
Let me introduce you to a very good product that can be your partner in (no) crime and help you become a bug bounty hunter.
BeVigil By CloudSEK
BeVigil is the world’s first Security Search Engine launched by CloudSEK. With BeVigil, security researchers and individual users can check the risk rating of an app, the list of permissions it requests, and potential vulnerability sources. It works to ensure that an app is not malicious.
Guide to using BeVigil
1. Open bevigil.com
BeVigil helps us recognize the bugs in various apps.
2. Search any app
Search for the different apps that you think are vulnerable to attacks. Every app also has a security rating written beside it showing how secure it is. If you can’t find the app you want to search for, you can also upload its APK file to the BeVigil site.
3. Explore the Vulnerable Sections
Easiest sections first — the Strings and Assets sections. Here you can find the different vulnerable items, each with a description and a severity tag stating whether it has a Low, Medium, or High effect. You can also see the rule that fired, which indicates which domain the bugs in these files relate to.
You can also jump into the other sections and see how much effect these loopholes have on the app. There is also an option to share the report or download it.
4. Find the BUGS
BeVigil scans the code and checks whether any potentially sensitive data is leaking. So dive into each section and look for any chance of data leaking. The Strings section deals with data such as Google API keys, passwords, or any other private information. The Assets section mainly focuses on URLs and e-mail addresses that leak information.
As an example, I have taken an app where you can see that google_places_api_key is being revealed, which is private information and should not be known to outside users.
Now, first of all, we need to know whether the data being revealed is already secured by the company or needs attention. So you need to research how the revealed data could cause trouble for the app and the company. If it is a genuine issue, then you have to take the further step and report it.
Here, when we searched about the google_places_api_key that was revealed, it didn’t leak any information. The information that we get here is available to every user, even if we don't use the key. So, once you think there are bugs in the app, go and check whether they create any impact or not. If the answer is yes, then go to the next step.
5. Make a BUG Report
As discussed earlier, bug reports aren’t useful until they get the bugs fixed. A bug report must be reproducible and specific.
A Bug Report must include the following points:
- SUMMARY — Summary makes the report searchable and uniquely identifiable.
- OVERVIEW/DESCRIPTION — The description of a bug report explains the bug to the developer, including points such as why this is a bug, any relevant links or interpretation of test failures, and any information on other implementations that show the vulnerability.
- STEPS TO REPRODUCE — Until the developer knows how to recreate the bug on their system, they can’t fix it. That is why reproducible steps are important.
- TEST RESULTS — Show how the bug makes the software vulnerable, and if you know any solutions for it, mention them too.
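As an added illustration of steps 3 to 5 (my own code, not BeVigil's or the workshop's), here is a small scanner in the same spirit: it runs a few severity-tagged rules over a constructed strings.xml and a constructed assets file, then builds the SUMMARY line of a report. The rule names, sample files and the key format are assumptions; a hit is only a lead that still needs the impact check from step 4.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample key: "AIza" plus 35 characters, the shape of a Google API key (not a real key).
FAKE_KEY = "AIzaSyPLACEHOLDER" + "0" * 22
# Constructed res/values/strings.xml of an imaginary app (assumed layout).
STRINGS_XML = f"""<resources>
    <string name="app_name">DemoApp</string>
    <string name="google_places_api_key">{FAKE_KEY}</string>
    <string name="support_email">help@example.com</string>
    <string name="db_password">hunter2</string>
</resources>"""
# Constructed file from the same imaginary app's assets/ folder.
ASSETS_CONFIG = "api_base=http://api.example.com/v1\nadmin_email=admin@example.com\n"
# (rule name, pattern, severity) using the Low/Medium/High tags the report shows.
RULES = [
    ("google_api_key", re.compile(r"AIza[0-9A-Za-z_\-]{35}"), "High"),
    ("password_value", re.compile(r"(?i)(password|passwd|pwd)="), "High"),
    ("cleartext_url", re.compile(r"http://[^\s\"']+"), "Medium"),
    ("email_address", re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "Low"),
]
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

def scan_text(text, location):
    # One finding per rule that fires; a hit is a lead to verify (step 4), not a confirmed bug.
    return [{"rule": r, "severity": s, "location": location, "match": m.group(0)}
            for r, p, s in RULES if (m := p.search(text))]

def scan_strings_xml(xml_text):
    # Strings section: scan each <string> as "name=value" so revealing names count too.
    findings = []
    for node in ET.fromstring(xml_text).iter("string"):
        name, value = node.get("name", ""), node.text or ""
        findings.extend(scan_text(f"{name}={value}", f"strings.xml:{name}"))
    return findings

def scan_assets(config_text, path="assets/config.properties"):
    # Assets section: URLs and e-mail addresses leaking from bundled files.
    return [f for n, line in enumerate(config_text.splitlines(), 1)
            for f in scan_text(line, f"{path}:{n}")]

def summarize(findings):
    # SUMMARY line for the bug report: worst severity first, then a count per rule.
    if not findings:
        return "No leaking data found"
    worst = max(SEVERITY_RANK[f["severity"]] for f in findings)
    label = next(k for k, v in SEVERITY_RANK.items() if v == worst)
    counts = {r: sum(f["rule"] == r for f in findings) for r in sorted({f["rule"] for f in findings})}
    return f"[{label}] {len(findings)} finding(s): " + ", ".join(f"{r} x{n}" for r, n in counts.items())
```

Each finding keeps the location (which string name or which assets line), which is exactly what the STEPS TO REPRODUCE section of the report needs.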
Hurray, We’ve done our work!
We are all set to go! Now we need to send the bug report to the authorized person or company, and in return for a legitimate bug report, we get our bounty.
There are multiple BUG BOUNTY PROGRAMS that are featured and promote a bug-free society. If you want to know more about these programs, you can go ahead and check this out: Bug Bounty Programs
If you want to dive deep into what Bug Hunting is go ahead and check out this course which is completely free:
That’s all!! Remember, being a bug hunter can be a challenging task, but it is worth it!
All the Best and Happy Reporting!
BugéDex
Most of the information that I shared was imparted by Sir Syed Shahrukh Ahmad, Ma’am Sai Ahladini Tripathy, and Sir Sudipta Pandit at the BugéDex workshop conducted by the Computer Society of India-VIT.
If you are an app user who installs new apps frequently, then the BeVigil site can be a powerful tool for finding out whether any of your data is being exposed to the outside world.