Abbreviations and terminology used in bug bounty
1. Bug bounty - A reward (money, swag or public recognition) given for reporting a valid security vulnerability. It is usually offered through a vulnerability rewards program (VRP). A vulnerability disclosure program (VDP) is related but not the same thing: it is a published policy telling researchers how to report vulnerabilities safely, and it does not necessarily pay anything.
2. Bug bounty program - A program, run directly by a company or through a platform, that rewards security researchers for reporting security vulnerabilities in the company's products or other digital services.
3. Enumeration - The active process of discovering and listing a target's attack surface: subdomains, live hosts, open ports and services, directories, parameters and user accounts. The information gathered here decides where you test later.
4. POC - (Proof of concept), Evidence that the vulnerability is real and reproducible: numbered reproduction steps, the exact HTTP request and response, a screenshot or a short video. Keep it minimal and non-destructive; a triager should be able to reproduce it in minutes.
5. Duplicate - A vulnerability that someone else has already reported on the same target (or that the program already knew about). Duplicates are usually not paid, which is why reporting quickly matters.
6. Scope - The assets (domains, applications, IP ranges, mobile apps) an organization allows researchers to test, and the types of testing permitted. Testing outside scope is unauthorized and can void any safe-harbor protection the program offers.
7. Full disclosure - The entire report is made public. Bug bounty hunters usually request public disclosure of their report once the vulnerability has been fixed by the company or organization.
8. Partial disclosure - The report is made public, but certain details (exact payloads, internal hostnames, parts that are not yet fixed) are redacted.
9. BAC - (Broken access control), The application does not properly enforce what each user is permitted to do, so a user can reach data or administrative functionality they should not have. This ranges from viewing another user's content (for example by changing an ID in a URL) to full application takeover.
10. CVE - (Common Vulnerabilities and Exposures), A public catalogue of disclosed vulnerabilities, mostly in widely released software, in which each entry gets a unique identifier of the form CVE-YYYY-NNNNN so that different parties can refer to the same issue unambiguously.
11. CVSS - (Common Vulnerability Scoring System), A free and open industry standard for rating the severity of a vulnerability on a scale from 0.0 to 10.0. The score is computed from metrics such as attack vector, privileges required, user interaction and the impact on confidentiality, integrity and availability, and it lets responders and programs prioritize fixes and payouts by severity.
12. CSRF - (Cross-site request forgery), Also called a one-click attack or session riding. An attacker's page makes the victim's browser send a request to a web application in which the victim is logged in; because the browser attaches the victim's cookies automatically, the application carries out a command the user never intended (changing an email address, transferring money).
13. CWE - (Common Weakness Enumeration), A catalogue of the types of weakness behind vulnerabilities, with over 600 entries ranging from buffer overflows and cross-site scripting to insecure random numbers. CVE entries and bounty reports are commonly tagged with a CWE ID.
14. XSS - (Cross-site scripting), Commonly found in web applications, XSS lets attackers inject client-side script into web pages viewed by other users; the script then runs in the victim's browser with the site's privileges and can steal sessions or act as the user.
15. CSS - (Crowdsourced security), A security approach in which many ethical hackers are incentivized to search for and report vulnerabilities in an organization's assets, with the organization's full knowledge and consent. (Not to be confused with Cascading Style Sheets.)
16. Email spoofing - Forging email headers (typically the From address) so that a message appears to come from someone or somewhere other than its real source. It is used in phishing and spam because people are more likely to open, and respond to, an email they believe came from a genuine sender. SPF, DKIM and DMARC are the mechanisms receivers use to detect it.
17. Payout - The money paid to a researcher (the bug hunter) once the submitted vulnerability has been validated and accepted.
18. Private programs - Invitation-only programs. Organizations or platforms invite selected individual hunters or groups, based on their past participation, points and report quality, to test assets that are not open to the public.
19. Points - Awarded to a researcher for valid submissions. They build the hunter's reputation, determine leaderboard position and are used by platforms to decide who gets invited to private programs.
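The CSRF entry above describes the mechanism in one sentence. The added example below (my own code, not code from the original page or any real application) models a state-changing "transfer" handler in plain Python, feeds it a constructed forged request and a constructed legitimate one, and shows the vulnerable version beside one hardened with an Origin check and a per-session anti-CSRF token. The host names bank.example and evil.example, the Session and Request types and the transfer action are all assumptions made for illustration.

```python
"""CSRF: vulnerable handler beside a hardened one (added example, not from
the original page). Sessions, requests and host names are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumption: the application is served only from this origin
TRUSTED_ORIGINS = {"https://bank.example"}


@dataclass
class Session:
    user: str
    balance: int
    # per-session secret the app embeds in its own pages; a cross-site page
    # cannot read it because of the same-origin policy
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST as the server sees it."""
    method: str
    cookie_session: Optional[Session]  # browser attaches the session cookie automatically
    form: dict
    headers: dict = field(default_factory=dict)


def transfer_vulnerable(req: Request) -> str:
    """Trusts the session cookie alone. Any page that can make the victim's
    browser POST here (a hidden auto-submitting form) can move money."""
    if req.method != "POST" or req.cookie_session is None:
        return "denied: not logged in"
    amount = int(req.form["amount"])
    req.cookie_session.balance -= amount
    return f"ok: sent {amount} to {req.form['to']}"


def transfer_hardened(req: Request) -> str:
    """Same action with two independent CSRF defences:
    1. the Origin header must be one of our own origins (the browser sets it
       and a cross-site page cannot forge it);
    2. the per-session token must be echoed back in a custom header, which a
       cross-site form post cannot add and evil.example cannot read."""
    if req.method != "POST" or req.cookie_session is None:
        return "denied: not logged in"
    if req.headers.get("Origin") not in TRUSTED_ORIGINS:
        return "denied: cross-site origin"
    token = req.headers.get("X-CSRF-Token", "")
    # constant-time comparison so the check itself does not leak the token
    if not hmac.compare_digest(token, req.cookie_session.csrf_token):
        return "denied: bad csrf token"
    amount = int(req.form["amount"])
    req.cookie_session.balance -= amount
    return f"ok: sent {amount} to {req.form['to']}"


def forged_request(victim: Session) -> Request:
    """What arrives when the victim visits evil.example, which hosts an
    auto-submitting <form method=POST action=https://bank.example/transfer>.
    The browser adds the victim's cookie; the attacker never sees the token."""
    return Request("POST", victim, {"to": "attacker", "amount": "500"},
                   headers={"Origin": "https://evil.example"})


def legit_request(user: Session) -> Request:
    """The application's own page, which knows the token, doing a transfer."""
    return Request("POST", user, {"to": "alice", "amount": "50"},
                   headers={"Origin": "https://bank.example",
                            "X-CSRF-Token": user.csrf_token})


def demo() -> dict:
    results = {}
    v = Session("victim", 1000)
    results["vulnerable_forged"] = transfer_vulnerable(forged_request(v))
    results["vulnerable_balance"] = v.balance
    h = Session("victim", 1000)
    results["hardened_forged"] = transfer_hardened(forged_request(h))
    # Even a request that somehow carries a trusted Origin still fails
    # without the token, so the two checks do not depend on each other.
    results["hardened_no_token"] = transfer_hardened(
        Request("POST", h, {"to": "attacker", "amount": "500"},
                headers={"Origin": "https://bank.example"}))
    results["hardened_legit"] = transfer_hardened(legit_request(h))
    results["hardened_balance"] = h.balance
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In a real report the POC for this bug is the forged page itself plus the server-side evidence (the changed balance or email); the hardened handler is what you would suggest in the remediation section, alongside a SameSite cookie attribute as a third, browser-enforced layer.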