George Mack just released a new essay called High Agency. I had seen him on the Chris Williamson podcast before, but he went deeper down the rabbit hole and released this nice essay about it. Shout out to archangel for the recommendation to read it.
In bug bounty, high agency is a super powerful weapon. Bug bounty is mostly about finding vulnerabilities, but high agency can be a force multiplier for your performance.
High Agency Recon
- Ask for More Scope: Sometimes you might be able to get access to more scope than the initial scope provided. Reach out to program owners and ask if there are additional areas you can explore. More scope means more opportunities.
- Request Additional Credentials: Oftentimes, having more access can lead to discovering more bugs. Politely ask if you can get additional credentials to other systems when you get the chance.
- Read the Docs: Most hunters are not reading the docs. But if you do, you’ll have a huge advantage.
High Agency Reporting
- Tactful Pushback: If you receive a lower payout than expected, calmly ask for clarification on the severity. Understanding their perspective can help you make a case for a higher reward or at least feel less upset about the payout. If you believe your finding deserves more, present additional evidence or comparisons to similar bugs that received higher payouts. Be respectful but firm.
- High Quality Reports: If you write a report that clearly demonstrates the impact and includes remediation steps, you’ll be much more likely to get a higher payout.
- Seek Feedback: On your first few submitted reports, ask for feedback on how you can improve your reports in the future.
High Agency Networking
- Collaborate: I believe that every bug hunter should be sending 5 times more leads/ideas to other hackers than they currently do. Bug bounty isn’t zero-sum. Your leads will often NOT result in bounties. But if you share many of your leads, you’ll find that you get more total bounties as a result.
- Ask for +1s: Don’t hesitate to ask your hacker friends for +1s to events.
- Request Invites from Program Owners: If there’s a live hacking event being held by a company you hack on a lot, reach out to the program owners in one of your reports. Express your interest and ask if they can extend an invitation.
Wrapping Up
High agency in bug bounty is about influencing outcomes in your favor. It’s about asking the right questions, seeking out opportunities, and gently pushing back when necessary. Hopefully this essay inspires you to bring a bit more agency to your hacking.
- Joseph
Sign up for my email list to know when I post more content like this. I also post my thoughts on Twitter/X.