Since I changed my LinkedIn status from “Not looking” to “Actively looking”, I have been getting interview calls from various places. One thing that I have been asked in almost every interview is whether I participate in any bug bounty programs; my answer was always ‘no’, and I was told to participate to show off my skills.
It is not that I do not like bug bounty hunting; it’s just that I had never participated in one and never had the time to do so. But I decided to give it a try just to build up my profile. So, I sat down one day and decided to go with Nokia, for no particular reason.
It was a Friday night when I started finding bugs in Nokia, and I kept at it for the entire night. I came across several low-level issues, but I wanted to find something good that I could report, and eventually I did find around 4 bugs, of which 2 were reported as duplicates.
Response From Nokia Security Team
The other 2 were not duplicates and were accepted by the Nokia Security Team. I will not disclose the bugs, because what would be the point of “Responsible Disclosure” then?
While I do not think that it is a waste of time or resources, I would highly recommend that interviewers not make “Bug Bounties” a scale to measure skill, because I believe that anyone with enough time on their hands can find vulnerabilities and get their name listed in a hall of fame.
Special thanks to the Nokia security team.