Hunter collaboration

Work as a team to pool your skills, find more vulnerabilities and share bounties

Hunters can collaborate on a report to dig deeper, extend the impact of found vulnerabilities and share rewards accordingly.

Hunter collaboration in a nutshell:

  • Ask for help and collab on a specific program
  • Hunt as a team
  • Invite up to 5 hunters as collaborators
  • Define bounty values for each collaborator (i.e. what share of the bounty each one will get)
  • Share rewards
  • Collaboration on private programs is only possible if all hunters are already invited to said program (see details below)

How does hunter collaboration work on a private program?

Collaboration on private programs works pretty much the same as collaboration on public programs, except that only those who are also invited to the program may join.

When looking for collaborators on a private program, you must not disclose the program's name publicly - it is not public information.

Use the Collaboration ID instead to find your peers!

Here is a simple use case to make it clear:

Context: Hun73r has been going round in circles on a given program. Hun73r has a lead on something intriguing, but he needs an extra pair of eyes to confirm and dig.

What to do? First, let’s see if the program accepts Hunter Collaboration.

The above pictogram indicates that collaboration is allowed and enabled on this program - good news!

Let’s find some help now, but how? Hun73r needs a way to ask for help on this specific program without disclosing its name to anyone who’s not participating.

Each private program with hunter collab enabled has a unique ‘Collaboration ID’ that you can directly share on Twitter (or anywhere else) to ask for help.

To verify that you are invited to the same program and answer the call, there are two options:

  • Click on the URL{Collaboration-ID} > If redirected to the program’s page - you’re in!
  • Search for the Collaboration-ID in the program list while authenticated > If there’s a result - it’s a match!

It’s one thing to know that you could work together, but keep in mind that you should seek mutual consent before sending collaboration invites ;)

Now let’s say that Hun73r has found a collaborator, and thanks to their combined skills, they found the hidden gem: time to report.

Hun73r is famous for his top-quality reports, so he will compile the findings for the team, then invite his collaborator to share the reward.

Once the report is filed and submitted, Hun73r will find a ‘COLLABORATORS’ menu at the top right of the screen where he can manage the group (invites, bounty values, etc.).

When managing collaborators, it’s possible to get an immediate estimate of each hunter’s share, depending on the bounty values and number of invitees.

The hunter who submitted the report is the only one who can manage invitations and, if needed, revoke invited collaborators.

A few things to note about collaborator management:

  • 5 invites per report only - and each invite counts, even if the invite was never accepted or was sent to a non-eligible user (i.e. not invited to the program)
  • Collaborator invites and bounty value modifications are not retroactive
  • Conclusion: spellcheck usernames, invite your collaborators as soon as possible and make sure they accept the invite before the report is triaged!

End of story: Hun73r’s SQL injection has been accepted and fairly rewarded.

To avoid decimals, collaborators’ rewards are rounded down to the lower integer and the remaining €/$ are granted to the hunter who submitted the report.

Tell me more about bounty sharing:

  • Hunter1 - Bounty value = 10
  • Hunter2 - Bounty value = 5
  • Total Reward = 2000€
  • Reward Hunter1 = Bounty value1 / (Bounty value1 + Bounty value2) * Total Reward
  • Reward Hunter2 = Bounty value2 / (Bounty value1 + Bounty value2) * Total Reward

In this case, Hunter1 will get 1333,34€ and Hunter2 will receive 666,67€ (screenshot above).

If you want to retrieve the reports on which you collaborated, go to your ‘Reports’ menu and search for ‘Collaborative Reports’ in the dropdown list.