Bug bounty hunting is a career many are dreaming of. Working on different systems, finding critical bugs, and getting paid tens of thousands of dollars for it, is a part of the dream. However, in the reality everything is x1000 times harder than it sounds. Before becoming proficient with it, you must spend hours and hours of learning and working without finding anything significant. You must also be an expert of vulnerabilities, and security testing methodologies. Today we are going to talk about one of the relevant topics – do you need to use VPN for bug bounty hunting.
Why Should One Want to Use VPN While Bug Bounty Hunting?
The are some logic reasons behind the idea of hiding your IP while bug bounty hunting:
- You might want to remain totally anonymous. This one comes from the nature of the ethical hackers. Even though bug bounty programs do allow you to hack assets in scope, at first you might feel uneasy when hacking asset of a multimillion-dollar company from your own IP address. You do want to become anonymous, especially when you tend to end on the gray zone of the hacking.
- You want your employee do not find about it. Usually the AUP (acceptable use policy) of many companies says that the computers should not be used for other reasons other than work. And there are solid reasons behind this – from a corporate point of view, company resources should be used for making money for the company. At the same time, employee who uses computer for personal needs, might create additional risk for the company data. You might want to use VPN to prevent your employer to see what you are doing on your work machine.
- Hiding your activity from the ISP. Usually, internet provider does not care what are you doing on the internet. Unless you start doing malicious activity, such as controlling massive DDoS attack, and you attract various institutions attention. You might want to hide the fact from your ISP provider, but you find it totally fine if your name is on the hall of fame of one or another bug bounty platform. And this is really understandable, you might have your own reasons for this.
When it comes to staying completely anonymous, it is really a hard task to do. One small mistake and you can be traced down. If you are doing something shady, you will always be on edge. Attract attention of the NSA or FBI, and you are done.
When it comes to using the hardware the employee gave you, the situation might vary case by case. Some of the employees might even allow using it for your personal needs. And the others are really strict about it. Corporate laptop usually has different agents for productivity monitoring, data loss protection, remote management of the device. So, using the VPN won’t solve the problem. Another thing to consider, is if you are using the company’s equipment for your own commercial use, this might be the company’s property. A simple example to this is a TV show Silicon Valley.
[Spoiler Alert] Richard, the engineer of the Hooli company, had created a revolutionary algorithm while working at this big company. Even though he used his own laptop, and he did this during his free time, he had made a mistake of using the corporate laptop for a few times. As a result, he had faced a lawsuit, that claimed the algorithm being the property of Hooli.
If you had agreed on very similar conditions when getting hired at your company (and there is a chance you did), in theory, the company might claim for some of the profit you earned while bug bounty hunting with corporate computer.
And when it comes to the ISP, it is believed that the ISP provider does not see the encrypted traffic. Only the fact that you had connected to the VPN. I tend to believe this, but again, being a little bit paranoid will only help.
Of course, there might be other reasons why you might want to use VPN for bug bounties. Maybe you use black hat methods to make the internet safer at the same time filling your own pockets. In this case you surely want to remain unknown.
By knowing the reasons, let’s talk if using the VPN for a casual bug bounty hunter is worth it.
Should You Use VPN as a Bug Bounty Hunter?
Now as we have a point of view advocating to use VPN while working on bug bounties, we can try to answer to this question rationally.
In short, you don’t have to use VPN for bug bounty hunting.
Even though the previously mentioned reasons, in my opinion, are legit for someone to be worried about not using VPN while ethical hacking, the biggest reasons behind this question is the legal consequences.
And if you are following the rules of a bug bounty program (different programs allow performing different actions on different targets), there is no reason you should be worried about the testing you make.
If you are an ethical hacker, and you follow to the rules of one (for example, CEH Code of Ethics), you won’t make any harm intentionally.
Let’s say you found a SQL injection. If you had used automatic tools, such as SQLMap, I know for a fact that it won’t drop the database (at least with the default scan configuration). And if you’ve managed to find it with our own payloads, they will unlikely contain any malicious queries. By looking for the SQLi you followed the bug bounty program rules, so you should not be worried about anything.
However, even if you’ve managed to cause a harm to the systems you are testing, it might be the organizations behind the program, fault. They had to prepare before launching a public program. So, you are unlikely to face any charges if you are following the rules and are working according to the ethical hacker’s codecs.
And even if the company will want to take any actions against you, this will not be accepted well by the cyber security community.
If you are doing everything according to the rules, using a VPN is not necessary.
In fact, there might even be some disadvantages of using it:
- The VPN IP might be blacklisted by the system you are testing, security controls. Usually, you won’t get a dedicated VPN when using one or another provider. Many users might be connected to that server at the same time. If traffic flooding was performed from that IP, you might potentially won’t be able to access the system you want. And controls, such as reCAPTCHA, might also complicate the testing.
But one advantage could not be disputed:
- Load balancer might redirect you to different server. Imagine you are working from Europe. And you connect to the VPN of a server sitting in the Argentina. Now the website you are working on, has a load balancer, that sees you are in the Argentina. He naturally forwards you to the server of Argentina. While in reality the servers should be identical, in some rare cases some debug or other files might be left on the server. In some cases you might want to be redirected to that specific server, so the VPN might come handy.
As you can see, in most of the cases VPN is unnecessary for bug bounty hunting, it might introduce you some inconveniences. But if you have a solid reason to use it, and you are sure that it would benefit your bug bounty hunting, fell free to use it.
What VPN Should You Use for Ethical Hacking to Stay Anonymous?
Using a VPN has many practical reasons. And if you still want to use the VPN not necessarily for the bug hunting, we can talk about the best options.
When it comes to the VPN providers, there are dozens of the big players. And while some of them have the no log policy, others, especially the smaller ones, are not that strict about this.
As an ethical hacker you should choose a VPN provider that respects your privacy.
I personally recommend NordVPN as it is one of the biggest VPN providers in the world and has some great advantages.
- It provides higher speed compared to the competitors
- Really great price which is even lower when going for a multi-year plan
- Has no log policy – this is especially important as your activity was not saved
This was mentioned a few times on this article, but in summary it might be stated once again:
If you are following the rules of bug bounty programs, and you are working according to the unwritten rules of the ethical hackers, you should not be worried about using your own IP. In fact, the companies having the bug bounty hunting programs wants you to be identifiable by one or another way.
But as using the VPN has some other benefits, you are free to use it. Just have in mind, that you might some limitations, for example, get reCAPTCHA more often.
Highly passionate about cyber security (penetration testing, bug bounty hunting, cybersecurity in general), and blogging. I am experienced in vulnerability assessments, penetration testing, various security audits, had worked with various clients, most of them were in finance sector.
CompTIA Security+, CEH, CEH Practical, CEH Master, and OSCP certified.