Bug Bounty Village @ c0c0n (Virtual Mode)

18 - 19 September 2020 Online
Due to COVID-19 situation and for the care of our community people we will be going virtual at c0c0n 2020

About Bug Bounty Village

BUG BOUNTY Village is a platform for bug bounty researchers and Infosec professionals to come and share their experiences, knowledge, and research work. It's an apt place to learn bug bounty, report writing, teach, and learn from others. With a series of talks/training/tools. We want to bring this fun platform to everyone this year again at c0c0n 2020 virtual mode(online).

Event Starts In:


Sean Poris
Director, Product Security
Verizon Media
Read more →
Harsh Bothra
Cyber Security Analyst
Detox Technologies
Read more →
Parveen Yadav
Security Researcher
Read more →
Narendra Kumar
Security Analyst
Read more →
Prerak Mittal
Read more →
Ankit Giri
Read more →
Jay Turla
Manager, Security Operations
Read more →
Prasoon Gupta
Application Security Engineer
Read more →


Abhinav Mishra
Read more →
Bhavuk Jain
Bug Bounty Hunter
Read more →
Nikhil Srivastava
Bug Bounty Hunter
Read more →
Ryan Rutan
Director of Community
Synack Red Team
Read more →


10:45 - 11:30

Bug Bounty from Paranoids

Join Sean as he discusses the journey Verizon Media took to merge multiple bug bounty programs into one of the top bug bounty programs in the world. In this talk you'll learn some best practices for getting a bug bounty program started, how to build a strong relationship between bug bounty and engineering, and how bug bounty fits into the strategic fabric of Verizon Media's security team, The Paranoids. He'll talk about how he helps Verizon Media embrace bug bounty, the value of live hacking events, the future of bug bounty, and an interesting bug bounty feedback loop called the bug bounty lifecycle.

10:00 - 13:00


CTF in collaboration with Security Innovation

13:00 - 14:00

Lunch Break

Web Application hacking with WebZGround

A self contained training environment WebZGround is a Custom VM designed to help Students/bug bounty hunters/Web Application security enthusiasts/ /Penetration Testers/newcomers to learn and practise web application security concepts on a bunch of vulnerable lab apps locally.it also contains required tools for penetration testing of web applications

16:00 - 16:30


16:30 - 17:30

Web Application hacking with WebZGround Continued

09:00 - 09:45

Panel Discussion

Bug Bounty

11:00 - 11:45

Broken Cryptography & Account Takeover

Applications still utilize weak cryptography generation methodologies which may lead to severe risk. In the world of Application Security, looking for all possible points to enumerate and find out how secrets, token and encryption is happening always gives an edge. Broken & Weak Cryptography canlead severe impact and account takeover is one of them. Account takeovers involves gaining a persistence access to the victim account impacting CIA completely. However, Both Broken Cryptography and Account Takeover are not just limited to a few attack vectors.

11:45 - 12:30

My top 3 findings in bug Bounty journey | Aiming for high impact issues

Interesting veryulnerabilities, their way of finding, impact and remediation What is the thought process to find such bug How is it different from day to day reported input validation and other such vulnerabilities How to plan, target and approach vulnerabilities Difference between pentest and bug Bounty

12:30 - 13:15

Preparing for a Car Hacking Program or Bug Bash

Car hacking programs, responsible disclosures and bug bashes are hot in this era of bug bounty hunting thanks to the initiative of car companies and hackers in the automotive industry. In this talk, we will focus on my experience of handling or being a part in triaging bugs related to automotive security and car hacking specifically on how security researchers prepare mentally and physically for a bash. Or how to have a win-win situation. This talk will help aspiring car hackers or probably car hackers I have already met on what to focus and expect when there is a car hacking event. What do we usually look or expect from researchers? Yes that hopefully will be answered. This is kind of a prequel to the speaker's talk entitled "Automotive Security Bugs".

13:15 - 14:00

Lunch Break

14:00 - 14:45

Automation in Bug Bounties to Work Smarter

Getting started with security research and bug bounties would be greatly complimented, if one knows some scripting/programming language to deal with everyday tasks to save time and work more efficiently. Through this talk, I aim to help beginners to get comfortable with one of the most praised scripting languages among the security researchers, i.e. python. Using this knowledge one can get started with their own custom automation scripts to have their own arsenal rather than relying on external toolkits and spending time on getting comfortable with someone else's methodologies.

14:45 - 15:30

Automate your Recon with ReconNote

I will be explaining about how to use bash to automate the recon process from basics one liner to gathering major assets of the target for attack surface. It will include Enumerating subdomains , resolving for alive hosts, port scanning, screenshots, extracting Js files, path fuzzing , using nuclei and then creating the bash script using those one liners to create your full automated web recon script. I will then Introduce my “ReconNote” Web framework which i have created using nodeJs/bootstrap for Web application recon and using the tool to map your attack surface and how to gain good insights by using this Web Recon Framework.

Day 3 Agenda Coming Soon...


We will be organising an interesting CTF in collaboration with Security Innovation to play and explore different challenges, learn while having fun and get some awesome prizes All players have fun with exciting prizes to be won! Cash prizes of Rs.10,000 for 1st place, ₹8,000 for 2nd, and ₹5,000 for 3rd Swag boxes & giveaways to the Top 10 participants Certificates to all participants who score