According to Aditi, both Facebook and Microsoft had a remote code execution (RCE) bug of a kind that is relatively new and currently receives little attention.
Aditi also explained that such bugs give hackers easy access to internal systems and the official information they hold. According to her, spotting bugs is not easy, and ethical hackers have to stay on top of their game regarding new bugs so that they can report them and remain eligible for payouts. However, Aditi also emphasises gaining knowledge and learning about ethical hacking first, rather than focusing only on making money.
The 20-year-old ethical hacker also talked about the RCE bug spotted in Facebook and Microsoft, explaining that the developers wrote the code directly when they should first have downloaded it through the Node Package Manager (npm), a subsidiary of GitHub, where anybody can access these companies' code since it is open source. “Developers should write code only after they have the NPM,” she says.
Talking about the RCE bug spotted at Microsoft, she said, “They only fixed the bug which I spotted two months back. They have not fixed all of them.” Not only this, the tech giant took two months to respond, as it was checking whether anybody had downloaded the insecure version. Aditi suggested that before even starting to look for a bug, people should ask the company's support team whether it hosts a bounty program, and only go ahead once the company confirms that such a program exists.
Aditi is a self-taught bounty hunter who has been into ethical hacking for the past two years. According to her, there are plenty of resources available on Twitter, Google, and HackerOne for aspiring bounty hunters. Bug bounty hunters are mostly certified cybersecurity professionals or security researchers who comb the web and scan systems for bugs or flaws through which hackers could sneak in, and then alert the companies. If they are successful, they are rewarded with cash.