In early 2022 Hack The Box (HTB) released their first certification - the Certified Bug Bounty Hunter. They claim that "certification holders will possess technical competency in the bug bounty hunting and web application penetration testing domains at an intermediate level".

No - you don't need a certification to be bug bounty hunter, so the certification is essentially for junior web application penetration testers or web developers who want to understand the web penetration testing domains up to an intermediate level.

Since I was already familiar with HTB, I decided to give it a shot and started the pathway a few months ago. At this time, there was little information about the certification online, although it appears to be picking up in popularity recently - so I decided to share my experience with the exam with the hopes that it could answer a question someone may have about the process.

The Course Content:​

HTB estimates that completing the course contents will take around 144 hours. If you're very committed to it, you could complete the content within a month but this will only hurt you when you take the exam if you're rushing through it. I would recommend 2-3 months if you're able to dedicate time to the content, or a little longer if you're planning to just pick away at it or are completely new to web apps.

The course covers the following content:

The course material is completely text based, combined with many practical tasks. I'm a big fan of how they presented the material, but I know text-based content isn't for everyone - so keep that in mind.

The Exam:​

Once you complete the course content and obtain all the flags in the exercise machines, you'll be able to activate an exam voucher.

Once you activate your voucher, a letter of engagement will be provided which will outline the requirements to pass. You will have 7 days to complete the exam.

To pass the exam you must:

1. Obtain enough points (by submitting found flags on the exam lab’s page - the number of points required to pass will be shared only upon starting the exam).
2. Submit a commercial-grade report which includes the identified vulnerabilities and remediation advice (a template is provided once the exam is started). This is evaluated against quality requirements.

You should receive the results within 20 business days. If you fail, that's fine, because the exam voucher includes a free retake.

5 Exam Tips:​

1. The exam is different to the course labs. The exam simulates multiple real-world applications and to obtain a flag, you'll need to think outside the box and chain multiple vulnerabilities together. Going into the exam - I did not expect to be chaining vulnerabilities together, so I had to quickly adapt my mindset and think outside the box in order to obtain them. Once I understood this, I started to obtain them. The exam is therefore not easy, but it is fair.
2. Have an in-depth understanding on how the covered vulnerabilities work, as well as how to manually exploit them. Pointing a readily available tool at the web app and expecting RCE in return likely won't work. You'll need to manually poke the application and understand it's responses in order to discover vulnerabilities. And again, may need to chain multiple vulnerabilities together.
3. Everything you need to pass is covered in the provided material. However, don't expect to just run an exploit tool or copy and paste a payload. Again, you'll need to think outside the box and chain multiple techniques together in order to pass.
4. Enumerate, enumerate, enumerate. And when you gain a foot hold, enumerate even more!
5. Approach the exam methodically (ensure you make a methodology while studying the content!) and take your time. You have 7 days after all (14 if you include the free retake). If you feel stuck, take a break to clear your head and give it another go. It was more then once that I got stuck on a section for hours, only to take a break and solve it within a few minutes of sitting back down.

Would I Recommend it?​

The course - 100%! And especially if you're a student. The $8 USD/month price is incredible value for such a high quality course. If you're not a student, the pricing gets a bit more complicated as they use "cubes" to unlock modules. The entire course costs 1410 cubes. Which can be purchased for about $110 USD (as you gain some cubes along the way while obtaining the flags). There are also monthly/yearly subscriptions available which may benefit you more. Either way, I'd still highly recommend the course for those that want to understand web-app penetration testing. Also keep in mind that by completing the CBBH course, you'll already be almost 1/3 through the HTB CPTS course!

The exam - well, it depends. The certification isn't as recognised as other web-app penetration testing certifications so this makes it more difficult to recommend. The decision of calling it "Bug Bounty" and not "Junior Web-App Penetration Tester" also raises the question of "why have a bug bounty certification?". At the price of $210 USD (about $375 AUD with taxes), I find it hard to recommend for everyone at this stage. But if you're like me and wanted to get it to practice a little, to test your skill level before moving onto other, more advanced certifications - then go for it! I did greatly enjoy the exam after all and am looking forward to trying other HTB certs in the future :)