Lucky Spin: Godly Programming

Chapter 108: Identifying the target



Before starting any penetration test or ethical hacking operation, the first step in what he was going to do was to define the scope and objective.

He needed to clearly identify what he was testing, whether it was a web application, network, mobile app, or API.

It was also critical to understand what was off-limits, in order to avoid legal or ethical violations.

So the first step was to identify his target, and this is what he found.

These were some of the largest platforms in his world, each one operated by a major company or corporate entity.

YouTube remains a global powerhouse in video content, reaching over 2.3 billion unique monthly users. Though its official market valuation is undisclosed, analysts estimate it contributes over $500 billion to Alphabet's global ecosystem.

Then there was SocialHub, the platform he had already planned to target. It was the world's dominant social network, effectively replacing what Facebook once was on this alternate Earth.

With over 6 billion downloads and a staggering market valuation of 2 trillion dollars, SocialHub was integrated into nearly every modern system, from messaging to digital identity.

EchoRoom is a real-time voice discussion platform, often used for political debates and community town halls. It shows 1.1 billion daily active users and is currently valued at $27.9 billion.

Gramlight is a photo-centric social platform thriving across Southeast and Eastern nations. With 1.4 billion active users and a fast-growing ecosystem, its market cap stands at $16.2 billion.

Reddit supports 1.7 billion contributors worldwide. Its unique token-based system makes its valuation fluctuate, currently hovering around $9.3 billion.

Then there was X. With 430 million monthly active users, X continues to shape public discourse. Though its official valuation is confidential, experts believe it surpasses $90 billion in total brand worth.

Next is LinkedIn, a global hub for professionals that has expanded rapidly with the larger population. It now boasts over 520 million registered users and a valuation of approximately $41.7 billion.

Next is Instagram, which was acquired by SocialHub in 2012 for what would now be considered $2 billion. Instagram thrives with over 380 million monthly active users, integrated into the SocialHub Suite.

Lastly is LinkWave, which seems to be a Tumblr alternative for bloggers, artists, and storytellers.

LinkWave has surged past 740 million active users with a market valuation of $3.5 billion, particularly popular among virtual content creators.

This was what he had found out about their user data based on the latest figures and their market valuation up to this month.

Since he needed money to buy his dream, he planned to act the moment he got paid.

That was why he chose to go after the company with the most money and the ability to pay him immediately without unnecessary delays or complications.

So he chose SocialHub, as it had the highest number of users and the largest market valuation among all the platforms.

Just based on value alone, SocialHub stood at the top of the food chain.

With that in mind, he decided to search for work related to it, one that could bring in real money.

...

[SOCIALHUB BOUNTY BOARD]

Official Vulnerability Disclosure Program

"Help us secure the world's largest platform."

Overview: SocialHub welcomes security researchers to test and report vulnerabilities in our core products. Each valid submission will be rewarded based on the severity and impact of the discovered issue.

Rewards are paid per vulnerability and scaled based on risk.

Scope: (NOTE: The scope after the dash is the Author's explanation)

SocialHub Web App – The main website version you use in browsers.

SocialHub Android & iOS – The official mobile apps for phones and tablets.

SocialHub Messaging & Notification System – The chat, inbox, alerts, and push notifications system.

SocialHub Identity & Login Services – Everything related to account login, sign-up, password reset, and authentication.

SocialHub API v3 & v4 – The backend connections used by apps and services to communicate with SocialHub.

SocialHub Graph & Data Export Engine – The part that handles friend networks, followers, connections, and exporting user data.

The Rules of Engagement are as follows:

Avoid attacking real users or accounts, refrain from using automated scanners or denial-of-service tools, ensure you only test against your own test accounts, and always respect our rate limits and throttling protections.

...

He then scrolled through the SocialHub Bounty Portal. Each listed bug came with a price tag, turning the entire page into a real-world market where security flaws were treated as currency.

What he saw was that a simple reflected XSS could earn enough to buy anything from phones to clothes and more.

But something serious like an account takeover through expired token chaining? That alone starts at fifty thousand dollars, minimum.

The severity level of vulnerabilities varied along with their reward ranges, as shown clearly on the screen in front of him.

Low-severity issues, like UI redress attacks such as clickjacking, and open redirects, offered rewards between $100 and $500.

Medium-severity issues, including reflected XSS and improper authentication redirects, were rewarded between $500 and $3,000.

High-severity vulnerabilities, like stored XSS and IDOR (involving unauthorized access to another user's data), could earn rewards between $3,000 and $10,000.

Finally, critical vulnerabilities, such as account takeovers, remote code execution (RCE), or bypassing multi-factor authentication (MFA), commanded rewards from $10,000 up to $75,000 or more.

...

You might wonder why a company as massive as this still runs a public bug bounty program, even with its own team of developers.

There is one simple reason for that. It is because internal security teams, even the elite ones, cannot catch everything.

That is why big companies often employ a variety of in-house security professionals to safeguard their systems and data.

These include Security Engineers, Application Security (AppSec) Engineers, Penetration Testers, Red Team Specialists, and Software Engineers with a secure coding focus.

These experts are responsible for reviewing, testing, and auditing code before release, ensuring robustness and reducing vulnerabilities.

Additionally, they utilize automated scanners, fuzzers, and code analyzers to identify and address security issues early in the development process.

But even with robust security teams, how can bugs slip through?

The simple answer is that these platforms have massive codebases, often spanning millions of lines, making it nearly impossible to catch every flaw.

Frequent and fast feature releases focus on speed, often at the cost of deep bug checks.

On top of that, complex integrations like APIs, plugins, OAuth, and mobile apps all expand the system's risk surface.

Lastly, hackers approach problems with a creative mindset, thinking in ways that developers often do not anticipate.

This is the biggest reason why bug bounty programs exist.

Companies like Meta, Microsoft, Apple, TikTok, Twitter, Uber, and Google allow ethical hackers to test their systems, offering substantial rewards for any vulnerabilities they find and report.

This strategy builds a crowdsourced security network without needing to grow their internal teams.

It is not even uncommon for individual hackers to earn more than 500,000 dollars from discovering critical bugs on a single platform.

He had already set up a safe environment, EIDOLUX.

He had also ensured that there was no real identity exposure by relying on fake accounts, burner emails, and multiple proxy chains.

But it wasn't enough.

...

Author's Note:

Reading all that, yeah, it sounds like easy money being a hacker or a programmer. But in reality, it is absolutely not.

It's brain-draining, nerve-wracking, and filled with endless hours of trial, error, and deep frustration.

Even I can only build basic games or a simple calculator, which is the bottom of the ladder :(

...

1st: Special thanks to 'Essos👑' – the GOAT of the month, for both the rewarding gifts and golden tickets! Much love, brotha!

2nd: Big thanks to 'Pat_funding👑' for the unwavering support since the very start of my journey and for the golden tickets and gifts!

3rd: Special shoutout to 'Devon1234👑' – The same GOAT of this month, for all the amazing gifts! You're absolutely RAD!
