
Bug Bounty Challenge Update #1

By: Giedrius
17 September 2022 at 13:15

Hi everyone.

Almost a month has passed, so it is time to give an update on how the challenge is going.

Honestly, it is not going so great. I was doubting whether I should even share my progress. However, I decided to be transparent, as I realized that any outcome is still an outcome.

I spent a total of 15 hours hunting.

This is a little bit less than I was hoping to spend. But the first obstacle I faced was a lack of motivation as soon as I started the challenge. The main reason is that doing this after a 9-5 job is hard psychologically, especially when you are not finding anything and you feel like you are wasting your “rest time”.

However, I am not giving up yet, and hope it will get better soon. But for now let’s see what I’ve tried during the first challenge hours.

Choosing My First Target

I’ve already mentioned in my previous article that I am going to hunt on the Intigriti platform. The first, and most important, step was to choose a target.

And the program that I’ve decided to work on is…

Innovapost/Canada Post + Purolator – Responsible Disclosure Program

This is Canada Post’s program, and it has no payouts for accepted vulnerabilities.

I had a few criteria for choosing the company I was going to hunt for:

  • No payouts – I wanted a program that has no monetary rewards. There are normally fewer security researchers working on a program without payouts.
  • Number of exposed systems – I wanted the program to have more than a few systems available. This way the attack surface would be bigger and there would be more chances of finding a bug.
  • Previous submissions – I wanted the program to have potential. If a program has just a few accepted submissions, it means that either the systems are very secure, or they are really picky about the vulnerabilities and reject most of the submissions.
  • Newest submission in the last few days – I wanted to be sure that the program is still active, and that vulnerabilities are still being found.

And Canada Post’s program seems to meet all of my criteria:

  1. It pays no bounties.
  2. It has three domains (I’ve also checked the subdomains, and all the domains have plenty of them), 2 Android applications, and 2 iOS applications.
  3. At the time I was choosing the program, it had more than 140 submissions.
  4. The last submission was 4 days ago.

A few other programs also caught my eye: Tomorrowland, Nestle, Red Bull, Bpost.

However, I’ve decided to start with one at a time.

Things That I’ve Already Done

The first thing I did when I started was subdomain enumeration. For this purpose I used Sublist3r, Amass, and Subdomain Finder to make a list of available subdomains.

Subdomains of the three targets that were in scope:

  • *.purolator.com
  • *.postescanada-canadapost.ca
  • *.canadapost-postescanada.ca

I’ve also tried the brute-force module of Sublist3r; however, strangely, during the process the internet connection disappeared for every device connected to the same network. My guess is that the DNS servers set in my router settings (I am using the DNS servers of the ISP) have some kind of protection against DNS brute force. The internet connection was restored soon after the brute-force attack was canceled.

Each of the tools provided different results. In total I found over 100 active subdomains.

Some of the subdomains timed out, some of them required logging in with Okta SSO, others were there to display the status of one application or another, and the rest were public web applications.

I used Notion.io to take notes on the subdomains I found. This is what my notes look like:

My notes on notion.io

First I checked whether the identified subdomains responded. If they did, I checked them and made short notes about what the subdomain is about.

Then I decided what I should do next. If I found a custom business website on the subdomain (e.g. a parcel sending website), I tested it with Burp Suite and checked for vulnerabilities such as XSS and SQL injection.

If I identified that a product or a software component was on the subdomain (e.g. an Okta SSO login or the default Red Hat Enterprise Linux Test Page), I tried to identify the version and check for known CVEs.

For the custom websites I also tried directory brute force and inspected the cookies and headers.
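As an added illustration of the enumeration step above (example code, not the author’s), here is a small script that merges the output of several subdomain tools, deduplicates it, and keeps only hosts inside the three in-scope wildcards, rejecting look-alike names that a plain suffix check would let through. The tool output is constructed sample data, and treating a wildcard entry as also covering its apex domain is an assumption to verify against the program rules.

```python
"""Merge subdomain enumeration output from several tools and keep only in-scope hosts.

Added example for this post, not the author's code. The tool output below is
constructed sample data, not real enumeration results.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Dict, Iterable, List

# The three wildcard scope entries listed in the post.
SCOPE = [
    "*.purolator.com",
    "*.postescanada-canadapost.ca",
    "*.canadapost-postescanada.ca",
]

# Constructed sample output, one hostname per line, in the shape tools such as
# Sublist3r or Amass print it: mixed case, stray wildcard prefixes, trailing
# dots, and a few hosts that only look in scope.
TOOL_OUTPUT: Dict[str, str] = {
    "sublist3r": """
        www.purolator.com
        Shop.Purolator.com
        eshiponline.purolator.com.
        *.dev.purolator.com
    """,
    "amass": """
        shop.purolator.com
        www.canadapost-postescanada.ca
        status.canadapost-postescanada.ca
        purolator.com.attacker.example
    """,
    "subdomain_finder": """
        www.postescanada-canadapost.ca
        notpurolator.com
        purolator.com
        SHOP.PUROLATOR.COM
    """,
}


def normalize(line: str) -> str:
    """Lower-case a hostname and strip whitespace, wildcard prefix and trailing dot."""
    host = line.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return host


def in_scope(host: str, scope: Iterable[str]) -> bool:
    """True if host is a scope apex or a subdomain of it on a label boundary.

    A bare endswith() check is wrong: 'notpurolator.com' ends with 'purolator.com'.
    Assumption: the wildcard entry also covers the apex domain itself; whether
    it does is program-specific, so check the program rules.
    """
    for entry in scope:
        base = normalize(entry)
        if host == base or host.endswith("." + base):
            return True
    return False


def merge_subdomains(tool_output: Dict[str, str], scope: Iterable[str]) -> Dict[str, object]:
    """Deduplicate hosts across tools and split them into in-scope and out-of-scope.

    Returns sorted host lists plus, per host, the list of tools that reported it.
    """
    seen_by: Dict[str, List[str]] = defaultdict(list)
    for tool, text in tool_output.items():
        for line in text.splitlines():
            host = normalize(line)
            if host and tool not in seen_by[host]:
                seen_by[host].append(tool)
    scope_list = list(scope)
    in_hosts = sorted(h for h in seen_by if in_scope(h, scope_list))
    out_hosts = sorted(h for h in seen_by if not in_scope(h, scope_list))
    return {"in_scope": in_hosts, "out_of_scope": out_hosts, "seen_by": dict(seen_by)}


if __name__ == "__main__":
    result = merge_subdomains(TOOL_OUTPUT, SCOPE)
    for host in result["in_scope"]:
        print(f"{host:40} seen by {', '.join(result['seen_by'][host])}")
    print("out of scope:", ", ".join(result["out_of_scope"]))
```

The "seen by" column is the useful part for note-taking: a host reported by only one tool is the one most worth re-checking before it goes into the tracking table.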

What Are the Results?

There are some vulnerabilities that I’ve found, but according to the program rules, these are out of scope.

I found out that one of the applications leaks technical information in case of a server error.

Another vulnerability that I’ve found might be treated as sensitive information leakage. There is a status page that shows the utilization of specific systems. This could help malicious hackers execute DDoS attacks, as it shows how the system reacts to increased load. Normally such a page should be accessible to the system owners only.

I might still submit them, for learning purposes, just to see how the communication goes, but these are unlikely to be accepted.

While I would normally include them in a penetration testing report, it seems that the rules are stricter when hunting on the assets of bug bounty programs.

But again, I’ve only spent 15 hours working on the program, and part of that time was spent choosing the program. I might still be able to find bugs on this one.

Also, I’ve written an article about the problem I faced when I ran Burp Suite with my antivirus software enabled. This can be considered a small milestone of the challenge.

What’s Next?

It looks like the approach I am currently using is not very effective against the systems found on bug bounty platforms. A typical approach helps to find vulnerabilities in typical systems, but not in systems that are battle-tested.

Next I am going to check what types of vulnerabilities are being found in bug bounty programs. There are many public HackerOne reports, so that will help. I am also going to continue with the same scope, dig deeper, and check for these vulnerabilities (I am guessing it will be IDORs and XSS injections in complicated places).

I will also try to dig deeper, especially into the custom applications.

Stay tuned.

Planning the challenge – https://bughacking.com/the-160-hours-bug-bounty-hunting-challenge/

The post Bug Bounty Challenge Update #1 appeared first on Bug Hacking.

The 160 Hours Bug Bounty Hunting Challenge

By: Giedrius
19 August 2022 at 16:05

Bug bounty is one of the hot topics nowadays. If you are actively following cybersecurity people on social networks (especially Twitter), you have probably noticed this. Once in a while you see that one person or another found a high severity vulnerability and was rewarded with a significant bug bounty.

On the other hand, this is pretty rare. Many people are participating, but only a few are succeeding.

So how promising are bug bounties? Is it just a way to kill your time without earning anything, or is it a legit way to make a living?

I guess it is something in between. At least that’s my opinion. But out of curiosity and for learning purposes, I’ve decided to try it myself.

That’s why I am starting a 160 hour bug bounty challenge.

This is an introductory blog post explaining my motivation and goals. I will update my progress periodically, and you could expect the next article after about a week or two. In my next post, I will talk about the targets I’ve worked with and what strategies I’ve used.

Why?

I’ve had this idea for a while.

There is a popular opinion that by participating in bug bounties you are free to decide how much you work and when you work. Even though I have a very realistic view of bug bounties and I understand that only a few make a living from it (compared to the many who are trying), I wanted to check whether this is true.

I am not dreaming of becoming a full time bug bounty hunter, as it has some drawbacks that I am not amazed with (I’ve explained them in my other article). But of course, earning some pocket money would not hurt.

The reason why I am really going to do this is to become a better penetration tester and to grow my skills.

So, I will be dedicating part of my free time to searching for bugs.

I know this will not be easy mentally, as I will be doing this in my free time, so every hour spent will be a significant personal contribution to this challenge. Also, being a bug bounty hunter is similar to being a professional poker player – it requires discipline and a specific mindset.

Goals of the Challenge

Goals of the bug bounty challenge

I probably spent more time than needed planning and strategizing how I am going to execute this. Looking back now, it would have been wiser just to jump into bug bounties.

Anyway, this is what I want to achieve:

  • Understand the potential RoI of bug bounty hunting with my current skill set (time spent vs money earned)
  • Learn a lot. As I can work on anything I want, I can choose the targets where I will learn the most.
  • Have bugs found under my name that I could add to my portfolio. Being employed at a company, I can’t disclose my accomplishments to the public (because of the NDA). But having publicly disclosed vulnerabilities would benefit my career in the future, as I will be able to add them to my portfolio.
  • Give back to the community by documenting my journey on my blog. I would be happy if my journey inspires at least one person to start participating in bug bounties.

Some other things that I want to emphasize:

Financial goals: I have none. By setting financial goals I would put myself under unnecessary stress. This would have a negative impact on my productivity, and I would potentially miss the possibility to learn from interesting targets (“this one does not pay that much, I should not pay attention to the program”).

Challenge duration: 160h. This number is not based on anything specific. But I believe that in order to see some results you need to spend some time on the craft. After some time, e.g. after 160 hours, you can draw conclusions. 160h equals working for a whole month full-time (8 hours a day, 20 days a month). So, it is interesting to investigate what can be achieved in a month.

When I am going to hunt: “at night”. Well, maybe not literally. I am aware of the possibility of burnout when doing this after my 9-5 job. So, I will try to spend at most a couple of hours each working day, and will hack for a little longer during the weekends.

Platform: Intigriti. While there are many different platforms out there, I’ve decided to start on Intigriti. Even though I am not very familiar with it, I like the platform. I also expect there to be less competition compared to HackerOne or other bigger players.

My Strategy

I am going to spend some time on one program, try all the things I know and can, then move to another one after a while (after 5h, 20h, 40h, etc. This really depends on the size of the target).

What I mean by “trying everything I know”:

  • Using open source recon tools and scanners
  • Checking for IDORs, and other OWASP vulnerabilities
  • Using OWASP checklists and assessing functionality manually
  • Executing other security checks relevant to the target

Nothing too fancy.

I could go with one of the approaches:

  • Choose one type of vulnerability and look for it on different targets that are in scope of the vulnerability disclosure programs.
  • Choose a target and thoroughly look for different types of vulnerabilities

As I am heavily focused on learning in this project, I will be focusing on testing different targets. So I will do my best with my current skills and knowledge. Of course, reading vulnerability disclosure reports will be a part of the journey, but I will try to spend as much time hands on as possible.

As an example – if I find that the target is using an Oracle database, I won’t spend day after day reading everything about Oracle database configuration; I will rather check if the software is up-to-date and, if not, what the vulnerabilities are and how they can be exploited.

My Background

I started my career 3 years ago, when I was still at university (I finished IT studies at Vilnius University). I got a job at a company creating custom software. At the beginning of my career I was working part time as a QA, but at the same time I was learning penetration testing.

So, right now I have almost 3 years of experience working as a penetration tester, and I am working with different clients of our company. During my career I’ve mostly performed penetration tests for web applications. However, once in a while I have to perform internal penetration testing.

I am not a superstar pentester, and during day to day testing I often rely on commercial tools (so my manual pentesting skills are not on a high level), but I am not a newbie either. I still have so much to learn, and I consider my knowledge average at most.

Why Making a Full Time Living From Bug Bounties Is Not My Goal

First of all, I find it highly unrealistic that I will be able to earn the same while bug bounty hunting as I am earning being employed as a 9-5 penetration tester. There aren’t many people doing bug bounties full time instead of the traditional 9-5.

I would be happy to disprove this. But in order to earn while doing bug bounties full time, you have to constantly deliver. And if you are a 9-5 worker you get paid for the hours. So, it means you are also being paid for participating in useless meetings and working with dull documentation.

Also, getting started in bug bounty hunting is hard. There is a lot to learn and there is a lot of competition. Even if I manage to find vulnerabilities, I have to be faster than the others to get paid.

And of course, the cost of living in Lithuania, where I am based, is not very low. It is not as high as in western countries, but far higher than in some countries, such as Pakistan or India, where you could potentially make better money from bug bounties than from a 9-5 job at a local IT company.

Another reason why I am not thinking about going full-time on bug bounties is that I want to keep it fun. And the easiest way to start hating your hobby is to do it full time.

Even though I will not be looking at financial numbers while doing this, I expect this to pay off in the long term. I will be building a skillset and creating a track record of bug bounties. With solid knowledge that I can prove, I will be able to progress my career. Certificates, blogs, bug bounties – everything helps you to stand out from the competition. I strongly advise you to work on side projects if you want to progress your career.

Part Time Bug Bounties vs Full Time Bug Bounties

Let’s start with the advantages of spending your whole time on bug bounties:

  • You learn at a fast pace. As you can choose which vulnerability disclosure programs to work on, you can learn dozens of things along the way. You can test different systems with various tech stacks and use different testing tools and methodologies.

Disadvantages of the full time bug bounty hunting:

  • If you are thinking of doing this instead of a “normal” 9-5 job, you are facing an unstable income. This can be pretty stressful, as you do not know whether your effort will get rewarded. You might not find anything after spending a month on a target, or your findings might be rejected as duplicates.
  • Chance of burning out. This is a serious problem not only for cybersecurity professionals, but for other professions too. However, cybersecurity specialists often face the chance of burning out. If you spend day after day searching for vulnerabilities, which is a pretty technical job, you might soon face the consequences.

What are the advantages of doing bug bounty hunting part time:

  • If you are doing this in your free time, you are not restricted to anything and you can have an open and well rested mind. Bug bounty hunting for 2 hours each day might be beneficial compared to the grind of 8h+. You might be more creative and have better ideas during split sessions on different days. Different things, such as your mood and level of energy, are huge success factors. And while you are sitting on the same task for a prolonged period of time, being creative might be harder. On the other hand, if you are digging to find one specific vulnerability, focused and undisturbed time might be better than 4 separate sessions.

Final Words

As this is a public challenge, I am going to periodically release updates. I have not decided how frequently I am going to share my progress, but I will try to write every 20-40 hours spent on bug bounty hunting (of course, if anything major happens, more frequently).

I am also not sure how long the journey will take. But I believe it will take at least a few months, as the 160h is not calendar time, but the actual time spent working. So, maybe some weeks I will not feel like doing it and will spend only 10 hours. But some other weeks I might dedicate more time to this.

What I promise you, is that I will not step back and I will finish the challenge.

Wish me luck!

Update no. 1 – https://bughacking.com/bug-bounty-challenge-update-1/


Best Bug Bounty Platforms

By: Giedrius
10 July 2022 at 07:14

According to the NVD database, over 6000 vulnerabilities were published in Q2 of 2022. This is a really astonishing number, considering that these are only the vulnerabilities with a CVE assigned. Plenty of vulnerabilities were found in custom software that does not receive such an ID. The rate at which vulnerabilities are being found is not slowing down. That’s why ethical hackers who search for security flaws are in high demand. And one of the ways to bring together ethical hackers and companies that want their systems tested is through bug bounty platforms. So, today we are going to talk about the best bug bounty hunting platforms.

Why Are Security Researchers Participating in Bug Bounties?

People participate in bug bounties for many reasons. Some of them want to quit the corporate job and be in control of when they work and how much they work. Others want to learn. And for others, this looks like an easy way to get rich. While this is definitely not a “get rich quick” method, a dedicated person can truly earn from this, either by doing it full time or part time.

What Is the Purpose of the Bug Bounty Hunting Platforms?

A bug bounty platform is a place where various bug bounty programs are listed. The platform usually acts as a bridge that brings together companies that want their systems tested and ethical hackers who want to test the systems for a reward or recognition.

In a way, a bug bounty platform is a man-in-the-middle.

Bug bounty platform is a middleman between hackers and companies

Think of a bug bounty platform as a notice-board. Various companies have announced their bug bounty programs, and everyone can come and see which companies they are. Each of the postings has rules of engagement, targets in scope, and minimum and maximum payouts for the bounties.

Everyone can see this information (if the bug bounty program is public) and participate. One of the benefits of such platforms is that you can use them to report vulnerabilities. After submitting a report, a representative of the company to which you submitted the vulnerability will be able to review it and accept or reject it.

Benefits of a bug bounty platform for security researchers:

  • Listings of various vulnerability disclosure programs (VDP) in one place
  • Rankings – you can easily compare how you stand with other platform users
  • Reports of publicly disclosed vulnerabilities. This is beneficial to understand how a report of a specific vulnerability should look, and to learn in general.
  • Legal protection – you can participate in the programs legally without worrying about the consequences for doing the right thing.

Benefits of a bug bounty platform for companies:

  • Exposes targets to a high number of penetration testers. This results in vulnerabilities being found before they are exploited by malicious hackers
  • The platform removes some of the administrative burden and assists in assessing the findings that hackers have submitted
  • Promotes the vulnerability disclosure program to security researchers. The users are already there and they are working on different programs

How Popular Is the Bug Bounty Hunting?

It all started in the mid-90s, when Netscape created the first bug bounty program ever. At the time, a bounty of 500 dollars was declared for bugs. The same amount of money remained the standard prize until 2010, when Google started offering 1337 dollars for higher severity vulnerabilities. Soon after that, bug bounties started gaining traction and potential payouts started to grow. And here we are – right now, Apple offers up to 1 million dollars for critical vulnerabilities.

And such bounties attract security researchers. According to the Hacker-Powered Security Report: Industry Insights ’21, released by HackerOne, the number of submitted bugs increases every year.

38 863 bugs were reported in 2020, and in 2021 this number increased by 10% – up to 42 805 bugs.

According to HackerOne, the number of bugs submitted grows each year

Money is also there. According to the same report, on average you can earn 3000 dollars for a critical vulnerability. This is a 20% increase from the average amount in 2020.

Payouts by vulnerability criticality

So – are the bug bounties worth it?

They are, for many different reasons:

  • First of all, it’s a great way to learn.
  • Secondly, this is rewarding financially (however you will unlikely get rich, especially if you are just starting).
  • Thirdly, the community is awesome. There are so many great people you can learn from.

How to Choose a Bug Bounty Hunting Platform?

In order to have the answer, you must ask yourself a simple question – what is your goal?

Is your main goal to learn?

Then the biggest bug bounty platforms, such as HackerOne or Bugcrowd, have many participating companies with big scopes. However, you can learn from any program, so you don’t have to fixate on one platform. A good way to become good at hunting is to read the reports of other security researchers. HackerOne’s disclosed vulnerabilities come in handy in this matter.

Do you want to make the internet a better place?

If you want to make public software safer, search for vulnerabilities in open source. Open Bug Bounty is a project for this purpose.

Are you interested in blockchain bug bounties?

For this purpose there are dedicated bug bounty platforms. One of them is Immunefi.

Are you a seasoned professional looking for the extra money?

Choose private bug bounty programs where the competition is lower. While getting into a private bug bounty program is harder, the rewards might be better, and, usually, there is less competition. However, as top notch talents participate in the private programs, don’t expect it to be easier to find vulnerabilities compared to the public programs.

These were just examples; you can still learn, earn, and make the internet a safer place while working on any bug bounty hunting platform.

And how do you choose a bug bounty program from a platform?

There is no correct answer.

If you are a beginner and want to learn, you should not restrict yourself. You might pick one program, and then switch to another. A good idea would be to choose a program with many disclosed reports. This way you can spend some time testing, and when you are familiar with the application you are testing, you might check the reports and analyze whether you managed to find such vulnerabilities on your own.

But if you want to earn some extra money, you should look for the programs that have the fewest researchers. The reason for this is that well established programs have many people searching for bugs, and they have probably found many of them. So, there might be fewer vulnerabilities left. But of course you should also check the payouts for the disclosures, and how many of the reports resulted in payouts.

Best Bug Bounty Platforms

The main criteria that determine the worth of the bug bounty hunting platform are the number of organizations on the platform and the number of participating users.

The more different companies trust the platform to implement their bug bounty program, the easier it is for the bug bounty hunter to choose what they want to work on.

And a large number of registered people shows that the platform is popular among researchers and is reliable. Choosing a platform might be difficult at first. If you are a beginner, just get started on one, try the other ones, and decide which one you like the most.

Another important thing to understand about bug bounty platforms is that there are private and public programs. In order to be invited to private programs you will have to earn your name. But more on this later.

These are the best bug bounty platforms.

HackerOne

HackerOne bug bounty platform

HackerOne is probably the most popular bug bounty platform. Founded in 2012, and based in San Francisco, California, HackerOne received funding in Series A, B, C, D, and E rounds. In the last funding round, Series E, HackerOne raised 49 000 000 USD. Being one of the pioneers of bug bounty platforms, HackerOne is one of the biggest names in the industry.

Some facts about HackerOne:

  • Over 1 million security researchers on the platform
  • More than 294 000 vulnerabilities resolved through the system
  • 1 000 companies are working with HackerOne (although not all of them have vulnerability disclosure programs on the platform)
  • Over 100 000 000 USD in paid bounties (as of May 2020)
  • Has many public reports that are a great source of learning

Although HackerOne recently grabbed media attention because of the scandal involving an insider employee who was selling submitted bug reports, this is one of the most reliable and reputable bug bounty hunting platforms.

Bugcrowd

Bugcrowd bug bounty platform

Bugcrowd is another bug bounty platform that is a huge name in the bug bounty industry. Founded in 2011, it is one of the first, and one of the largest, platforms. The company was founded in Sydney, Australia, but right now they have different offices across the world, with the HQ in San Francisco.

Various companies trust Bugcrowd to host their vulnerability disclosure programs, and Bugcrowd also offers penetration testing services and attack surface management.

Currently Bugcrowd has over 1400 bug bounty programs.

Intigriti

Intigriti bug bounty platform

Intigriti is another popular bug bounty platform. It claims to be the most popular platform in Europe, and it has many European companies as its clients. Founded in Belgium in 2016, the company has made its name in the community. Intigriti is active with its blog (they publish Bug Bytes, a periodical infosec news digest), and they are also actively engaging with the audience on Twitter.

While Intigriti has fewer bug bounty hunters than the big players, such as HackerOne, right now there are:

  • About 400 active bug bounty programs
  • About 50 000 security researchers
  • Over 5 million in bounties paid

Intigriti secured over 21 million in Series B funding in April 2022, and is growing year after year.

YesWeHack

Yeswehack bug bounty platform

YesWeHack is another bug bounty platform founded in Europe – it is headquartered in Paris, France. The company has offices in France, Singapore, Switzerland, and Germany.

The platform has 30+ different bug bounty programs.

While this is not the biggest platform out there, the company is gaining traction. In 2019 YesWeHack raised 4 million euros in a Series A funding round. And in 2021, the platform raised 16 million euros in a Series B funding round.

Synack

Synack bug bounty platform

Synack is a bug bounty platform you won’t get onto that easily. Created in 2013 by former NSA agents Jay Kaplan and Mark Kuhr, Synack provides various cybersecurity services for the biggest companies. Synack also has private bug bounty programs for security researchers; however, in order to participate in them, you must prove yourself and apply for a seat in the Synack Red Team.

One of the biggest advantages of Synack is that you can additionally get paid for things other than found bugs. Checklist work is also rewarded.

As Synack takes care of the triage process and pays the bounties to the security researchers themselves, the process is stable and consistent.

Openbugbounty

Openbugbounty bug bounty platform

While you won’t become rich by participating in Openbugbounty bug bounties, you have the chance to make the internet a little bit safer. Openbugbounty is a community-driven platform that connects security researchers who found a vulnerability in any website with the website owners.

With the help of the platform, over 1 259 000 disclosures were submitted, and over 905 000 vulnerabilities were fixed.

Almost 1 600 bug bounty programs are on the platform, and over 3 165 websites can be tested.

To date, the platform has attracted over 28 000 security researchers.

Hackenproof

Hackenproof bug bounty platform

If you are interested in Web 3.0 bug bounties, Hackenproof is the platform to go to. The platform is dedicated entirely to the bounties of crypto projects. The platform was created by Hacken, a company that was founded in Kyiv, Ukraine in 2017, and since then it has been delivering cybersecurity services with a strong focus on blockchain security.

Currently there are 37 bug bounty programs on the platform. And the total reward pool for the bounties is over 553 000 USD. Programs have received over 5700 reports.

Immunefi

Immunefi bug bounty platform

Immunefi is another bug bounty platform that is dedicated to Web 3.0 bug bounty programs. Founded at the end of 2020, Immunefi offers some of the biggest bug bounties in the industry.

Bug bounty programs on Immunefi have payouts of up to 10 000 000 USD.

In total, over 40 000 000 USD in bounties has been paid out. And there is still over 132 000 000 USD in potential bounties left.

As Web 3.0 is an industry where a hack could cause tremendous financial losses, the vulnerabilities found have averted over 20 billion USD in hack damages.

If you are a smart contract auditor, this is the platform where you will find many smart contract bug bounties.

Does Bug Bounty Experience “Count” as Work Experience?

While there are some positions where formal education and certificates are a must, people with experience are more valuable than fresh graduates. And if you have bug bounty experience, you can prove that you are capable of finding underlying security issues.

Unfortunately, not every HR person understands what bug bounties are, and how much of a gem a person with a track record of vulnerabilities found in bug bounties is.

As the term ‘bug bounties’ might not mean anything to some people, when applying for jobs you must formulate the fact that you have bug bounty experience accordingly. Example:

I have spent the last 6 months searching for vulnerabilities in the systems of companies in various industries (some of the companies: Google, Facebook, Yahoo). I’ve managed to find critical vulnerabilities that, in total, were rewarded with 15 000 USD.

This definitely explains more than the plain fact that you’ve participated in bug bounty hunting.

How Hard Is It to Earn a Living as a Full Time Bug Bounty Hunter?

What is worth considering is the experience you already have. If you do not have much IT experience, jumping directly into bug bounties and expecting to make a full time living is just not very smart.

The applications that are in the programs are “battle tested”. Internal security teams have already performed penetration tests before exposing targets to the public. So it is way harder to find a vulnerability in such applications.

If you do not have enough experience with penetration testing, you should keep your expectations low. Of course, you might get paid, but you have to be extremely lucky; in most cases this will not pay off financially. Keep in mind that many people are searching for bugs on the same target. Some of the most popular bug bounty programs even have thousands of security researchers searching for bugs.

Be aware of burnout.

If you are a full time bug bounty hunter, you can easily burn out. And the reason for this is that the job is pretty technical. Also, hackers have the mindset of not giving up and trying harder. But if you know how to keep a work-life balance, you will be fine. It is crucial to understand that life is more than bugs.

Another thing to consider before switching to full time bug bounty hunting is that you will be working alone. Of course, the community is pretty supportive, and you can always talk with like-minded people on Twitter. But the fact is that you won’t be working in a team, and you won’t be communicating with people during your work (only when explaining your findings). If you are an extrovert who likes communicating, you might miss it sooner or later. Social isolation is a serious risk.

While bug bounty hunting is a way of making a living, if you love hunting for vulnerabilities, you might consider becoming a penetration tester. Here I’ve written an article about penetration testing as a career.

Private vs Public Bug Bounty Programs

The main difference between private and public bug bounty programs is that private ones are available to a smaller set of security researchers.

In order to be invited to private bug bounty hunting programs, you must build a reputation. And the best way to do so is to have a track record of disclosed vulnerabilities.

By participating in bounties and having different vulnerabilities disclosed, you will receive an invitation. For example, if you are hunting on HackerOne and building your profile there, and you are successful enough, you will receive messages with invitations to private programs.

The reason why these programs are private is that the participating companies do not want to expose everything to the public. Even though more testers would participate if the program were public, it also brings more risk, especially if it is a critical system for the company.

Final Words

In the end it really does not matter which platform you choose. As long as you are hunting for security bugs, you are progressing in your career. You can pick one platform or another from this list of the best bug bounty platforms, get yourself familiar with it, and if you want to test another one, feel free to switch. After all, these are just platforms. The most important thing is the enrolled companies. And some of the companies might be participating on different platforms.