Bug Bounty Hunting: Complete Guide from Beginner to First Bounty
A comprehensive guide to starting your bug bounty hunting career, covering platforms, methodologies, tools, techniques, and tips for finding your first vulnerability and earning rewards.
Bug bounty hunting has become one of the most rewarding career paths in cybersecurity. This comprehensive guide will take you from absolute beginner to finding your first vulnerability and earning your first bounty.
What is Bug Bounty Hunting?
Bug bounty hunting is the practice of finding and reporting security vulnerabilities in web applications, mobile apps, and systems to companies who reward researchers for their findings.
Why Bug Bounty?
- Earn Money: Get paid for finding vulnerabilities
- Legal Practice: Test real applications with permission
- Build Skills: Learn by doing on real-world applications
- Recognition: Build your reputation in the security community
- Flexible: Work on your own schedule
- Career Growth: Opens doors to security jobs
Success Stories
- Top hunters earn $100K+ annually
- Google paid $12M+ in bounties
- Some researchers found critical bugs worth $50K+
- Many hunters turned into full-time security professionals
Top Bug Bounty Platforms
1. HackerOne
Website: https://hackerone.com
Programs: 2000+
Total Paid: $200M+
Best For: All levels
Pros:
- Largest platform
- Most programs
- Great community
- Excellent support
- Transparent statistics
Cons:
- Competitive
- Some duplicates
- Response times vary
2. Bugcrowd
Website: https://bugcrowd.com
Programs: 1000+
Total Paid: $60M+
Best For: Intermediate hunters
Pros:
- Quality programs
- Good payouts
- Professional platform
- Fast responses
Cons:
- Fewer public programs
- More competitive
3. Intigriti
Website: https://intigriti.com
Programs: 300+
Focus: European companies
Best For: All levels
Pros:
- Less competitive
- European focus
- Good payouts
- Responsive teams
Cons:
- Smaller platform
- Fewer programs
4. YesWeHack
Website: https://yeswehack.com
Programs: 500+
Focus: European/French companies
Best For: Beginners
Pros:
- Beginner-friendly
- Multiple languages
- Good training
- Active community
Cons:
- Smaller payouts
- Limited English programs
5. Synack
Website: https://synack.com
Type: Invite-only
Payout: High
Best For: Experienced researchers
Pros:
- High payouts
- Quality targets
- Less competition
- Professional
Cons:
- Invite-only
- Must pass tests
- Strict rules
Prerequisites and Preparation
Essential Skills
1. Web Technologies
Must know:
- HTML/CSS/JavaScript
- HTTP/HTTPS protocols
- REST APIs
- JSON/XML
- Cookies and sessions
- Authentication mechanisms
2. Programming Languages
Recommended:
- Python (automation, scripting)
- JavaScript (understand web apps)
- PHP (many targets use it)
- SQL (database testing)
- Bash (terminal automation)
3. Security Concepts
- OWASP Top 10
- Common vulnerabilities (XSS, SQLi, CSRF)
- Authentication and authorization
- Encryption basics
- Network fundamentals
Learning Resources
Free Courses
Recommended platforms:
1. PortSwigger Web Security Academy
   - Free comprehensive course
   - Hands-on labs
   - Certificate
2. TryHackMe
   - Guided learning paths
   - Practical labs
   - Bug bounty rooms
3. HackTheBox Academy
   - In-depth modules
   - Real-world scenarios
   - Free and paid content
4. PentesterLab
   - Web penetration testing
   - Bug bounty focused
   - Progressive difficulty
Books
- "The Web Application Hacker's Handbook"
- "Real-World Bug Hunting" by Peter Yaworski
- "Bug Bounty Bootcamp" by Vickie Li
- "Web Hacking 101" by Peter Yaworski
YouTube Channels
- NahamSec: Bug bounty tips and live hacking
- STÖK: Interviews and techniques
- InsiderPhD: Beginner-friendly tutorials
- LiveOverflow: Deep technical content
- PwnFunction: Animated security concepts
Essential Tools
Reconnaissance Tools
Subdomain Enumeration
```bash
# Subfinder - Fast subdomain discovery
subfinder -d target.com -o subdomains.txt

# Assetfinder - Find domains and subdomains
assetfinder --subs-only target.com

# Amass - Comprehensive enumeration
amass enum -d target.com -o amass_output.txt

# Findomain - Fast and accurate (-o writes results to a file named after the target)
findomain -t target.com -o
```
Port Scanning
```bash
# Nmap - Network scanner
nmap -sV -sC target.com

# Masscan - Fast port scanner (takes IP addresses or ranges, not hostnames;
# 203.0.113.0/24 is a documentation range used here as a placeholder)
masscan -p1-65535 203.0.113.0/24 --rate=10000

# Naabu - Fast port scanner (-p - means all ports)
naabu -host target.com -p - -o ports.txt
```
Directory/File Discovery
```bash
# FFuF - Fast fuzzer
ffuf -u https://target.com/FUZZ -w wordlist.txt

# Gobuster - Directory bruteforcer
gobuster dir -u https://target.com -w wordlist.txt

# Dirsearch - Web path scanner
dirsearch -u https://target.com -e php,html,js
```
Vulnerability Scanning
Web Application Scanners
```bash
# Nikto - Web vulnerability scanner
nikto -h https://target.com

# Nuclei - Fast template-based vulnerability scanner
nuclei -u https://target.com -t cves/

# Dalfox - XSS scanner (quote the URL so the shell does not interpret ? and &)
dalfox url "https://target.com/page?param=value"

# SQLMap - SQL injection tool
sqlmap -u "https://target.com/page?id=1" --batch
```
Proxy Tools
Burp Suite
Essential for:
- Intercepting requests
- Modifying parameters
- Repeating requests
- Scanning for vulnerabilities
- Testing authentication
Key features:
- Proxy
- Repeater
- Intruder
- Scanner (Pro)
- Extensions
OWASP ZAP
Free alternative to Burp:
- Open-source
- Active scanning
- Passive scanning
- Automated testing
- API support
Automation Scripts
```bash
# Recon automation
# Install several tools and chain them together
# Example workflow: enumerate subdomains, probe the live web hosts, then run CVE templates
subfinder -d target.com | httpx | nuclei -t cves/
```
Bug Bounty Methodology
Phase 1: Target Selection
Choose programs based on:
1. Scope (what's allowed to be tested)
2. Reward range ($100-$50,000+)
3. Response time (how fast they triage)
4. Resolution time (how fast they fix)
5. Competition (number of hunters)
Best for beginners:
- New programs (less competition)
- Wide scope (more attack surface)
- Active programs (responsive teams)
Phase 2: Reconnaissance
Passive Reconnaissance
```text
# Gather information without interacting directly with the target

# Google Dorking
site:target.com
site:target.com filetype:pdf
site:target.com inurl:admin
site:target.com intitle:"index of"

# Wayback Machine - find old versions and endpoints
https://web.archive.org/web/*/target.com

# Certificate Transparency - find subdomains via TLS certificates (crt.sh is a website, queried by URL)
https://crt.sh/?q=%25.target.com

# GitHub Dorking - find leaked credentials and secrets
org:targetorg password
org:targetorg api_key
org:targetorg secret
```
Active Reconnaissance
```bash
# Direct interaction with the target

# Subdomain enumeration
subfinder -d target.com

# Port scanning
nmap -sV target.com

# Technology detection
whatweb target.com
# (or the Wappalyzer browser extension)

# JavaScript file analysis - look for endpoints, API keys and similar strings
grep -E "(api|key|token|secret|password)" app.js
```
Phase 3: Vulnerability Discovery
Common Vulnerability Types
1. Cross-Site Scripting (XSS)
```html
<!-- Reflected XSS -->
https://target.com/search?q=<script>alert(document.domain)</script>

<!-- Stored XSS (e.g. submitted in a comment field) -->
<img src=x onerror=alert(1)>

<!-- DOM-based XSS: parameter → JavaScript → DOM manipulation -->

<!-- Filter bypasses -->
<img src=x onerror=alert(String.fromCharCode(88,83,83))>
<svg onload=alert(1)>
<iframe src="javascript:alert(1)">
```
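To show why the reflected payloads above fire and what the fix looks like, here is an added example (not code from the original post): a constructed stand-in for a search page that concatenates the query into HTML, next to the same page with context-appropriate escaping, plus the triage check a hunter actually performs, namely whether the input comes back in the response unencoded. The `render_search_*` functions and the attribute-breakout payload are assumptions for the demo; the other payloads are the ones listed on the page.

```python
"""Added example (not from the original post): reflected XSS, vulnerable and fixed."""
import html

# Payloads quoted on the page, plus one attribute-context breakout (constructed).
PAYLOADS = [
    "<script>alert(document.domain)</script>",
    "<img src=x onerror=alert(1)>",
    "<svg onload=alert(1)>",
    "' onmouseover='alert(1)",
]


def render_search_unsafe(query: str) -> str:
    # Vulnerable: user input is concatenated straight into the HTML,
    # both in text context (<h1>) and inside a single-quoted attribute.
    return f"<h1>Results for {query}</h1>\n<input name='q' value='{query}'>"


def render_search_safe(query: str) -> str:
    # Fixed: escape for the HTML context before concatenating. quote=True
    # also encodes ' and ", which closes the attribute-breakout case.
    q = html.escape(query, quote=True)
    return f"<h1>Results for {q}</h1>\n<input name='q' value='{q}'>"


def reflected_raw(page: str, payload: str) -> bool:
    """Triage check: the payload reappears byte-for-byte in the response.
    True means the input reached the markup unencoded and the finding is
    worth confirming in a browser; False means it was encoded on the way out."""
    return payload in page


def check_all(render) -> dict:
    """Run every payload through a renderer and report which ones reflect unencoded."""
    return {p: reflected_raw(render(p), p) for p in PAYLOADS}


if __name__ == "__main__":
    for name, fn in (("unsafe", render_search_unsafe), ("safe", render_search_safe)):
        print(name, check_all(fn))
```

The substring check is deliberately simple: it tells you the application did not encode the input, which is the fact a report needs to establish, while the browser is where the actual execution is confirmed. Output encoding has to match the context (HTML body, attribute, JavaScript string, URL); `html.escape` covers the first two, and a templating engine with auto-escaping is the usual fix in a real application.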
2. SQL Injection
```sql
-- Basic tests (tautologies)
' OR '1'='1
" OR "1"="1
' OR 1=1--

-- Union-based
' UNION SELECT NULL,username,password FROM users--

-- Error-based (MySQL syntax)
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT @@version),0x23,FLOOR(RAND()*2))x FROM information_schema.tables GROUP BY x)y)--

-- Blind / time-based (MySQL syntax)
' AND SLEEP(5)--
' AND IF(1=1,SLEEP(5),0)--
```
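The tautology and UNION payloads above only work because the input becomes part of the SQL grammar. The following added example (not from the original post) runs them against a constructed login query in SQLite, first as string concatenation and then as a parameterized query, so the difference is observable offline. The `users` table, the two accounts and the function names are assumptions for the demo; the error-based and `SLEEP()` payloads on the page are MySQL-specific and are not exercised here.

```python
"""Added example (not from the original post): SQL injection, vulnerable and fixed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table with two throwaway accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "hunter2"), ("bob", "s3cret")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    # Vulnerable: the user-controlled strings become part of the SQL statement.
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username: str, password: str) -> list:
    # Fixed: a parameterized query. The driver sends values separately from the
    # statement, so quotes and comment markers are plain data, never syntax.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo() -> dict:
    """Constructed inputs: the page's tautology, and a UNION that reads a column
    the query was never meant to return."""
    conn = make_db()
    tautology = "' OR '1'='1"
    union = "' UNION SELECT password FROM users--"
    return {
        "legit_safe": login_safe(conn, "alice", "hunter2"),
        "tautology_vuln": sorted(login_vulnerable(conn, tautology, tautology)),
        "tautology_safe": login_safe(conn, tautology, tautology),
        "union_vuln": sorted(login_vulnerable(conn, union, "x")),
        "union_safe": login_safe(conn, union, "x"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the vulnerable query the tautology returns every user and the UNION returns the password column; with the parameterized query both return nothing. That contrast is also what a good report shows: the injected input, the observable difference in the response, and the parameterized query as the recommended fix.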
3. Cross-Site Request Forgery (CSRF)
```html
<!-- CSRF PoC -->
<html>
  <body>
    <form action="https://target.com/change-email" method="POST">
      <input type="hidden" name="email" value="attacker@evil.com" />
      <input type="submit" value="Submit" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```
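The PoC above succeeds only when the endpoint relies on nothing but the session cookie, which the browser attaches automatically. This added example (not code from the original post) models that endpoint with a plain dictionary request, then adds a session-bound synchronizer token and shows the forged post being refused while a legitimate same-site post succeeds. The request shape, the server secret and the account data are constructed assumptions.

```python
"""Added example (not from the original post): CSRF, vulnerable and fixed."""
import hashlib
import hmac
import secrets

# Server-side secret, generated once per process here; in production it comes from config.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer-style token derived from the session, so a token issued to
    one session is useless for another and cannot be guessed by a third-party page."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, presented) -> bool:
    if not presented:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), presented)


def change_email_vulnerable(users: dict, request: dict) -> int:
    # Only the session (sent automatically by the browser) is checked,
    # so a cross-site form post from the PoC page is accepted.
    users[request["session"]]["email"] = request["form"]["email"]
    return 200


def change_email_safe(users: dict, request: dict) -> int:
    # The token travels in the form body, which the attacker's page can neither
    # read nor forge, so a cross-site post fails closed.
    if not verify_csrf_token(request["session"], request["form"].get("csrf_token")):
        return 403
    users[request["session"]]["email"] = request["form"]["email"]
    return 200


def demo() -> dict:
    """Replays the page's PoC (a form carrying only an email field), a post with a token
    minted for a different session, and a legitimate post. Accounts are constructed."""
    session = "sess-victim"
    forged = {"session": session, "form": {"email": "attacker@evil.com"}}
    foreign_token = {"session": session,
                     "form": {"email": "attacker@evil.com",
                              "csrf_token": issue_csrf_token("sess-attacker")}}
    legit = {"session": session,
             "form": {"email": "new@example.com", "csrf_token": issue_csrf_token(session)}}

    vuln_users = {session: {"email": "victim@example.com"}}
    safe_users = {session: {"email": "victim@example.com"}}
    return {
        "vuln_status": change_email_vulnerable(vuln_users, forged),
        "vuln_email": vuln_users[session]["email"],
        "safe_forged_status": change_email_safe(safe_users, forged),
        "safe_foreign_token_status": change_email_safe(safe_users, foreign_token),
        "safe_email_after_forgery": safe_users[session]["email"],
        "safe_legit_status": change_email_safe(safe_users, legit),
        "safe_email_after_legit": safe_users[session]["email"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

When testing for CSRF, the evidence a report needs is exactly this: the state-changing request succeeds with the token removed (or with a token from another account), and the change is visible afterwards. `SameSite=Lax` or `Strict` on the session cookie is a useful second layer, and a program will usually ask for it alongside the token in the recommended fix.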
4. Insecure Direct Object Reference (IDOR)
```text
# Accessing other users' data
GET /api/user/123/profile
# Change to:
GET /api/user/124/profile

# Testing for IDOR
# Change IDs, UUIDs, incremental numbers
# Try accessing resources of other users
```
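The `/api/user/<id>/profile` case above comes down to a missing ownership check after authentication. This added example (not code from the original post) models that endpoint in memory, adds the check, and includes a small detection-side monitor, since one session walking many identifiers it does not own is the signature of exactly this kind of testing. The profile store, user names and threshold are constructed assumptions.

```python
"""Added example (not from the original post): IDOR, vulnerable and fixed, plus detection."""
from collections import defaultdict

# Constructed profile store: object ID -> record, including who owns it.
PROFILES = {
    123: {"owner": "alice", "email": "alice@example.com"},
    124: {"owner": "bob", "email": "bob@example.com"},
    125: {"owner": "carol", "email": "carol@example.com"},
}


def get_profile_vulnerable(session_user: str, profile_id: int):
    # Authentication is assumed to have happened; authorization never does,
    # so any logged-in user can read any profile by changing the ID in the URL.
    return PROFILES.get(profile_id)


def get_profile_safe(session_user: str, profile_id: int):
    # Fixed: the record must belong to the caller. Returning the same "not found"
    # answer for missing and foreign IDs avoids confirming which IDs exist.
    record = PROFILES.get(profile_id)
    if record is None or record["owner"] != session_user:
        return None
    return record


class EnumerationMonitor:
    """Detection-side view: a session that is denied on many distinct object IDs
    is walking identifiers, which is worth alerting on."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.denied_ids = defaultdict(set)

    def record(self, session_user: str, profile_id: int, allowed: bool) -> bool:
        """Log one access decision; return True once the session should be flagged."""
        if not allowed:
            self.denied_ids[session_user].add(profile_id)
        return len(self.denied_ids[session_user]) >= self.threshold


def demo() -> dict:
    monitor = EnumerationMonitor(threshold=3)
    flagged = []
    # alice walks IDs 120..126; only 123 is hers.
    for pid in range(120, 127):
        record = get_profile_safe("alice", pid)
        flagged.append(monitor.record("alice", pid, record is not None))
    return {
        "vuln_cross_user": get_profile_vulnerable("alice", 124),
        "safe_cross_user": get_profile_safe("alice", 124),
        "safe_own": get_profile_safe("alice", 123),
        "safe_missing": get_profile_safe("alice", 999),
        "first_flag_index": flagged.index(True) if True in flagged else None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

For the report, the impact is the key detail: a second test account whose data is returned to the first is the clean proof, and it keeps the test within the program's own accounts rather than real users' data.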
5. Server-Side Request Forgery (SSRF)
```text
# Basic SSRF
url=http://localhost:8080/admin
url=http://169.254.169.254/latest/meta-data/

# Bypass filters
url=http://127.1:80/
url=http://[::1]/
url=http://2130706433/   (decimal IP)
```
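The bypass forms above defeat filters that compare hostname strings. This added example (not code from the original post) is a destination validator for a "fetch this URL" feature: it parses literal addresses in all the shorthand forms, resolves names, and rejects anything that is not publicly routable. The resolver is injectable so the demo runs offline against a constructed DNS table; the function names and the table are assumptions.

```python
"""Added example (not from the original post): SSRF destination validation."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def literal_ip(host: str):
    """Parse literal addresses, including the shorthand forms a naive string filter
    misses: inet_aton accepts '127.1', the decimal '2130706433' and hex '0x7f000001'."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(socket.inet_aton(host))
    except OSError:
        return None


def is_internal(ip) -> bool:
    # Everything not routable on the public Internet: loopback, RFC 1918, link-local
    # (169.254.x, where cloud metadata services live), CGNAT, reserved, plus multicast.
    return (not ip.is_global) or ip.is_multicast


def system_resolver(host: str) -> list:
    """Default resolver: every address the name currently resolves to."""
    return [ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)]


def is_safe_url(url: str, resolver=system_resolver) -> bool:
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    ip = literal_ip(parts.hostname)
    targets = [ip] if ip is not None else resolver(parts.hostname)
    # Reject if *any* answer is internal: a name with mixed answers is a rebinding risk.
    return bool(targets) and not any(is_internal(t) for t in targets)


# Constructed DNS table for the offline demo.
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "app.example.com": ["93.184.216.34"],
    "rebind.example.test": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(host: str) -> list:
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]


def demo() -> dict:
    urls = [
        "http://localhost:8080/admin",
        "http://169.254.169.254/latest/meta-data/",
        "http://127.1:80/",
        "http://[::1]/",
        "http://2130706433/",
        "http://rebind.example.test/",
        "https://app.example.com/report.pdf",
        "file:///etc/passwd",
    ]
    return {u: is_safe_url(u, resolver=fake_resolver) for u in urls}


if __name__ == "__main__":
    for url, ok in demo().items():
        print(("allow " if ok else "block ") + url)
```

Two caveats belong in any recommended fix: the check must be applied to the address actually connected to (resolve once and connect to that address, or validate again after each redirect), otherwise DNS rebinding or an open redirect on an allowed host reintroduces the problem; and an allow-list of expected destinations is stronger than a deny-list where the feature permits it.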
Phase 4: Exploitation and Validation
Steps for each vulnerability:
1. Reproduce the issue
   - Document exact steps
   - Test multiple times
   - Verify impact
2. Understand the impact
   - What data can be accessed?
   - What actions can be performed?
   - How many users are affected?
3. Create a proof of concept
   - Clear reproduction steps
   - Screenshots/videos
   - Code samples if needed
4. Calculate severity
   - Use a CVSS calculator
   - Consider business impact
   - Think like the company
Phase 5: Report Writing
Perfect Bug Report Structure
```markdown
## Summary
Brief description of the vulnerability

## Vulnerability Description
Detailed technical explanation

## Steps to Reproduce
1. Go to https://target.com/page
2. Enter payload: <script>alert(1)</script>
3. Submit form
4. Observe XSS execution

## Proof of Concept
[Screenshots or video]
[Code snippets]
[Request/response examples]

## Impact
- Data breach potential
- Account takeover risk
- Business logic bypass

## Affected URLs
- https://target.com/vulnerable-page
- https://target.com/api/endpoint

## Recommended Fix
- Implement input validation
- Use parameterized queries
- Add CSRF tokens

## References
- OWASP link
- CWE link
- Similar bugs
```
Tips for Finding Your First Bug
1. Start Small
Don't aim for the biggest companies first. Start with:
- New programs
- Smaller companies
- Less popular platforms
- Programs with wide scope
2. Focus on One Vulnerability Type
Master one vulnerability class before moving on to others. Recommended for beginners:
- XSS (easiest to find)
- IDOR (good impact)
- Information disclosure
- CSRF
3. Test Thoroughly
- Don't just run automated scanners
- Manual testing finds more bugs
- Test edge cases
- Think creatively
- Try unusual inputs
4. Read Disclosed Reports
Learn from others:
- HackerOne disclosed reports
- Bugcrowd vulnerability database
- Medium articles
- Twitter threads
Understand:
- How they found it
- What they tested
- How they reported it
5. Be Patient and Persistent
Your first bug might take days, weeks, or even months. Don't give up: every hour spent is learning, and skills compound over time.
Common Mistakes to Avoid
1. Testing Out of Scope
Always read the program rules. Out of scope means no bounty and a damaged reputation. Check:
- Allowed domains
- Excluded vulnerabilities
- Testing limitations
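The scope check is easiest to get right when it is enforced by the tooling rather than by memory. This added example (not code from the original post) is a filter that sits between subdomain enumeration and any active tool in the recon pipeline from the Automation Scripts section, so hosts outside the program's scope are never probed. The rule syntax (`*.example.com` wildcards, exact hosts, `!` exclusions), the file name and all hostnames are constructed assumptions; real programs publish scope in their own format, which you would translate into this file.

```python
"""Added example (not from the original post): program scope filter for a recon pipeline."""
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Scope:
    include: tuple
    exclude: tuple

    @classmethod
    def parse(cls, lines) -> "Scope":
        """One rule per line; '#' lines are comments; a leading '!' marks an exclusion."""
        include, exclude = [], []
        for raw in lines:
            rule = raw.strip().lower().rstrip(".")
            if not rule or rule.startswith("#"):
                continue
            if rule.startswith("!"):
                exclude.append(rule[1:])
            else:
                include.append(rule)
        return cls(tuple(include), tuple(exclude))

    @staticmethod
    def _matches(rule: str, host: str) -> bool:
        if rule.startswith("*."):
            # A wildcard covers subdomains only; list the apex separately if it is in scope.
            return host.endswith(rule[1:])
        return host == rule

    def allows(self, host: str) -> bool:
        """Exclusions win over inclusions; anything unmatched is out of scope."""
        host = host.strip().lower().rstrip(".")
        if any(self._matches(r, host) for r in self.exclude):
            return False
        return any(self._matches(r, host) for r in self.include)


def split_hosts(scope: Scope, hosts) -> tuple:
    """Partition enumerated hosts into (in_scope, out_of_scope) lists."""
    in_scope, out_scope = [], []
    for host in hosts:
        (in_scope if scope.allows(host) else out_scope).append(host.strip())
    return in_scope, out_scope


# Constructed scope file and enumeration output for the offline demo.
SAMPLE_RULES = [
    "# program scope (constructed)",
    "*.example.com",
    "example.com",
    "api.example.net",
    "!*.corp.example.com",
    "!status.example.com",
]
SAMPLE_HOSTS = [
    "www.example.com", "example.com", "vpn.corp.example.com", "status.example.com",
    "api.example.net", "cdn.example.net", "example.com.evil.test",
]


def demo() -> tuple:
    return split_hosts(Scope.parse(SAMPLE_RULES), SAMPLE_HOSTS)


if __name__ == "__main__":
    # Usage: subfinder -d example.com | python scope_filter.py scope.txt | httpx
    with open(sys.argv[1]) as fh:
        scope = Scope.parse(fh)
    for line in sys.stdin:
        if scope.allows(line):
            print(line.strip())
```

Note the `example.com.evil.test` case: a suffix match that forgets the leading dot would let a lookalike through, and the apex is deliberately not implied by the wildcard because programs frequently scope them differently. Keep the out-of-scope list too; it is useful evidence if a program later asks what you touched.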
2. Low-Quality Reports
Bad reports get rejected. Include:
- Clear steps
- Impact explanation
- Screenshots
- Professional tone
3. Automated Scanner Reports
- Don't just submit scanner output
- Validate findings manually
- Explain the impact
- Add your own analysis
4. Not Reading Previous Reports
Avoid duplicates. Check:
- Disclosed reports
- Common findings
- Known issues
Building Your Reputation
1. Start with Public Programs
More competitive, but:
- No invitation needed
- Learn the process
- Build your profile
- Get first points
2. Be Professional
Always:
- Be respectful
- Follow the rules
- Communicate clearly
- Accept decisions gracefully
3. Share Knowledge
- Write blog posts
- Create tutorials
- Help other hunters
- Share on Twitter
- Contribute to the community
4. Track Your Progress
Keep records of:
- Reports submitted
- Bounties earned
- Skills learned
- Bugs found per program
Income Expectations
Beginner (Month 1-6)
Realistic expectations:
- First bug: $0-$500
- Monthly: $0-$1,000
- Focus: Learning, not earning
Intermediate (Month 6-12)
With experience:
- Average bug: $500-$2,000
- Monthly: $1,000-$5,000
- Better bug quality
Advanced (12+ months)
Skilled hunters:
- Average bug: $2,000-$10,000
- Monthly: $5,000-$20,000+
- Critical bugs pay more
Success Checklist
- [ ] Complete PortSwigger Academy
- [ ] Set up bug bounty toolkit
- [ ] Choose first program
- [ ] Complete reconnaissance
- [ ] Find first vulnerability
- [ ] Write quality report
- [ ] Submit first report
- [ ] Handle feedback professionally
- [ ] Learn from rejections
- [ ] Find first bounty!
Useful Resources
Communities
- Twitter: Follow #bugbounty, #bugbountytips
- Discord: Join bug bounty servers
- Reddit: r/bugbounty
- Forums: HackerOne community forum
Tools Repositories
GitHub repositories:
- Awesome Bug Bounty
- Awesome Web Security
- PayloadsAllTheThings
- SecLists (wordlists)
Blogs to Follow
- NahamSec.com
- PentesterLand.com
- InfosecWriteups on Medium
- HackerOne Hacktivity
Conclusion
Bug bounty hunting is a marathon, not a sprint. Success comes from:
- Consistent practice
- Continuous learning
- Patience and persistence
- Community engagement
- Professional attitude
Remember: Every expert started as a beginner. Your first bug might be just around the corner!
Ready to start your bug bounty journey? Follow for more tutorials, tips, and security research insights.