How to Get Started into Bug Bounty
Hello guys,
After an abundance of requests and questions on topics cognates to Bug Bounty like how to commence, how to beat duplicates, what to do after reading a few books, how to make great reports. I am here with my incipient Updated Blog and answering all of such questions.
I am commencing from fundamental as prerequisites to tips and labs along with report inditing skills. I have additionally included some of my personally recommend tips and how to inscribe great reports. Hope you all like it.
 |
What is Bug Bounty?
If you will search in google and google will say
A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.
In short hacker tag with white collar to earn money
What to study?
- Internet, HTTP, TCP/IP
- Networking
- Command-line
- Linux
- Web technologies, java-script, PHP, java
- At least 1 programming language (Python/C/JAVA/Ruby..)
- Owasp top 10
Choose Your Path:
- Web Pentesting
- Android Application Pentesting
- iOS Application Pentesting
Books:
For Web:
- Web app hackers handbook
- Web hacking 101
- Mastering modern web pen testing
- Bug Bounty Playbook
- Real-World Bug Hunting
- OWASP Testing Guid
YouTube Channels:English
- [+]Nahamsec
https://youtube.com/c/Nahamsec
- [+]STÖK
Hackers gonna hack creators GONNA CREATE Support my work: Join me on Patreon! https://www.patreon.com/stokfredrik…
https://youtube.com/c/STOKfredrik
- [+]Zseano
Hey i’m Sean aka @zseano. I am a self-taught hacker & also programmer. I run a website called BugBountyHunter.com which…
https://youtube.com/c/zseano
- [+]Hackersploit
https://www.youtube.com/channel/UC0ZTPkdxlAKf-V33tqXwi3Q
- [+]Cyber Mentor
I’m a hacker by trade, but this channel will contain various lessons and even off-topic stuff from time to time.
https://youtube.com/c/TheCyberMentor
- [+]InsiderPhD
PhD (Def&Sec) Student investigating Insider Threats using Natural Language Processing at Cranfield University. BSc in…
https://youtube.com/c/InsiderPhD
- [+]Farah Hawa
Farah Hawa
Hi! Welcome to my channel. Join me as I learn new things everyday and share useful resources as I move along in my…
https://youtube.com/c/FarahHawa
- [+]codingo
Instructional videos on Information Security, and bug bounties by a top 20 bug hunter, ex penetration tester and now…
https://youtube.com/c/codingo
- [+]The XSS rat
The XSS rat
Hello everyone! I’m a full time dad and part time bug bounty hunter. My day job is mostly QA/QC but my heart is at…
https://youtube.com/c/TheXSSrat
- [+]Cristi Vlad
Cybersecurity Analyst | OSCP
Disclaimer: If you engage in penetration…
https://youtube.com/c/CristiVladZ
- [+]Hakluke
hakluke
Dad, husband, computer hacker, life hacker, growth fanatic.
https://youtube.com/c/hakluke
- [+]Hacking Simplified
Hacking Simplified
Wanted to learn about hacking and cybersecurity? You’re at the right place.
https://youtube.com/channel/UCARsgS1stRbRgh99E63Q3ng
- [+]Bugcrowd
Learn more about security, testers, and the bug bounty through Bugcrowd’s official YouTube Channel. Bugcrowd provides…
https://youtube.com/c/Bugcrowd
- [+]Hackerone
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities…
www.youtube.com
- [+]Hacksplained
Hacksplained
Hacksplained = Hacking Explained! Hacksplained is here for you to give you practical guidance on hacking in order to…
www.youtube.com
- [+]RougeSMG
Let’s get Hackin’👨💻
https://youtube.com/c/RogueSMG
- [+]Bitten Tech
This is Ansh Bhawnani from India. I’m an aspiring learner of ethical hacking and technology and try to share whatever I…
https://youtube.com/c/BittenTech
- [+]Technical Navigator
Technical Navigator
Hey guys welcome to “Technical Navigator” my name is Nitesh Singh. I am a RHCSA ,Certified Ethical Hacker (CEH), Web…
https://youtube.com/c/TechnicalNavigator
- [+]Spin The Hack
https://youtube.com/c/SpinTheHack
Write-ups, Articles, Blogs:
- [+]Intigriti Bug Bytes
bugbytes Archives — Intigriti
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem…
blog.intigriti.com
- [+]Medium (infosec writeups)
InfoSec Write-ups
A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub…
medium.com
- [+]HackerOne Hack activity
hackerone.com
- [+]Pentesterland
pentester.land
- [+]Security Workbook on Application Security
Security Workbook on Application Security
Here’s a small collection of resources on Application Security, This work is still in progress, will be completed soon…
info.ninadmathpati.com
- [+]HowToHunt
KathanP19/HowToHunt
Some Tutorials and Things to Do while Hunting Particular Vulnerability. Note: You Can Help Me Complete This List By…
github.com
Resources to Learn
Testing Labs:
- bWAPP
- Webgoat
- PortSwigger Academy
Tools:
- Burpsuite
- Nmap
- dirt buster
- Sqlmap
- Netcat
- OwaspZap
- Ffuf
- Project Discovery
Types of Bug Bounty program:
- Only Hall of Fame
- Hall of Fame With Certificate of Appreciation
- HoF with Swags / only Swags
- Hall of Fame with Bounty
- Only Bounty
- Bug Bounty Program:
- Open For Signup
- Hackerone
- Bugcrowd
- hackenproof
- Bugbountyjp
- Intigriti
- Open Bug Bounty
Report Writing/Bug Submission:
- Create a descriptive report.
- Follow responsible disclosure policy.
- Create POC and steps to reproduce
- Sample format of the report:
- Vulnerability Name
- Vulnerability Description
- Vulnerable URL
- Payload
- Steps to Reproduce
- Impact
- Mitigation
Vulnerabilities Priorities:
P1 -Critical: Vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote code execution, financial theft, etc.
P2 -High: Vulnerabilities that affect the security of the software and impact the processes it supports.
P3 -Medium: Vulnerabilities that affect multiple users and require little or no user interaction to trigger.
P4 -Low: Vulnerabilities that affect singular users and require interaction or significant prerequisites to trigger (MitM) to trigger.
P5 -Informational: Non-exploitable vulnerabilities in functionality. Vulnerabilities that are by design or are deemed an acceptable business risk to the customer.
Looking for more programs using Google Dorks
inurl:”bug bounty” and intext:”€” and inurl:/security
intext:bounty inurl:/security
intext:”BugBounty” and intext:”BTC” and intext:”reward“
intext:”BugBounty” and inurl:”/bounty” and intext:”reward
Words of wisdom:
- PATIENCE IS THE KEY, takes years to master, don’t fall for overnight success
- Do not expect someone will spoon feed you everything.
- Confidence
- Not always for bounty
- Learn a lot.
- Won’t find at the beginning, don’t lose hope
- Stay focused
- Depend on yourself
- Stay updated with InfoSec world