How to Get Started into Bug Bounty | Complete Beginner Guide

Pratik Dabhi
Published in InfoSec Write-ups
6 min read · May 1, 2020

Hello guys. After a lot of requests and questions on topics related to bug bounty, such as how to start, how to beat duplicates, what to do after reading a few books, and how to make great reports, I am here with my new updated blog to answer all such questions. I am starting from the basics: prerequisites, then tips and labs, along with report-writing skills. I have also included some of my personally recommended tips and how to write great reports. Hope you all like it.

What is Bug Bounty?

If you go to Google Baba and search "What is Bug Bounty", you will get:

A reward offered to a person who identifies an error or vulnerability in a computer program or system. Identification and reporting of bugs and vulnerabilities in a responsible way.

What to study?

  • Internet, HTTP, TCP/IP
  • Networking
  • Command-line
  • Linux
  • Web technologies, JavaScript, PHP, Java
  • At least 1 programming language (Python/C/Java/Ruby..)
  • OWASP Top 10

Choose your path:

  • Web Pentesting
  • Android Application Pentesting
  • iOS Application Pentesting

Books:

For Web:

  • The Web Application Hacker's Handbook
  • Web Hacking 101
  • Mastering Modern Web Penetration Testing
  • Bug Bounty Playbook
  • Real-World Bug Hunting
  • OWASP Testing Guide

For Mobile:

  • The Mobile Application Hacker's Handbook

YouTube Channels: English

[+]Nahamsec

[+]STÖK

[+]zseano

[+]Hackersploit

https://www.youtube.com/channel/UC0ZTPkdxlAKf-V33tqXwi3Q

[+]Cyber Mentor

[+]InsiderPhD

[+]Farah Hawa

[+]codingo

[+]The XSS rat

[+]Cristi Vlad

[+]Hakluke

[+]Hacking Simplified

[+]Bugcrowd

[+]Hackerone

[+]Hacksplained

[+]RogueSMG

YouTube Channels: Hindi

[+]Bitten Tech

[+]Technical Navigator

Follow these guys on Twitter

[+]nahamsec

https://twitter.com/NahamSec

[+]Jason Haddix

https://twitter.com/jhaddix

[+]zseano

https://twitter.com/zseano

[+]TomNomNom

https://twitter.com/TomNomNom

[+]stokfredrik

https://twitter.com/stokfredrik

[+]Jensec

https://twitter.com/_jensec

[+]cybermentor

https://twitter.com/thecybermentor

[+]Harsh Jaiswal

https://twitter.com/rootxharsh

[+]Rahul Maini

https://twitter.com/iamnoooob

[+]Aditya Shende

https://twitter.com/adityashende17

[+]Harsh Bothra

https://twitter.com/harshbothra_

Write-ups, Articles, Blogs:

[+]Intigriti Bug Bytes

[+]Medium (infosec writeups)

[+]HackerOne Hacktivity

[+]Pentesterland

[+]Security Workbook on Application Security

[+]HowToHunt

Practice:

Practice like you’ve never won, perform like you’ve never lost!

Resources to Learn:

Testing Labs:

  • bWAPP
  • WebGoat
  • PortSwigger Academy
  • PentesterLab
  • BugBountyHunter
  • Pentester Academy
  • TryHackMe
  • Hack The Box

Tools:

  • Burp Suite
  • Nmap
  • DirBuster
  • sqlmap
  • Netcat
  • OWASP ZAP
  • ffuf
  • ProjectDiscovery

Types of Bug Bounty program:

  • Only Hall of Fame
  • Hall of Fame With Certificate of Appreciation
  • HoF with Swags / only Swags
  • Hall of Fame with Bounty
  • Only Bounty

Bug Bounty Platform

Bug Bounty Program:

Open for Signup:

  • HackerOne
  • Bugcrowd
  • HackenProof
  • Bugbountyjp
  • Intigriti
  • Open Bug Bounty

Invite-based Platforms:

  • Synack
  • Yogosha

Points To Remember

Choose wisely (Initially, don’t think about bounties)

Select a bug for the hunt

Exhaustive search

Not always straightforward

Report Writing/Bug Submission:

  • Create a descriptive report.
  • Follow the responsible disclosure policy.
  • Create a PoC and steps to reproduce.

Sample format of the report:

  • Vulnerability Name
  • Vulnerability Description
  • Vulnerable URL
  • Payload
  • Steps to Reproduce
  • Impact
  • Mitigation

Vulnerabilities Priorities:

  • P1 - Critical: Vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote code execution, financial theft, etc.
  • P2 - High: Vulnerabilities that affect the security of the software and impact the processes it supports.
  • P3 - Medium: Vulnerabilities that affect multiple users and require little or no user interaction to trigger.
  • P4 - Low: Vulnerabilities that affect singular users and require interaction or significant prerequisites (MitM) to trigger.
  • P5 - Informational: Non-exploitable vulnerabilities in functionality. Vulnerabilities that are by design or are deemed an acceptable business risk to the customer.

Looking for more programs using Google Dorks

  • inurl:"bug bounty" and intext:"€" and inurl:/security
  • intext:bounty inurl:/security
  • intext:"BugBounty" and intext:"BTC" and intext:"reward"
  • intext:"BugBounty" and inurl:"/bounty" and intext:"reward"

Words of wisdom:

  • PATIENCE IS THE KEY. It takes years to master; don’t fall for overnight success.
  • Do not expect someone to spoon-feed you everything.
  • Confidence
  • Not always for bounty
  • Learn a lot.
  • You won’t find anything at the beginning; don’t lose hope.
  • Stay focused
  • Depend on yourself
  • Stay updated with the InfoSec world

Thanks, everyone, for reading :)

Happy Hacking ;)

Support me if you like my work! Buy me a coffee and follow me on Twitter.

Website:- https://www.pratikdabhi.com/

Instagram:- https://www.instagram.com/i.m.pratikdabhi

Twitter:- https://twitter.com/impratikdabhi

Youtube:- https://www.youtube.com/impratikdabhi
