Hello, this is Nithin here. I’m a security researcher / enthusiast and I go by the handle @thebinarybot at most of the places online.
In this article, I'm going to cover the DOs and DON'Ts when starting in Bug Bounty. As the title hints, this article is aimed at beginners who are just venturing into this field.
When it comes to bug bounties, you would mostly start with web application hacking to earn $$$$. Given that you're starting with web application hacking, you are expected to know the basics of how web applications and the internet function to make the most of your hacking journey. Of course, you can just use payloads crafted by others and spray them on all parameters, but that is not going to do you any good in the long term, let alone the short. If you ask me where you can learn the basics, I would shamelessly ask you to visit my blog, where I have covered almost everything you need to know before getting started. Check out the basics here.
Now that you know the basics, you need a wider understanding of how everything connects. Loosely speaking, it is actually okay if you only know the OWASP Top 10 and choose an easy-to-hunt vulnerability class like IDOR or authentication vulnerabilities. But if you look for only one type of vulnerability, you might miss others that still exist. Ideally, it is best to develop a hacker mindset and question the platform you're hunting on. If there's a profile picture upload functionality, ask yourself what happens if I upload anything but a picture. Ask yourself whether others can see my profile picture despite the visibility being set to private. Basically, ask yourself a lot of questions and experiment a lot. This way, you'll develop a mental model of the entire application you're testing, which will definitely help you in the long run.
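To make those two "ask yourself" questions concrete from the defender's side, here is an added example (not code from the original post) of the two server-side controls that should answer them: content sniffing on the upload so that only real images are stored, and an object-level authorization check so that a private picture is served only to its owner. The function names, the `Profile` model and the sample inputs are assumptions constructed for this illustration.

```python
from dataclasses import dataclass

# Magic bytes for the image types we choose to accept. Checking the real
# content instead of the filename extension or the client-supplied
# Content-Type is what stops "anything but a picture" being stored as one.
IMAGE_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

def detect_image_type(data: bytes):
    """Return the MIME type if the bytes start with a known image signature, else None."""
    for mime, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return mime
    return None

def validate_upload(declared_type: str, data: bytes, max_bytes: int = 2_000_000):
    """Accept the upload only when size, declared type and actual content all agree."""
    if len(data) == 0 or len(data) > max_bytes:
        return False, "bad size"
    actual = detect_image_type(data)
    if actual is None:
        return False, "not an image"
    if actual != declared_type:
        return False, "declared type does not match content"
    # The stored filename is never taken from the client; only the sniffed type matters.
    return True, actual

@dataclass
class Profile:  # hypothetical model: who owns the picture and whether it is private
    owner_id: int
    picture_private: bool

def can_view_picture(viewer_id, profile: Profile) -> bool:
    """Object-level authorization: a private picture is visible to its owner only."""
    if not profile.picture_private:
        return True
    return viewer_id is not None and viewer_id == profile.owner_id

# Constructed sample inputs: a text blob that merely claims to be a PNG, and a real PNG header.
FAKE_PNG = b"this is not an image at all"
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
```

Anything a tester could upload or request maps to one of these branches, so a rejected fake upload or a denied cross-user request is exactly the behaviour you would expect to see on a well-built target.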
Okay, now that we have the required knowledge, we need to understand which platform to choose to hunt on. When starting, I was under the impression that a small-scope program would not have many people testing it and that I could find bugs easily. But that's a big misconception. If you wish to know how to choose a proper program to hunt on, click here.
Do not ever report a scanner finding without verifying it and proving an impact. Copy-pasting scanner output will irritate the triager and is definitely not something you'd get away with.
Do not spray and pray; rather, spray at the prey. What I mean is, don't just blindly do things because anything can be vulnerable. It is true that anything can be vulnerable, but if you choose your prey (i.e. a weak spot such as an oddly named parameter, a seemingly insecure endpoint, etc.) and hunt on it, then your chances of getting that first bounty are huge.
Do not expect a reward for every report that you submit. I have this mindset where I assume that, 99% of the time, the report is going to be a duplicate and I won't make anything. This is a counter-intuitive trick that makes me hack more instead of just sitting and waiting for triage to respond with my report status.
I have been creating content related to Cybersecurity / Bug Bounty Hunting for a while now. Although not necessary, it would mean the world to me if you decide to support me by buying me a book here. This would not just help me but also the community as I will be able to create more quality content the more I read.