What do We Need to Know to do bug bounty?

This is all about sharing what I learn…

  1. ***What is bug bounty?***Identification and reporting of bugs and vulns in a responsible way. It all depends on interest and hard work, not on degree, age, branch, college, etc…
  2. What to study : Internet,HTTP, TCP/IP Networking Command-line Linux Web technologies, Javascript, PHP, JAVA, ASP, etc…At least 1 programming language(Python/C/JAVA/Ruby..)
  3. Choose your path Web app, Mobile app, Desktop apps, Networking
  4. BOOKS : Web application hacker’s handbook, Mobile application hacker’s handbook, Hacker’s playbook 1,2,3, Hacking art of exploitation, Mastering modern web pen-testing, OWASP Testing guide.
  5. Learning Channel for programming : Thenewboston, Codeacademy, EDX, Learntocode with Lynda.
  6. Learning Channel for Hacking : BugCrowd, HackerOne, LiveOverflow, Hackersploit, Thexssrat, INSIDERPHD, John Hammond, Nahamsec, STOK And So on…
  7. Writeups, Articles, BlogsMedium (infosec writeups), HackerOne public reports, owasp.org, Portswigger.com, Reddit(Netsec), DEFCON Conference Videos, BlackHat Conference Videos, etc…
  8. Practice — Tools Burpsuite, Nmap, Dirsearch/GoBuster, assertfinder, httprobe, meg, fff, ffuf, aquatone/eyewitness, Netcat, masscan, Anslookup
  9. Practice — Labs DVWAb, WAPP, Vulnhub.com, Hack the box, Portswigger.com, tryhackme.com
  10. Start selecting platform HackerOne, BugCrowd, Open bug bounty, Zerocopter, Antihack, Synack(private),intigriti.com, digivante.com
  11. Report:Create a descriptive report Follow responsible disclosure Create POC and Steps to reproduce

“TIP: Choose wisely (first not for bounty), Select a bug for the hunt, Exhaustive search, Not straightforward always…”

An independent information security researcher and consultant https://yasiransari.me