How to Be Bug Bounty Hunters And started with Bug Bounty

How to Get Started into Bug Bounty

Hello guys,

          After an abundance of requests and questions on topics cognates to Bug Bounty like how to commence, how to beat duplicates, what to do after reading a few books, how to make great reports. I am here with my incipient Updated Blog and answering all of such questions. 

      I am commencing from fundamental as prerequisites to tips and labs along with report inditing skills. I have additionally included some of my personally recommend tips and how to inscribe great reports. Hope you all like it.

What is Bug Bounty? 

If you will search in google and google will say

A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

 In short hacker tag with white collar to earn money

What to study?

• Internet, HTTP, TCP/IP
• Networking
• Command-line
• Linux
• Web technologies, java-script, PHP, java
• At least 1 programming language (Python/C/JAVA/Ruby..)
• Owasp top 10

Choose Your Path:

• Web Pentesting
• Android Application Pentesting
• iOS Application Pentesting

Books:

For Web:

• Web app hackers handbook
• Web hacking 101
• Mastering modern web pen testing
• Bug Bounty Playbook
• Real-World Bug Hunting
• OWASP Testing Guid

YouTube Channels:English

• [+]Nahamsec

Nahamsec creates educational hacking videos for anyone with an interest in web application hacking with a focus on bug…

https://youtube.com/c/Nahamsec

• [+]STÖK

Hackers gonna hack creators GONNA CREATE Support my work: Join me on Patreon! https://www.patreon.com/stokfredrik…

https://youtube.com/c/STOKfredrik

• [+]Zseano

Hey i’m Sean aka @zseano. I am a self-taught hacker & also programmer. I run a website called BugBountyHunter.com which…

https://youtube.com/c/zseano

• [+]Hackersploit

https://www.youtube.com/channel/UC0ZTPkdxlAKf-V33tqXwi3Q

• [+]Cyber Mentor

I’m a hacker by trade, but this channel will contain various lessons and even off-topic stuff from time to time.

https://youtube.com/c/TheCyberMentor

• [+]InsiderPhD

PhD (Def&Sec) Student investigating Insider Threats using Natural Language Processing at Cranfield University. BSc in…

https://youtube.com/c/InsiderPhD

• [+]Farah Hawa

Farah Hawa

Hi! Welcome to my channel. Join me as I learn new things everyday and share useful resources as I move along in my…

https://youtube.com/c/FarahHawa

• [+]codingo

Instructional videos on Information Security, and bug bounties by a top 20 bug hunter, ex penetration tester and now…

https://youtube.com/c/codingo

• [+]The XSS rat

The XSS rat

Hello everyone! I’m a full time dad and part time bug bounty hunter. My day job is mostly QA/QC but my heart is at…

https://youtube.com/c/TheXSSrat

• [+]Cristi Vlad

Cybersecurity Analyst | OSCP 

Disclaimer: If you engage in penetration…

https://youtube.com/c/CristiVladZ

• [+]Hakluke

hakluke

Dad, husband, computer hacker, life hacker, growth fanatic.

HTTPS://youtube.com/c/hakluke

• [+]Hacking Simplified

Hacking Simplified

Wanted to learn about hacking and cybersecurity? You’re at the right place.

https://youtube.com/channel/UCARsgS1stRbRgh99E63Q3ng

• [+]Bugcrowd

Learn more about security, testers, and the bug bounty through Bugcrowd’s official YouTube Channel. Bugcrowd provides…

https://youtube.com/c/Bugcrowd

• [+]Hackerone

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities…

www.youtube.com

• [+]Hacksplained

Hacksplained

Hacksplained = Hacking Explained! Hacksplained is here for you to give you practical guidance on hacking in order to…

www.youtube.com

• [+]RougeSMG

Let’s get Hackin’👨‍💻

https://youtube.com/c/RogueSMG

YouTube Channels:Hindi

• [+]Bitten Tech

This is Ansh Bhawnani from India. I’m an aspiring learner of ethical hacking and technology and try to share whatever I…

https://youtube.com/c/BittenTech

• [+]Technical Navigator

Technical Navigator

Hey guys welcome to “Technical Navigator” my name is Nitesh Singh. I am a RHCSA ,Certified Ethical Hacker (CEH), Web…

https://youtube.com/c/TechnicalNavigator

• [+]Spin The Hack

https://youtube.com/c/SpinTheHack

Write-ups, Articles, Blogs:

• [+]Intigriti Bug Bytes

bugbytes Archives — Intigriti

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem…

blog.intigriti.com

• [+]Medium (infosec writeups)

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub…

medium.com

• [+]HackerOne Hack activity

hackerone.com

• [+]Pentesterland

pentester.land

• [+]Security Workbook on Application Security

Security Workbook on Application Security

Here’s a small collection of resources on Application Security, This work is still in progress, will be completed soon…

info.ninadmathpati.com

• [+]HowToHunt

KathanP19/HowToHunt

Some Tutorials and Things to Do while Hunting Particular Vulnerability. Note: You Can Help Me Complete This List By…

github.com

Resources to Learn

Testing Labs:

• bWAPP
• Webgoat
• PortSwigger Academy

Tools:

• Burpsuite
• Nmap
• dirt buster
• Sqlmap
• Netcat
• OwaspZap
• Ffuf
• Project Discovery

Types of Bug Bounty program:

• Only Hall of Fame
• Hall of Fame With Certificate of Appreciation
• HoF with Swags / only Swags
• Hall of Fame with Bounty
• Only Bounty
• Bug Bounty Program:
• Open For Signup
• Hackerone
• Bugcrowd
• hackenproof
• Bugbountyjp
• Intigriti
• Open Bug Bounty

Report Writing/Bug Submission:

1. Create a descriptive report.
2. Follow responsible disclosure policy.
3. Create POC and steps to reproduce
4. Sample format of the report:
5. Vulnerability Name
6. Vulnerability Description
7. Vulnerable URL
8. Payload
9. Steps to Reproduce
10. Impact
11. Mitigation

Vulnerabilities Priorities:

P1 -Critical: Vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote code execution, financial theft, etc.

P2 -High: Vulnerabilities that affect the security of the software and impact the processes it supports.

P3 -Medium: Vulnerabilities that affect multiple users and require little or no user interaction to trigger.

P4 -Low: Vulnerabilities that affect singular users and require interaction or significant prerequisites to trigger (MitM) to trigger.

P5 -Informational: Non-exploitable vulnerabilities in functionality. Vulnerabilities that are by design or are deemed an acceptable business risk to the customer.

Looking for more programs using Google Dorks

inurl:”bug bounty” and intext:”€” and inurl:/security

intext:bounty inurl:/security

intext:”BugBounty” and intext:”BTC” and intext:”reward“

intext:”BugBounty” and inurl:”/bounty” and intext:”reward

Words of wisdom:

• PATIENCE IS THE KEY, takes years to master, don’t fall for overnight success
• Do not expect someone will spoon feed you everything.
• Confidence
• Not always for bounty
• Learn a lot.
• Won’t find at the beginning, don’t lose hope
• Stay focused
• Depend on yourself
• Stay updated with InfoSec world 

Thanks 😊