Open in app

Sign in

Write

Sign in

Bug Bounty Beginner’s Roadmap

Mr. Saaho
5 min readJun 20, 2023

--

Hi! I’m Abhishek Kumar Sahu. I am writing this for everyone to contribute to guiding young and enthusiastic minds to start their career in bug bounties. More content will be added regularly. Keep following. So let’s get started!

NOTE: The bug bounty landscape has changed in the last few years. The issues we used to find quickly a year ago would not be easy now. Automation is being used rigorously and most of the “low-hanging fruits” are being duplicated if you are out of luck. If you want to start doing bug bounty, you will have to be determined to be consistent and focused, as the competition is very high.

Introduction-

What is a bug?

  • Security bug or vulnerability is “a weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, OR availability.

What is Bug Bounty?

  • A bug bounty or bug bounty program is IT jargon for a reward or bounty program given for finding and reporting a bug in a particular software product. Many IT companies offer bug bounties to drive product improvement and get more interaction from end users or clients. Companies that operate bug bounty programs may get hundreds of bug reports, including security bugs and security vulnerabilities, and many who report those bugs stand to receive awards.

What is the Reward?

  • There are all types of rewards based on the severity of the issue and the cost to fix. They may range from real money (most prevalent) to premium subscriptions (Prime/Netflix), discount coupons (for e-commerce of shopping sites), gift vouchers, and swags (apparel, badges, customized stationery, etc.). Money may range from 50$ to 50,000$ and even more.

What to learn?

Technical-

Computer Fundamentals

Computer Networking

Operating Systems

Command Line-

Windows:

Linux:

Programming-

C:

Python:

JavaScript:

PHP:

Where to learn from?

Books-

Writeups-

Blogs and Articles-

Forums-

Official Websites-

YouTube Channels-

English:

Hindi:

Join Twitter Today!

World-class security researchers and bug bounty hunters are on Twitter. Where are you? Join Twitter now and get daily updates on new issues, vulnerabilities, zero days, and exploits, and join people sharing their methodologies, resources, notes, and experiences in the cybersecurity world!

PRACTICE! PRACTICE! and PRACTICE!

CTF-

Online Labs-

Offline Labs-

Bug Bounty Platforms

Crowdsourcing-

Individual Programs-

Bug Bounty Report Format

Title-

  • The first impression is the last impression, the security engineer looks at the title first and he should be able to identify the issue.
  • Write about what kind of functionality you can able to abuse or what kind of protection you can bypass. Write in just one line.
  • Include the Impact of the issue in the title if possible.

Description-

  • This component provides details of the vulnerability, you can explain the vulnerability here, and write about the paths, endpoints, and error messages you got while testing. You can also attach HTTP requests and vulnerable source code.

Steps to Reproduce-

  • Write the stepwise process to recreate the bug. It is important for an app owner to be able to verify what you’ve found and understand the scenario.
  • You must write each step clearly in order to demonstrate the issue. that helps security engineers to triage fast.

Proof of Concept-

  • This component is the visual of the whole work. You can record a demonstration video or attach screenshots.

Impact-

  • Write about the real-life impact, How an attacker can take advantage if he/she successfully exploits the vulnerability.
  • What type of possible damages could be done? (avoid writing about the theoretical impact)
  • Should align with the business objective of the organization

Sample Report-

Some additional Tips

  1. Don’t do bug bounty as a full-time in the beginning (although I suggest don’t do it full-time at any point). There is no guarantee to get bugs every other day, there is no stability. Always keep multiple sources of income (bug bounty not being the primary).
  2. Stay updated, learning should never stop. Join Twitter, follow good people, and maintain the curiosity to learn something new every day. Read writeups, and blogs and keep expanding your knowledge.
  3. Always see bug bounty as a medium to enhance your skills. Money will come only after you have the skills. Take money as a motivation only.
  4. Don’t be dependent on automation. You can’t expect a tool to generate money for you. Automation is everywhere. The key to success in Bug Bounty is to be unique. Build your own methodology, learn from others, and apply it on your own.
  5. Always try to escalate the severity of the bug, Keep a broader mindset. An RCE always has a higher impact than an arbitrary file upload.
  6. It’s not necessary that a vulnerability will be rewarded based on the industry-defined standard impact. The asset owners rate the issue with a risk rating, often calculated as impact * likelihood (exploitability). For example, an SQL Injection by default has a Critical impact, but if the application is accessible only inside the organization VPN and doesn’t contain any user data/PII in the database, the likelihood of the exploitation is reduced, and so does the risk.
  7. Stay connected to the community. Learn and contribute. There is always someone better than you in something. don’t miss an opportunity to network. Join forums, go to conferences and hacking events, meet people, and learn from their experiences.
  8. Always be helpful.
Bug Bounty
Bug Bounty Tips
Bug Bounty Writeup
Ethical Hacking
Cybersecurity

--

--

Mr. Saaho

Written by Mr. Saaho

638 Followers

A NEET aspirant who drops his father’s dream to become an Ethical Hacker and Pursue his entire Education Abroad.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams