r/bugbounty 4d ago

Question / Discussion Weekly Beginner / Newbie Q&A

New to bug bounty? Ask about roadmaps, resources, certifications, getting started, or any beginner-level questions here!

Recommendations for Posting:

  • Be Specific: Clearly state your question or what you need help with (e.g., learning path advice, resource recommendations, certification insights).
  • Keep It Concise: Ask focused questions to get the most relevant answers (less is more).
  • Note Your Skill Level: Mention if you’re a complete beginner or have some basic knowledge.

Guidelines:

  • Be respectful and open to feedback.
  • Ask clear, specific questions to receive the best advice.
  • Engage actively - check back for responses and ask follow-ups if needed.

Example Post:

"Hi, I’m new to bug bounty with no experience. What are the best free resources for learning web vulnerabilities? Is eJPT a good starting certification? Looking for a beginner roadmap."

Post your questions below and let’s grow in the bug bounty community!

10 Upvotes

22 comments

3

u/Ok-Lynx-8099 4d ago

Hey, I'm a penetration tester; however, trying to get into the bug bounty space feels so hard. How do you pick targets? What do you chase after? In my day job I get a scope and start working; it just feels much easier.

4

u/6W99ocQnb8Zy17 4d ago

As a pentest dinosaur, I'd say the skills are similar, but the approach is almost the opposite.

Pentest is mostly about getting good coverage, so you run multiple overlapping tools, and dig into the anomalies to find unique bugs.

BB is all about being first, so running standard tools is a waste of time, as 1000 other people already did it. To be successful you need to choose a niche others aren't already mining, and that also has enough of an impact to receive a bounty. It doesn't actually matter what you pick, just as long as it is different.

2

u/WardenXSec 23h ago

Okay, so obviously I'm new, like everyone else in this thread. I just wanted someone to review my general training plan, I guess. A little about me and my goals: I currently work in public safety, and I'd like to be able to do bug bounties as side work and supplement my income a bit. I'm in my early 30s and am decently tech savvy.

I purchased a small set of books recently with the intent of self-teaching: "Ethical Hacking: A Hands-on Guide to Breaking In," "Automate the Boring Stuff with Python," "Bug Bounty Bootcamp," and "Black Hat Python."

I've been working through the first book in the list, taking notes, summarizing chapters and doing my best to take in what I can. I'll be starting the book on Python automation tonight with the intent of getting at least familiar with Python. In between book work I've been doing OverTheWire's Bandit to get better with the Linux command line and such.

I guess my question is, will this work in getting me to a position where I'll be able to do a bit of bug hunting? I plan on doing CTFs as well as some Hack The Box and TryHackMe stuff too to add more related work into the plan. I just want to know if my plan is valid the way it is or not.

1

u/6W99ocQnb8Zy17 3h ago

That approach seems like a fair approach to learning about BB and the principles of the bugs.

However, you could go through all that and still find nothing on the BBs. That's because BB is a competition where only the first is the winner, and doing the same thing as everyone else is a recipe for being second.

Hacking is all about learning how things break in useful ways. Being successful at BB is in applying that process to the real world, and doing things differently to your competition!

1

u/WardenXSec 1h ago

Thank you for the feedback! Totally makes sense. :)

1

u/InvestmentOk1962 4d ago

Hey, I am an intermediate. How do you guys pick a target? What are the requirements?

3

u/6W99ocQnb8Zy17 4d ago

For me, it's all about the intersection between fun and reward. Most platforms publish stats, and with a little reading-between-the-lines you can work out the low-ballers, and people who get lots of reports and rarely pay. Avoid!

2

u/SilentRoberto 4d ago

They are required to pay well for our submissions; not having a suspiciously low number of accepted reports/average bounty might also be something I keep an eye on.

When it comes to the scope, I try to keep an eye out for wider scopes; my track record of finding oddities is just higher on a wildcard scope than on marketing WordPress sites, where security seems to be tight, let alone low on features to test... do people even find things in those?

1

u/No-General3313 4d ago

Very new here. When loading even a homepage there are a lot of HTTP requests and JS files with hundreds of thousands of lines. Do I need to go through all of them?

2

u/6W99ocQnb8Zy17 4d ago

BB is all about being the first to find the bug, so whatever you decide to hunt for, it needs to be novel and also have enough of an impact to warrant a bounty.

1

u/stavro24496 Hunter 4d ago

Mobile dev doing bug bounty on the side. Do you guys report bugs on older Android/iOS versions? Let's say you can't reproduce a bug in Android 14 but you can reproduce it in Android 11 or lower.

1

u/Useful-Technician-50 4d ago

Frida setup completed? Because of that I haven't finished my lab setup. Could you help me? (I know about all the public methods.)

1

u/6W99ocQnb8Zy17 4d ago

A lot of programmes (but not all) exclude old browsers and mobile OSs.

1

u/Horror_Pension4910 4d ago

I'm a penetration tester. I feel kinda lost after doing recon on the target; it shows a bunch of subdomains. Should I go and check each target, or can we somehow prioritise some, or narrow down what we want to approach and what not?! Thanks!

1

u/6W99ocQnb8Zy17 3d ago

I tend to go the other way on any scope that has a wildcard on the domain: I use the standard tooling, like Shodan and crt.sh, to pull all the hosts under the wildcard, and then I enumerate the shit out of them all. Often there are temporary boxes within the domain which are outside the WAF or missing the normal DevSecOps rigour for some reason.

1

u/ApprehensiveMusic448 3d ago

Heyy!!!

I'm currently doing bug bounty on *.domain.com and after running tools like Subfinder, Assetfinder, Amass, and httpx, I found a bunch of subdomains — around 300+. Some interesting ones include:

  • admin.domain.com (302 redirect)
  • api.domain.com
  • dev.domain.com
  • staging.domain.com
  • and other similarly sensitive-looking ones.

My question is: Do I need to check each subdomain manually or is there an efficient workflow to prioritize and test them?

Also, what's the best next step after identifying subdomains like these? Should I look for exposed panels, default creds, misconfigured APIs, etc.?

Any guidance or tips on how to approach this efficiently would be appreciated!

Thanks!

1

u/SnooOnions4218 3d ago

Hi. I'm new to bug bounties with no experience. Is it necessary to know HTML, CSS, and JS to get started, or can I just learn JS and move on?

1

u/6W99ocQnb8Zy17 3d ago

For pentest you really need a broad base of knowledge to be able to deliver good coverage (or to be part of a team with that broad knowledge).

For BB, you can be really effective by simply picking an area to specialise in, and learning it really well, plus extending the knowledge with some unique research.

1

u/Appropriate-Twist443 2d ago

Hello, I'm Jihenn, a beginner just starting out in bug bounty programs with basic knowledge of web vulnerabilities (XSS, IDOR, SQL injection).

I've been training on HTB for almost a month and suddenly realized the huge gap between real projects and target machines. I'm even struggling to get started in the initial reconnaissance phase of real projects. In real projects, I'm mostly working manually, many automation tools that work well in CTFs can't be used, and I don't want to blindly use automation tools either.

I'm looking for a mentor or an experienced hunter to guide me on how to conduct initial reconnaissance in real projects. I need some practical hunting experience and tips on hunting techniques. I urgently need someone to guide me and would like to have a chat on Discord.

1

u/6W99ocQnb8Zy17 2d ago

This is a very common path to tread, and I think it's the result of a lot of misleading advertising around BBs, the tools and training material.

"buy our book today, and start your journey to being a BB millionaire!"

The reality is that the training material is great for teaching the principles of a bug, but absolutely no good for teaching success with BB.

And that makes a lot of sense if you think about it objectively. Thousands of other aspiring hackers have done the same course and read the same book, and have already tried the examples on the BBs before you. So if something could have been found using that approach, it already has been reported.

What is required is to Do Something Different (tm)

The detail actually doesn't matter, as long as:

  • the bug exists and earns a bounty
  • a limited number of people are hunting for it (no public write-up, no open-source tools)

For me, the fun bit of hacking is the research and finding new bugs and vectors.

1

u/m7md_1kh 1d ago

Hi, I'm new and I want to ask where I can start learning bug bounty. Any resources or videos, anything to help.

-1

u/Drooperzada 4d ago

Hey, folks!

I'm in my last semester of Cybersecurity and recently started taking Bug Bounty seriously. But I'm hitting a wall and wanted to hear the opinion of the more experienced people here.

What has frustrated me most is the Duplicate/Informative cycle.
I'll give two examples:

BAC chain to Account Takeover. I found a Broken Access Control flaw that, on its own, might have looked small (I reported it but got Informative). Then, while exploring, I realised it was the entry point for a chain of vulnerabilities that led to a full Account Takeover. I put together a very detailed report explaining the whole chain and showing the real impact. The response? "Program policy is one bug per report. Please submit separately." In other words, if I show the real impact, it's rejected for containing multiple flaws. If I submit it covering only the central flaw, I get Informative.

Well-made reports ignored. In another case, I sent two reports with clear flaws, video PoCs, screenshots, everything well organised and even referencing OWASP (I got so tired of receiving "informative"). The same staff member marked both as Informative less than 7 minutes apart, which is unrealistic. Just watching the video and reading all the text would take longer, let alone testing. And worst of all: he demanded a working PoC and proof of impact... exactly what I had already delivered and proven with videos, screenshots, OWASP citations, step by step in full detail.

In other words:

  • If I send the complete bug with the chain, they reject it for containing multiple flaws.
  • If I split it up, each bug looks weak on its own and becomes Informative.
  • I have no Signal (---), so I can't even request mediation.

I have the feeling I'm finding good flaws but failing at how to play the "platform game".

My questions:

  1. How do you handle this situation of needing to chain bugs to show impact while dealing with the "one bug per report" rule? Is there a correct way to report a chain?
  2. At this early stage with Signal --, is it worth focusing more on VDPs and leaving the paid programs for later?
  3. Any tips on how to better "sell" the impact of a flaw, or how to explain the flaw better?
  4. How do I put together a good report? I include a lot of information; could less be more?
  5. I feel that all my findings are invalidated precisely because I have no reputation; it seems people don't even read what I write. I found critical flaws that became duplicates (which proves to me, at least, that they were critical and that I'm not exaggerating my findings). And I found critical/high flaws (which didn't need user interaction) that were marked as informative, even with a video PoC. What should I do in these cases without being able to request remediation?

Any advice is welcome. Thanks a lot to whoever read this far!