What is bug bounty?
Identification and reporting of bugs and vulns in a responsible way. All depends on interest and hardwork, not on degree, age, branch, college, etc.
What to study?
- Internet, HTTP, TCP/IP
- Networking
- Command line
- Linux
- Web technologies, javascript, php, java
- At least 1 programming language (Python/C/JAVA/Ruby..)
Choose your path (imp)
- Web pentesting
- Mobile pentesting
Resources
Desktop apps Resources
Books For web
- Web app hackers handbook
- Web hacking 101
- Hacker’s playbook 1,2,3
- Hacking art of exploitation
- Mastering modern web pen testing
- OWASP Testing guide
For mobile
- Mobile application hacker’s handbook
YouTube channels
- Hacking
- Live Overflow
- Hackersploit
- Bugcrowd
- Hak5
- Hackerone
- Programming
- thenewboston
- codeacademy
Writeups, Articles, blog
- Medium (infosec writeups)
- Hackerone public reports
- owasp.org
- Portswigger
- Reddit (Netsec)
- DEFCON conference videos
- Forums
Practice (imp)
Tools
- Burpsuite
- nmap
- dirbuster
- sublist3r
- Netcat
Testing labs
- DVWA
- bWAPP
- Vulnhub
- Metasploitable
- CTF365
- Hack the box
Start!
Select a platform
- Hackerone
- Bugcrowd
- Open bug bounty
- Zerocopter
- Antihack
- Synack (private)
Choose wisely (first not for bounty)
- Select a bug for hunt
- Exhaustive search
- Not straightforward always REPORT:
- Create a descriptive report
- Follow responsible disclosure
- Create POC and steps to reproduce
Words of wisdom
- PATIENCE IS THE KEY, takes years to master, don’t fall for overnight success
- Do not expect someone will spoon feed you everything.
- Confidence
- Not always for bounty
- Learn a lot
- Won’t find at the beginning, don’t lose hope
- Stay focused
- Depend on yourself
- Stay updated with infosec world