What is Bug Bounty


What is bug bounty?

Identification and reporting of bugs and vulnerabilities in a responsible way. It all depends on interest and hard work, not on degree, age, branch, college, etc.

What to study?

  • Internet, HTTP, TCP/IP
  • Networking
  • Command line
  • Linux
  • Web technologies: JavaScript, PHP, Java
  • At least one programming language (Python/C/Java/Ruby...)

Choose your path (important)

  • Web pentesting
  • Mobile pentesting

Resources

Desktop apps resources

Books for web

  • The Web Application Hacker's Handbook
  • Web Hacking 101
  • The Hacker Playbook 1, 2, 3
  • Hacking: The Art of Exploitation
  • Mastering Modern Web Penetration Testing
  • OWASP Testing Guide

For mobile

  • The Mobile Application Hacker's Handbook

YouTube channels

Hacking

  • LiveOverflow
  • HackerSploit
  • Bugcrowd
  • Hak5
  • HackerOne

Programming

  • thenewboston
  • Codecademy

Writeups, articles, blogs

  • Medium (InfoSec Write-ups)
  • HackerOne public reports
  • owasp.org
  • PortSwigger
  • Reddit (r/netsec)
  • DEF CON conference videos
  • Forums

Practice (important)

Tools

  • Burp Suite
  • Nmap
  • DirBuster
  • Sublist3r
  • Netcat

Testing labs

  • DVWA
  • bWAPP
  • Vulnhub
  • Metasploitable
  • CTF365
  • Hack The Box

Start!

Select a platform

  • HackerOne
  • Bugcrowd
  • Open Bug Bounty
  • Zerocopter
  • Antihack
  • Synack (private)

Choose wisely (at first, not for the bounty)

  • Select a bug class to hunt for
  • Search exhaustively
  • It is not always straightforward

Report:

  • Write a descriptive report
  • Follow responsible disclosure
  • Include a proof of concept and steps to reproduce

Words of wisdom

  • PATIENCE IS THE KEY: it takes years to master, so don't fall for overnight success stories
  • Do not expect someone to spoon-feed you everything
  • Be confident
  • It is not always about the bounty
  • Learn a lot
  • You won't find bugs at the beginning; don't lose hope
  • Stay focused
  • Depend on yourself
  • Stay updated with the infosec world
