Getting started in bugbounties


  So you've begun learning how to hack, but now you want to apply this knowledge and get started in bugbounties. This guide will take you through understanding what bugbounties are, what to expect and how to start straight away from the comfort of your own home!

What exactly is a BugBounty program? — and understanding why you want to start doing bugbounties


A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse.


Pretty clear, right? Companies set up a bugbounty program and supply information about what they want researchers to poke at; if you find a valid vulnerability, you report it to them and hope to receive a reward in return. Companies can choose to reward you with points on bugbounty platforms, swag, or even money.

BugBounties are a great way for companies to work with talented researchers from across the world, but before starting bugbounties you need to learn the difference between the different types of programs and then ask yourself "why do I want to do bugbounties?". Do you plan on doing this full time or just on the side?

Getting a clear view of why you want to start bugbounties will help you achieve your goals a lot quicker and become the creator of your own success. Why are we recommending this? Because bugbounties are growing at a rate of 143% year after year according to reports, companies are using them for a variety of different reasons, and researchers are also participating for a variety of different reasons.


Different types of programs



Finding bugbounty programs


There are lots of BugBounty platforms out there and we suggest bookmarking https://github.com/gwen001/BB-datas which contains a list of platforms, maintained by Gwendal Le Coguic.

For those not wanting to participate on bugbounty platforms, we suggest using Google to find companies with bugbounty programs. Using search terms such as "domain.com vulnerability disclosure program", "[email protected]", "domain.com bugbounty program" and "report domain.com security vulnerability" can help you discover companies prepared to work with researchers away from platforms.

Failing that, you can always check whether a security.txt file exists on the given domain.
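As an added example (not part of the original guide), a small Python checker for that file: it lists the paths where a site publishes it, parses the fields in the RFC 9116 format, and reports a missing Contact entry or a missing or stale Expires entry. The sample text and example.com are constructed placeholders.

```python
# Added example (not from the original guide): parse a security.txt file
# in the RFC 9116 format and flag the problems a reporter should notice.
# example.com and the sample text below are constructed placeholders.
from datetime import datetime, timezone

# Where a site publishes the file: the well-known path, then the legacy fallback.
SECURITY_TXT_PATHS = ("/.well-known/security.txt", "/security.txt")

SAMPLE_SECURITY_TXT = """\
# Constructed sample; a real file is published by the site owner
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2099-12-31T23:59:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/disclosure-policy
Preferred-Languages: en, fr
"""

def candidate_urls(domain):
    """URLs to fetch for a domain, in the order RFC 9116 prefers."""
    return [f"https://{domain}{path}" for path in SECURITY_TXT_PATHS]

def parse_security_txt(text):
    """Return {field: [values]}; names are case-insensitive, fields may repeat."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank, comment, or malformed line: no data
        name, value = line.split(":", 1)  # values may contain ':' (mailto:)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    if "contact" not in fields:
        problems.append("missing required Contact field")
    if "expires" not in fields:
        problems.append("missing required Expires field")
    elif len(fields["expires"]) != 1:
        problems.append("Expires must appear exactly once")
    else:
        # Normalise a trailing Z/z to an offset so fromisoformat accepts it
        expires = datetime.fromisoformat(fields["expires"][0].upper().replace("Z", "+00:00"))
        if expires <= now:
            problems.append("file has expired; its contacts may be stale")
    return problems
```

An expired file is worth noting in your report: the listed contacts may no longer be monitored.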


Finding your first bug


So you've learnt to hack via challenges, you know what a bugbounty program is and you understand the different types available. You're ready to get stuck in, but sadly one thing we can't advise you on is which program to look at. One big hurdle people struggle to overcome is finding a program to spend their time on, and sadly this is something out of most people's control, especially if you are new and don't have access to as many programs as others.

But there is something we can advise on: hacking, and using your hacking knowledge to find your first bug. Below are some tips and things you can try to help you discover your first bug.


Final Remarks


All of the content on this site has been community-created and is designed to give you not only easy access to tutorials and writeups from researchers around the world, but also the chance to apply the knowledge shared straight away on recreated real-world bugbounty situations. From there, use your skills on bugbounty programs. We believe a hacker creates his own story and everyone has their own way of discovering vulnerabilities. Not every case can be "try this, do that", and we hope that through challenges hackers can begin writing their own story.