🎯 Goal
Master the end-to-end bug bounty workflow: from choosing a target to writing a professional report. Learn reconnaissance, enumeration, exploitation, and responsible disclosure—the exact process used by successful hunters.
🔑 Key Skills to Learn
- Scope & Rules of Engagement: Reading program briefs, respecting out-of-scope assets, safe harbor policies.
- Target Selection & Asset Discovery: Choosing programs, understanding reward structures, finding the right attack surface.
- Passive Reconnaissance: WHOIS, DNSDumpster, certificate transparency (crt.sh), Shodan, Wayback Machine, GitHub dorking.
- Active Reconnaissance: Subdomain enumeration (Subfinder, Amass), port scanning (Nmap), service fingerprinting, live host detection (httpx, httprobe).
- Technology Fingerprinting: Wappalyzer, BuiltWith, WhatWeb – identify frameworks, CMS, server versions.
- Endpoint Discovery & Fuzzing: Directory and file brute-forcing (Ffuf, Dirsearch), parameter discovery, API endpoint enumeration.
- Vulnerability Testing (Manual First): Apply OWASP Top 10 skills (XSS, SQLi, IDOR, etc.) based on tech stack; confirm findings manually before automating.
- Exploitation & Impact Demonstration: Show real-world impact (read a document, change another user’s data) without causing harm.
- Report Writing: Clear steps to reproduce, impact statements, severity justification, visual proofs (screenshots, PoC code), CVSS scoring basics.
- Continuous Learning & Communication: Follow disclosed reports (HackerOne Hacktivity), engage with the community, stay updated on novel attack techniques.
🛠️ Essential Tools & Technologies
| Tool | Purpose |
|---|---|
| Amass | Deep subdomain enumeration and network mapping. |
| Subfinder | Fast passive subdomain discovery. |
| Httpx | Probe for live web servers, gather technology info. |
| Nuclei | Automated template-based scanning for known vulnerabilities. |
| Ffuf | Directory, file, parameter fuzzing. |
| Burp Suite | Manual manipulation, authentication bypass, advanced exploitation. |
| Waybackurls / Gau | Fetch historical URLs from archive sources. |
| GitDumper | Search for exposed secrets in public repositories. |
| Axiom | Distributed scanning infrastructure (for advanced hunters). |
📖 Free Learning Resources
- HackerOne Hacktivity – Publicly disclosed reports with filters; learn how top hunters think.
- Bugcrowd University – Covers methodology, writing reports, and vulnerability classes.
- NahamSec’s “Bug Bounty Hunting Methodology” (YouTube) – Walkthroughs of real recon and exploitation.
- Jason Haddix’s Bug Hunter’s Methodology Talks – Annual methodology updates (DEFCON, LevelUp). Search "Bug Hunter's Methodology v5" on YouTube.
- PentesterLab – Subscription-based, but offers free exercises for specific bugs (e.g., “File Upload Bypass”); free tier available.
- Project Discovery Blog – Recon and tooling guides (subfinder, nuclei, chaos).
- “Breaking into Bug Bounty” by Vickie Li – Free articles on Medium covering methodology, tools, and mindset. Search “Bug Bounty Hunting for Beginners” on Medium.
- OWASP Testing Guide (v4) – Systematic testing methodology for web apps.
🔗 Roadmap Placement
- Prerequisites: Web & Application Security (you know OWASP Top 10, can use Burp), Linux (command line), Networking (HTTP, DNS, ports).
- Directly Leads to: Advanced exploitation (Web Cache Poisoning, Request Smuggling), paid platforms (HackerOne, Bugcrowd, Synack), or full Red Team engagement if combined with internal network skills.
- Next Step: After mastering web bug bounty, extend into Red Teaming / Penetration Testing (Active Directory, lateral movement) or Mobile/API Security for diversification.