In 2024, How to start Bug Bounty $$$$ Hunting?

  • Most of the assets are on the web. Thus, understanding web technology is essential. It will keep you ahead of the table and help in your better understanding of the game. It really helps to learn languages like JavaScript. Once you understand the basics fundamentals of web flow (front-end, back-end, database), you can learn out how to break it!
  • Your weapon is your machine! Learn OS ,Be a pro in the CLI. It’s critical to your journey. Most of the kids in this era already understood this information. Nevertheless, it should be mentioned.
  • Learn the fundamentals: OWASP Top 10, CWE, 0day CVD, CVE, and their differences.
  • Learn out more about CWEs and where they can be visible through research. For instance, you investigate into the related bug in CWE-79: Cross-site Scripting, where it can be reproduced, and why it occurs (main cause). As a developer, you can consider how this is possible at the code level (as you learned at the beginning). You will then know how to prevent this.
  • Increase your focus to OWASP-TOP-10 vulnerabilities (Android, Web, API, etc.). And investigate into those bugs’ most recent CVEs. Once you have done this and been familiarising with the industry , you can slowly move on to practice.
  • Skill Assessment: Practice in labs such as PentesterLab, Secure Code, Portswigger, etc. to sharpen your skills. When you’re having trouble overcoming these challenges, read the relevant blogs. Use a keyword and google it. Study up and pwn the challenge later. Every day, read blogs and write daily (it will only take a little time). Check out blogs about bug bounty subscriptions.
  • ⦁ Watch videos of:
Rana Khalil
John Hammond
Bug Bounty Reports Explained
rs0n_liveIntigriti etc.

They have outstanding contents.

  • Learn out more about VDP (Vulnerability Disclosure Programs), Private, and Public BB Programs and understand how they work. It’s up to you to start hunting in a less competitive environment; starting with VDP is usually advised.
  • ⦁ Don’t forget that companies like Apple, Meta, Google etc. have their reporting endpoints.
  • How to Get Away from Duplicate: Built Your Process. You can use public resources to learn & apply, but make some modify what you learned from the public. It’ll take time;, you must try to more harder and continue to be consistency over time.
  • Important: You can share the resources and knowledge, Don’t share your methods. (Sharing is caring, but spoonfeeding isn’t. Hopefully, you understand.
  • Kindly leave any “toxic community” that is destroying your mental health; you don’t need to carry criticism of charlatans and idiots. Share the contents and only stay inside the healthy circle.

Let’s grow and learn together.

error: Content is protected !!