Jan 25, 2023 / By Securium solutions
In this blog, I will be explaining step by step about getting started in Bug bounty. First I should explain to you the term Bug Bounty. Bug Bounty is not a technical word.
The technical word is Pentesting where we have to find vulnerabilities and report to our target. Pentesting can be done on different types of targets like Websites, Blockchains, APIs, etc.
So, bug bounty is a combination of two words bug and bounty. Bug stands for vulnerability that we find and that we report. Bounty stands for the reward we get. It may be the hall of fame, Swags, Money, etc.
Now I should tell you how to start learning Bug Bounty. In this blog, I will be explaining Bug Bounty for websites. I am assuming that if you are starting Bug Bounty then you may know about networking, Linux, and basic Ethical Hacking.
If you have learned them then you will not get problems during learning Bug Bounty. First, you need to learn to work on a website. How did websites work? What are requests and Response methods?
You can learn it by exploring it on google and youtube. Or you can work on a website, It will be the best.
Then you need to learn Burpsuite which is one of the most important tools for bug bounty or web Pentesting. Every hacker uses burpsuite to intercept and forge requests and responses of the traffic sent and received between client and server. You can learn Burpsuite from youtube. There are many tutorials for that.
Now you can start learning about vulnerabilities.
First, learn all vulnerabilities from OWASP’s top 10.
You can do all Portswigger labs which will help you to learn with a practical scenario.
Portswigger has created many labs and we can utilize them for free.
Try to make habit of reading articles and HackerOne reports daily. Both of them will help you to get new methods daily. You can get HackerOne reports after creating an account on HackerOne, go to hackitivity. You will get many reports there or you can search for vulnerability name HackerOne reports on google itself.
Now you are ready to start doing bug bounty.
But in starting don’t go for companies that give cash money as bounties. Because many hackers have already hunted over it.
So, you can start with the program which gives a hall of fame as a reward.
Hall of fame is a type of reward that a company gives as a reward. The company mentions the hacker’s name in the list of security researchers on its website. Hall of fame enhances resumes and Linkedin profiles which helps us to get a job.
Try to collect some hall of fames
You can find programs by searching “responsible disclosure hall of fame” on google.
After getting some hall of fames now you can start hunting on websites that give swags as a reward. Swags are also types of reward which is given by the company.
Swags maybe T-shirts, hoodies, bottles, etc. Like if we report a valid vulnerability to Redbull then they reward us with a tray of Redbull.
It will also excite you as you will be getting swags. You can find those programs by searching
“inurl : / responsible-disclosure/ swag” on google.
Now you have got many experiences, now you can start hunting for a company that gives cash rewards.
You can search that programs by using many dorks like “inurl /bug bounty”.
Get some rewards from there.
And when you realize that you are now you have got good skills in bug bounty.
Now you can start hunting on Hackerone and Bugcrowd.
Author
Sourabh Kumar
Securium Solution Cyber Security Intern
