How to get started with Bug Bounty

Friends, this month Otus launches recruitment for a new course – “Application Security”. In anticipation of the start of the course, we have traditionally prepared a translation of useful material for you.

How to start practicing Bug Bounty? This question is very common, and I continue to receive it in messages day by day. I can not answer every message, so I decided to write an article and send all newcomers to read it.

I have been doing Bug Bounty for five years now. However, there are many things that I don’t know, and I myself am not an expert, so please do not consider this article as advice from an expert. I’ll just share what I have achieved over the past 5 years, improving my skills every day.


I saw a lot of people in the Bug Bounty community saying, “I'm not a techie, so I am not very good at Bug Bounty.”

In fact, it is a misconception that only someone from the computer sphere can be a good specialist in Bug Bounty. If you are familiar with computer science, this will certainly help, but it is not necessary, you can fully learn the basics yourself. However, if you do not have a technical background, you should only deal with bug bounty if you are more interested in learning about information security rather than making money.

By education, I belong to the field of mechanical engineering, but I was interested in information security from the school bench, however, I went to get education in mechanical engineering on the advice of my family, but I always focused on information security.

I can tell a lot of stories about how people from the non-technical sphere achieve success in the field of information security and bug bounty.

However, all of them had common qualities, namely “interest” and a willingness to engage in “hard work”.

If you think you will succeed in one night, a week, or a month, this is not what you should do. There is a lot of competition in bug bounty, because a good “bug hunt” can take a whole year. You should constantly continue learning, share experiences, and practice. You should be pursued by curiosity, you should strive to learn something new and explore this area on your own. Now there is a very large amount of free educational content.

Do not pay people who say they will make you a specialist in bug bounty in one night. Most of them are scammers.

Below are the things you need to know before you get started with information security.

No one can tell you everything about this area, study is a long way that you must go alone, using the help of other people.

“Don't expect everyone to bring you on a plate with a blue border.”

How to ask questions?

When asking someone a technical question, do it with all responsibility.
You should not ask questions like: “Here is the end point, could you get around the XSS filter for me?”

You should ask questions essentially – that’s all.
And do not expect people to be able to answer your question in a few minutes. They will answer as soon as they have free time, or they may not answer you at all because of their busy schedule or for some other reason. Respectfully consult consultations – do not ping who is not necessary.

How to find answers to all your questions?

Well, I did it before, doing now and will do in the future. I use Google. (you can use other search engines: P)

Basic technical skills for a beginner

I assume that you have a basic understanding of how everything works on the Internet. There are many things you need to learn, but I can’t list them all here. I will list only a few important topics, and you will learn the rest yourself.

HTTP Protocol – TCP / IP Model
Linux – Command Prompt
Web Application Technologies
Basic networking skills

Get the basic skills of HTML, PHP, Javascript – This is only the beginning, because the list will never end, and it depends on your personal interests. You somehow form an interest in accordance with your needs.

It is also very important to get an idea of ​​the various types of vulnerabilities as quickly as possible. To do this, I added the "Web Application Security Fundamentals" section.

Path selection

Choosing the right path in the field of bug bounty is very important, and it will completely depend on your interests, but many guys choose to start with web applications for themselves, and I myself think that this path is the easiest.

  1. Web application security testing.
  2. Mobile application security testing.

However, do not limit yourself to these two points. I repeat, this is a matter of interest.

Web Application Security Basics
OWASP TOP-10 2010
OWASP TOP-10 2013
OWASP TOP-10 for 2017

Start in 2010 to understand what vulnerabilities were in the top that year, track what happened to them in 2017. You realize this by studying them and practicing.

OWASP V4 Testing Guide

You do not need to learn this testing guide and immediately go to work, you need to start working on living (legal) goals, because this is the only way to improve your skills.

Mobile Application Security Testing

Once you get more experience, you can freely switch between areas that you like more.

OWASP TOP-10 Mobile Application Vulnerabilities

There is one stop to be made on the road to mobile app security:

Mobile Application Security Wikipedia from Aditya agrawal.
Application Security Wikipedia also from Aditya Agrawal

Books that I periodically refer to

  1. Web Application Hacker’s Handbook
  2. Mastering Modern Web Penetration Testing
  3. The Hacker Playbook 1, 2 and 3
  4. The Mobile Application Hacker’s Handbook
  5. Breaking into information security
  6. Web hacking 101

Youtube Channels and Playlists

  1. Ipsec
  2. Liveoverflow
  3. Web development tutorials

Conferences you should watch

Akhil George – created a playlist about bug bounty on Youtube.

How to Shot Web from Jason haddix

Practice! Practice! Practice!

It is very important to be aware of new vulnerabilities. When playing with getting information from the server, follow the information about publicly available exploits to escalate the attack.

You can start working with applications with vulnerabilities.

  1. Hackerone
  2. Bug county notes
  3. Pentesterlab
  4. Hackthebox
  5. Damn Vulnerable Web Application
  6. XSS Game from Google
  7. Vulnhub
  8. Hack me

While doing security testing labs, I wrote several articles on my blog, you can find them below:

  • Basic Android Security Testing lab – 1
  • Basic iOS Apps Security Testing lab – 1
  • Basic Penetration testing lab – 1

Platforms for Bug Bounty – This is a great place where you can test your skills. Do not be discouraged if it does not work out right away, you are still learning and such a reward as experience is much more important.

Bugbounty japan

Twitter hashtags you should follow:


Tools you need to master (* tool)

Burp suite

To get started, practice using the free version of Burp Suite or the community edition to start working on bug bounty programs, and as soon as it starts to work out, be generous and buy the Burp Suite Professional edition. You will not regret it.

Note: Don't use the pirated version of Burp Suite Professional; respect the work the Portswigger team does.

There are many open sources where you can learn more about Burp Suite pro, but they will help you only if you decide to invest a little money in your hobby. I can recommend the following sources:

Online Course From Pranav hivarekar – Burp Suite Mastery
Burp Suite Basics by Akash Mahajan

To help with information gathering and field intelligence, I wrote another article on this topic on my blog.

Bug Bounty and Mental Health

The Bug Bounty area is closely related to stress, so you must take care of your physical and mental health, which is very important. The rest does not matter. My good friend Nathan wrote a great post on this topic.

You should definitely read it.

Blogs worth reading

  • Detectify labs
  • Infosec write-ups
  • Appsecco
  • These aren't the access_tokens you're looking for
  • Geekboy | Security researcher
  • Learn | Think | Hack

There are other cool blogs besides these, I can’t list everything, you yourself can find them as soon as you become interested in this issue.

Watch cool guys on github

Michael henriksen
Michael Skelton
Ben sadeghipour
Tom hudson
Ahmed aboul-ela
Mauro soria
Gianni amato
Jeff foley
Gwendal le coguic

Consider donating them a small portion of your successful bug bounty reward to support their open source projects, or you can help them develop their projects. Of course, this is only if they accept financial support.

Follow active Bug Bounty members on Twitter

Frans rosén
Mathias karlsson
Olivier beg
Jobert abma
Gerben javado
Ben sadeghipour
Yassine aboukir
Patrik Fehrenbach
Santiago lopez
Rahul maini
Bret buerhaus
Harsh jaiswal
Joel margolis
Abdullah hussam
Ron chan
Parth malhotra
Prateek tiwari
Pranav hivarekar
Jigar thakkar
Rishiraj sharma
n a f f y | thought leader
Inti de ceukelaire
Bhavuk jain
Avinash jain
Emad Shanab
Ebrahim hegazy
Yasser ali
Akhil reni
Arbaz hussain

And many other guys, but I also can’t add all.


thanks Prateek tiwari, Rishiraj sharma and Geekboy for helping with the editing of this article!

See you later!

That's all. And we invite everyone to a free webinar on the topic: "(In) application security: hunting for bugs".

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *