Kick Start In Bug Bounties

InfoSec Write-ups – Medium–

Image Credit :

Hello nasty Hackers!

In this Write-up, I am going to share some pro tips which will surely help you, If you just started bug bounty & is unable to find valid bugs.

For this write-up, I’m assuming that you already know the basics of Web Application Hacking & you are already familiar with the term Bug Bounty.

So coming straight to the point, In this write-up I am going to share in total 5 tips for Bug Bounties.

If you follow each step/tip religiously, then i can guarantee, that you will earn your 1st bounty within 1 to 5 months.

Yes! you heard that right … It can take 1 to 5 months or even more to find your 1st valid bug.

So persistence is the Key …

Lets Start !!!

Now! let’s start with our first TIP…

Focus on 1 Vulnerability at a time

Most of the beginners use to do this mistake that, they learn some basics of website hacking,

And then they just start hunting random vulnerabilities on real sites,

They hunt for let’s say XSS for 2 hours , if they fail to find that particular bug (They will fail in beginning), then they simply move to another Vulnerability.

Keep in mind, there are lots of different endpoints where a particular type of vulnerability could exist.

Having basic knowledge about particular vulnerability is not enough.

For example, did you know that there are in total 6 different types of SQL Injection i.e.,

  1. Blind Boolean Based
  2. Union Based
  3. Double Query Based
  4. Time Based
  5. Error Based
  6. Blind Time Based

And did you know that SQL injection is not only possible to some GET based parameter (i.e. php?post=34, asp?id=3, etc)

Following are the SQLi Injection Points:

  1. GET Based SQL Injection
  2. POST Based SQL Injection
  3. COOKIES Based SQL Injection
  4. Header Based SQL Injection

So the point is that, if you think that you have mastered one Vulnerability in just 10–20 mins by watching a single video,

Then you are just fooling yourself

Learn more & more about particular vulnerability, explore different types of exploitation techniques.

Read articles on that particular vulnerability, search like this “SQL Injection medium write-ups” & start reading.

Don’t move to any other vulnerability until you are able to find a valid bug of that particular vulnerability on a real site.

If you ask any bug bounty hunter, then they will tell you that they only hunt for 3–4 types of Vulnerabilities.

So rather than learning the basics of all vulnerabilities, it is better to focus on 1 vulnerability at a time.


Make a daily routine that you will read (articles/book/write-ups, etc) on a particular vulnerability every 1–2 Hours.

And then hunt for next 1–2 hours, after hunting for let’s say 2 hours, simply leave the target for next day, if you are not able to find anything useful.

And then repeat this READ — HUNT — LEAVE Formula.

Remember your existing knowledge is not enough, you will need a knowledge Booster.

THAT’S WHY ALWAYS READ for at least 1 hour.

Don’t hunt for more than 3 hours a day, because in beginning you will not be able to find any valid bug.

Thus excess hunting could lead to demotivation & you will often leave bug hunting.

Don’t depend on Automated Vulnerability Scanner

They are BULLSHIT!

You will often get False Positives from those tools.

Automated Scanners are only helpful for Black Hat Hacking,

In other words, if you are targeting personal sites of individuals who do not run Bug Bounty, then it could help.

Target Selection is Super-Duper Important

As you know, competition has increased a lot in Bug Bounties also.

So it is very difficult for a beginner to find a valid bug (Not Duplicate) on a limited scope target.

Always try to hunt on those targets who have large testing scope i.e. Wild Card Domain (* are In-Scope.

It is recommended to go for those targets who only offer swags or points,

Don’t run for money just for the beginning …

Bug Bounty is just like math, the more you do it, the better you become.

Follow Less Traveled Road Concept wherever Possible

Now let’s suppose, you have learned a lot about particular vulnerability by reading articles, books, write-ups, blogs, etc,

And you have also selected a large scope target, but what if the domain you are testing is already tested by Thousands of Pentesters & Bug Bounty Hunters.

It is then also possible that someone is able to find vulnerability on that particular domain, despite the fact that the domain is already tested by Thousands of Security Researchers,

But it is extremely hard for a Beginner to get its 1st bug on that particular target.

Let’s take another example, where you and only you are able to find a particular subdomain by let’s say Subdomain Brute-force,

So now tell me, what are the chances that you are able to find your 1st valid bug?

Now I think, you get an idea that what I’m trying to say,

Recon & Content discovery should be your topmost priority, it will not only helps you to move away from the Crowd, but also it will help you to achieve Less Traveled Road Concept.

Well, that’s all for today! Thanks for Reading : )

Follow Us On GitHub, YouTube & Twitter:




Kick Start In Bug Bounties was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

View original article on InfoSec Write-ups – Medium

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s