Bug Bounty FAQ

July 22, 2017

A list of questions that bug bounty hunters frequently DM me about. 😄

How do I get started with bug bounty hunting? How do I improve my skills?

I have a simple philosophy that I share with everyone:

  • Learn to make it. Then break it!
  • Read books. Lots of books.
  • Join discussions and ask questions.
  • Participate in open source projects. Learn to code.
  • Smile when you get feedback and use it to your advantage.
  • Help others. If you can teach it, you have mastered it.

What tools should I use?

https://bugbountyforum.com/tools/

What platforms should I use?

How should I learn to code?

Get familiar with Python first: https://learnpythonthehardway.org/.

What books do you recommend?

Where can I get in touch with fellow researchers?

What does a good report look like?

Depending on which platform or program you are working with, the requirements will differ, but in general the following report by Eugene Farfel is very well written: https://hackerone.com/reports/115748.

Is it worth reporting XYZ?

Read the program’s scope. If they do not explicitly request that type of issue, then I would not waste your time reporting it unless you believe the issue has a significant impact on the target.

What is the best bug bounty program?

The best programs understand that they must work together with the researcher, not against them. Bug bounties should be a joint effort.

Is it illegal to do XYZ?

Look up the relevant regulations beforehand to avoid getting into trouble.

What is it like to run a bug bounty program?

Actually, it is a lot of fun. I really look forward to the next report all the time, and I am continuously amazed by some of the fantastic findings that researchers report. Admittedly, I do have to deal with a bit of noise, but the good reports compensate for the bad ones.

How did you get to run a company’s program?

They appreciated my report: https://hackerone.com/reports/190373.