A list of questions that bug bounty hunters frequently DM me about. 😄
How do I get started with bug bounty hunting? How do I improve my skills?
I have a simple philosophy that I share with everyone:
- Learn to make it. Then break it!
- Read books. Lots of books.
- Join discussions and ask questions.
- Participate in open source projects. Learn to code.
- Smile when you get feedback and use it to your advantage.
- Help others. If you can teach it, you have mastered it.
What tools should I use?
What platforms should I use?
How should I learn to code?
Get familiar with Python first: https://learnpythonthehardway.org/.
What books do you recommend?
- Web Hacking 101 by Peter Yaworski.
- Breaking into Information Security: Learning the Ropes 101 by Andy Gill.
- The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard and Marcus Pinto.
- Crypto 101 by Laurens Van Houtven.
Where can I get in touch with fellow researchers?
What does a good report look like?
Depending on which platform or program you are working with, the requirements will differ, but in general the following report by Eugene Farfel is very well written: https://hackerone.com/reports/115748.
Is it worth reporting XYZ?
Read the program’s scope. If they do not explicitly request that type of issue, then I would not waste your time reporting it unless you believe the issue has a significant impact on the target.
What is the best bug bounty program?
The best program understands that they must work together with the researcher and not against them. Bug bounties should be a joint effort.
Is it illegal to do XYZ?
Look up the corresponding regulations in order to avoid getting into trouble.
What is it like to run a bug bounty program?
Actually, it is a lot of fun. I really look forward to the next report all the time, and I am continuously amazed by some of the fantastic findings that researchers report. Admittedly, I do have to deal with a bit of noise, but the good reports compensate for the bad ones.
How did you get to run a company’s program?
They appreciated my report: https://hackerone.com/reports/190373.