Hello Everyone,
I hope you are doing well.

I am Shrimant More currently working as a Penetration Tester at TCS.


I have been doing Bug Bounty for some time (still learning every day) and have performed well on HackerOne, BugCrowd, and YesWeHack.


So I thought of doing a write-up where I’ll share how I started my Bug Bounty journey and how beginners can use it as a reference.

I usually get messages like

“From where to start Bug Bounty”
“Tips for Bug Bounty”
“Recon methodology”

Sometimes it becomes hectic to reply with the same thing again and again to every message, so here’s a complete, detailed write-up.



I follow “The Golden Circle Rule” (What, How and Why) almost everywhere, and I want you, yes the one who is reading this, to follow the same thing when entering Bug Bounty.



1. What is Bug Bounty / Bug Bounty Program

A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs.

2. How to do Bug Bounty?

i. Find a Bug Bounty Program

ii. Read the In-Scope and Out-of-Scope items

iii. Report bugs with detailed Proofs of Concept to the respective Bug Bounty Program (sometimes reports are marked as Not Applicable or Duplicate)

iv. Earn (Money / Swag / Hall of Fame)

Seems easy, right? But it’s NOT that easy, and NOT that hard either.

3. Why Bug Bounty?

Ask yourself why you want to become a Bug Bounty Hunter.

If the answer is: Easy Money

Then, my friend, you won’t stay here for long, because having submitted reports marked Duplicate or Not Applicable is demotivating, and most people give up at this point.

But, if you are someone who:

i. Loves challenges

ii. Reads daily/weekly

iii. Has a “Never Give Up” attitude

iv. Thinks out of the box

v. Appreciates others’ work for the community

vi. Works smart

Then you will succeed in Bug Bounty.



Choose your Bug Bounty niche

Interests vary from person to person. You can find various platforms that have Bug Bounty programs related to the list below:

i. Web Application

ii. Android Application

iii. iOS Application

iv. Hardware

v. Source Code Review

vi. Reverse Engineering, etc.

So, as a beginner, I started with Web Applications because it was easy to set up labs and a lot of resources were readily available.

I would suggest that beginners start by learning how to find vulnerabilities in Web Applications and then move on to the other types in the list.

Find Bug Bounty Platform

Below are some Google dorks for finding public Bug Bounty Programs / Responsible Disclosure Programs:

inurl /bug bounty

white hat program

inurl : / security

inurl:security.txt

"powered by synack"

inurl"security report"

inurl:security "reward"

buy bitcoins "bug bounty"

site:help.*.* inurl:bounty

site responsible disclosure

responsible disclosure:sites

responsible disclosure europe

intext responsible disclosure

responsible disclosure r=h:nl

responsible disclosure r=h:uk

responsible disclosure r=h:eu

"submit vulnerability report"

intext:bounty inurl:/security

/trust/report-a-vulnerability

site eu responsible disclosure

site:responsibledisclosure.com

inurl : /responsible disclosure

site .nl responsible disclosure

inurl: private bugbountyprogram

inurl:reporting-security-issues

site:security.*.* inurl: bounty

responsible disclosure white hat

"vulnerability reporting policy"

"security vulnerability" "report"

inurl:/security ext:txt "contact"

inurl:security-policy.txt ext:txt

site:*.*.* inurl:bug inurl:bounty

responsible disclosure swag r=h:nl

responsible disclosure swag r=h:uk

responsible disclosure swag r=h:eu

site:*.*.de inurl:bug inurl:bounty

responsible disclosure swag r=h:com

responsible disclosure hall of fame

"responsible disclosure" university

inurl:/.well-known/security ext:txt

inurl:responsible-disclosure-policy

responsible disclosure bounty r=h:nl

responsible disclosure bounty r=h:uk

responsible disclosure bounty r=h:eu

responsible disclosure reward r=h:nl

responsible disclosure reward r=h:uk

responsible disclosure reward r=h:eu

intext:responsible disclosure bounty

inurl : / responsible-disclosure/ swag

inurl:'/responsible disclosure' hoodie

inurl : /responsible-disclosure/ reward

intext:Vulnerability Disclosure site:nl

intext:Vulnerability Disclosure site:eu

inurl : / responsible-disclosure/ bounty

"powered by bugcrowd" -site:bugcrowd.com

insite:"responsible disclosure" -inurl:nl

site:*.*.nl intext:security report reward

inurl:/responsible-disclosure/ university

site:*.*.uk intext:security report reward

site:*.*.cn intext:security report reward

intext:security report reward inurl:report

inurl:'vulnerability-disclosure-policy' reward

site:support.*.* intext:security report reward

intext:security report monetary inurl:security 

site:*.*.nl intext:responsible disclosure reward

"Submission Form powered by Bugcrowd" -bugcrowd.com

"powered by hackerone" "submit vulnerability report"

inurl:/.well-known/security ext:txt intext:hackerone

inurl:"bug bounty" and intext:"$" and inurl:/security

"If you believe you've found a security vulnerability"

intext:"BugBounty" and intext:"BTC" and intext:"reward"

inurl:"bug bounty" and intext:"€" and inurl:/security

inurl:"bug bounty" and intext:"INR" and inurl:/security

"van de melding met een minimum van een" -site:responsibledisclosure.nl

inurl:/.well-known/security ext:txt -hackerone -bugcrowd -synack -openbugbounty

inurl:/security.txt "mailto*" -github.com  -wikipedia.org -portswigger.net -magento


Tools used in Bug Bounty

If you have selected Web Applications for finding bugs, you’ll need a browser (I use Firefox) and Burp Suite (a proxy-based tool) in the starting phase.

The list of tools will grow over time and differs from person to person.



Learning Path for Bug Bounty

1. OWASP Top 10 – Web

2. BurpSuite

3. Books:

The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws

Web hacking 101

Mastering Modern Web Penetration Testing

4. Video Material for Bug Bounty

Hacker101

BugCrowd University

Jason Haddix

Codingo

STÖK

Zseano

Pratik Dabhi

Hacking Simplified



Recon and Automation in Bug Bounty

Recon and Automation are important in bug bounty.

If you want to make your Recon Game strong:

1. Watch Nahamsec’s Twitch streams; they’re FREE.

2. Bug Bounty Automation Tools made by Tom Hudson (Tomnomnom)

3. Automation Tools from Project Discovery

4. Most of the tools are built using Bash, Go, or Python, so it would be great if you use a Debian-based OS (I am using Ubuntu 20.04).

You might have read write-ups where a particular Security Researcher found a really simple Insecure Direct Object Reference (IDOR) and got paid $$$$ for it.

Ever wondered why they were able to find that particular endpoint?
Yup, correct: Recon!!

I have a habit of using several tools to enumerate subdomains, because I DON’T want to miss a single subdomain.

So here’s an example of how I have been doing it:

#!/usr/bin/env bash
# Enumerate subdomains of one target with two tools, save each tool's output
# separately, then merge both lists into a single deduplicated file.
# Note: tee -a appends, so delete the old output files before re-running.
DOMAIN="smshrimant.com"

echo 'Started assetfinder'
assetfinder --subs-only "$DOMAIN" | sort -u | tee -a 1DomainsfromAF.txt
echo ''
echo 'Completed assetfinder'

echo 'Started subfinder'
subfinder -d "$DOMAIN" | sort -u | tee -a 2DomainsfromSubfinder.txt
echo ''
echo 'Completed subfinder'

echo 'Sorting and Merging Domains'
sort 1DomainsfromAF.txt 2DomainsfromSubfinder.txt -u | tee -a UniqueDomains.txt

This is just an example using 2 tools; you can add more tools of your choice 🙂
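One step the merge above skips is scope filtering: enumeration tools happily return look-alike hosts and dangling entries that fall outside the program's In-Scope list. The script below is an added example (not from the original post) that merges any number of per-tool files, normalizes the entries and keeps only the root domain and its subdomains; the function names and the sample data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): merge the per-tool output
# files, normalize the entries and keep only hosts in scope for one root
# domain, so out-of-scope hosts never reach the rest of the recon pipeline.
# The sample data below is constructed; the function names are my own.
set -eu

# normalize_hosts: lowercase, strip scheme, path, port, wildcard prefix,
# leading/trailing dots, and drop anything that is not a plausible hostname.
normalize_hosts() {
  tr 'A-Z' 'a-z' \
    | sed -E 's#^[a-z]+://##; s#/.*$##; s#:[0-9]+$##; s#\.+$##; s#^\*\.##; s#^\.+##' \
    | { grep -E '^[a-z0-9.-]+$' || true; }
}

# in_scope_only ROOT: keep ROOT itself and hosts ending in ".ROOT" only, so
# look-alikes such as "notexample.com" or "example.com.evil.net" are dropped.
in_scope_only() {
  local root="$1"
  awk -v root="$root" \
    '$0 == root || substr($0, length($0) - length(root)) == "." root'
}

# merge_subdomains ROOT FILE...: one deduplicated, in-scope list built from
# any number of tool output files (e.g. the 1Domains*/2Domains* files above).
merge_subdomains() {
  local root="$1"; shift
  cat "$@" | normalize_hosts | in_scope_only "$root" | sort -u
}

# demo_merge: run the merge over two constructed tool outputs and print it.
demo_merge() {
  local tmp; tmp="$(mktemp -d)"
  printf '%s\n' 'api.example.com' 'API.example.com' 'https://www.example.com/' \
    'notexample.com' '*.dev.example.com' > "$tmp/1DomainsfromAF.txt"
  printf '%s\n' 'mail.example.com.' 'example.com' 'example.com.evil.net' \
    'cdn.example.com:8443' > "$tmp/2DomainsfromSubfinder.txt"
  merge_subdomains example.com "$tmp"/*.txt
  rm -rf "$tmp"
}

demo_merge
```

Replace the constructed files with the real 1DomainsfromAF.txt and 2DomainsfromSubfinder.txt (or any further tool outputs) and the program's root domain to get a scope-clean UniqueDomains list.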



Wordlist for Bug Bounty

Bug Bounty Hunting is a form of Black Box Penetration Testing, so we don’t know which endpoints exist. That’s where fuzzing comes into the picture.

We have a tool named ffuf which can be used for various tasks. Using ffuf in your recon methodology is great, but it’s also important to be nice to the servers.

Have a look at the videos posted by Codingo and InsiderPhD, where they teach how to use ffuf and be nice to the servers at the same time 🙂

We need wordlists for fuzzing. As a beginner, I would suggest using the wordlists below:

  1. SecLists
  2. Assetnote Wordlists

Once you get experienced, try to make your own custom wordlists.



Practice Attacks on Labs

After learning attacks we need to practice them, so you can test them on the labs below:

1) PortSwigger Labs

2) Testphp Vulnweb

3) OWASP Juice Shop



Checklist for Bug Bounty

It’s important to make our own checklist. This checklist should comprise:

1) Attacks you are good at, OR

2) Attacks to look for when you are given a website to pentest

As a beginner, I would suggest BugCrowd’s VRT (Vulnerability Rating Taxonomy); start learning those attacks.

P1 = High Impact, Good Bounty
.
.
P4 = Low Impact, Less Bounty

(I started from P4 though 🙂) It’s your choice; you can start from P1 or P4.



Twitter BugBountyTips

“Refer the trend, then modify it” – Shrimant

This means: start using Twitter and see what other Bug Hunters are reporting, then learn those techniques and try to increase the impact by modifying them for the particular scenario.

We are lucky enough that we have an amazing community that is active and posting BugBountyTips on Twitter.


Whatever topic you want to learn, just use Twitter dorks and you’ll find “lesser known” amazing tips, for example:

xss bug bounty

xss bugbounty

I know you guys are creative, now make your Twitter dork and hit the search button.



Discord Groups for Bug Bounty

HackerOne and BugCrowd have public Discord groups which you can join using the links below.

Hackerone’s Discord Group

Bugcrowd’s Discord Group


Advantages: most Bug Hunters are active there and will reply to your questions (just make sure you don’t ask silly questions like how to hack a Facebook account).



I hope that you have enjoyed the write-up and learned something new today.

Thank You 😀

Categories: Bug Bounty

15 Comments

Shamsher Shikalgar · January 13, 2021 at 1:50 pm

Learned a lot. Thanks!

Abhii Mali · January 13, 2021 at 2:01 pm

Nice one!!
thanks

    smshrimant · January 17, 2021 at 11:45 am

    Welcome 🙂
    Stay tuned, new writeups are coming 🙂

Anonymous · January 13, 2021 at 4:54 pm

Hey Shri
Nice to read your blog, about Bug bounty..
I can see your hardship and dedication to write this unmatched blog post.
It will help newbies as well as Experienced people . I would really recommend it.

Keep it up and best luck for your future..

Keep in touch buddy and Don’t forget me;)

Gowtham · January 13, 2021 at 5:41 pm

For Tips – https://app.gitbook.com/@gowsundar/s/book-of-bugbounty-tips/

manosh · January 15, 2021 at 7:31 am

thanks a lot

Mogembo · January 15, 2021 at 9:31 am

Your subfinder script should have > uniquedomains.txt instead of | uniquedomains.txt because it considers that as a command instead of an output file. Thanks

    smshrimant · January 17, 2021 at 11:48 am

    Thanks for pointing that out, I just updated the script.
    `sort 1DomainsfromAF.txt 2DomainsfromSubfinder.txt -u | tee -a UniqueDomains.txt`

    This won’t give error 🙂
