A list of questions that bounty hunters frequently DM me about. 😄
I have a simple philosophy that I share with everyone:
- Learn to make it. Then break it!
- Read books. Lots of books.
- Join discussions and ask questions.
- Participate in open source projects. Learn to code.
- Smile when you get feedback and use it to your advantage.
- Help others. If you can teach it, you have mastered it.
https://bugbountyforum.com/tools/
Get familiar with Python first: https://learnpythonthehardway.org/.
- Web Hacking 101 by Peter Yaworski.
- Breaking into Information Security: Learning the Ropes 101 by Andy Gill.
- The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard and Marcus Pinto.
- Crypto 101 by Laurens Van Houtven.
Depending on what platform/program you are working on there will be different requirements, but in general the following report by Eugene Farfel is very well written: https://hackerone.com/reports/115748.
Read the program's scope. If the program does not explicitly ask for that type of issue, I would not waste your time reporting it unless you believe the issue has a significant impact on the target.
The best programs understand that they must work with the researcher, not against them. Bug bounties should be a joint effort.
Look up the corresponding regulations in order to avoid getting into trouble.
Actually, it is a lot of fun. I always look forward to the next report, and I am continuously amazed by some of the fantastic findings that researchers report. Admittedly, I do have to deal with a bit of noise, but the good reports compensate for the bad ones.
They appreciated my report: https://hackerone.com/reports/190373.
Thank you!