In this article, let us discuss what bug bounty is and how to get started with bug bounty as a complete beginner. This article will guide you on where to start, how to learn, and how to earn.
I have been a bug bounty hunter for a while. Of course, I got some certificates for reporting critical bugs to companies, and some bounties, too. I will share my journey: how I got into bug bounty, where I started, and some valuable tips and resources so you can learn effectively.
What is Bug Bounty
Bug bounty is a process where companies invite hackers and offer bounties for finding vulnerabilities in their software or applications. The target can be any type of application, not just web, mobile, or desktop.
What is a Bug Bounty Program
Suppose a company invites hackers and security researchers to test its applications for bugs and vulnerabilities. In that case, you can consider that company a program. Remember, though, that there are several types of programs, such as VDPs and reward-based programs.
VDP
A Vulnerability Disclosure Program (VDP) is a procedure that companies and organisations set up to invite security researchers to test their applications. Some programs reward bounties for the findings, while others offer a Hall of Fame listing or certificates.
Reward Based Programs
In reward-based programs, companies define the reward for each vulnerability and pay according to the impact of the vulnerability. By testing these reward-based programs, you can showcase your findings and get paid for them.
How to get started in bug bounty
Bug bounty is not something where you can join a program, test for vulnerabilities, and get paid quickly. When I was a beginner, I too thought it was easy to join a program, browse the target application to find vulnerabilities, and report them.
I used to do the same with every program and ended up with no bugs found. I thought that the applications were highly secure and that it was challenging to find actual bugs.
But wait: bug bounty is an art that can be mastered.
As a beginner, I needed to figure out where to start with bug bounty. I used to watch YouTube videos about well-known vulnerabilities and tried to find the same vulnerabilities in every program, but found nothing.
I want you to avoid making the same mistake, so follow the process below carefully.
Learn the Basics of How the Internet Works
If you are a beginner, first learn how the Internet works: the protocols, IP addresses, ports, and so on.
Here is a comprehensive article on how the Internet works, and another on how the web works, by Mozilla.
Since I had a Computer Science background, I skipped this step when I started my bug bounty journey; I didn't need to learn how the web or the Internet works.
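To make the "protocols, IPs, ports" advice concrete, here is an added example (not code from the original article) that starts a tiny HTTP backend on the loopback address 127.0.0.1 and an OS-chosen port, then talks to it by hand over a raw TCP socket: it writes an HTTP request line and headers, reads the bytes back, and parses the status line, headers, and body. The server, the handler name, and the sample response bytes are all constructed for this example; nothing here touches a real target.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class HelloHandler(BaseHTTPRequestHandler):
    """Constructed backend for the example: answers every GET with a short text body."""

    def do_GET(self):
        body = b"hello from the backend\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Silence the default per-request log line so the example stays quiet.
        pass


def start_local_server():
    """Bind to 127.0.0.1 on an ephemeral port (port 0 lets the OS pick a free one)."""
    server = HTTPServer(("127.0.0.1", 0), HelloHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return server


def raw_http_get(host, port, path="/"):
    """Open a TCP connection to host:port and speak HTTP/1.1 by hand.

    This is what a browser (or curl) does underneath: TCP to an IP and port,
    then a text protocol whose lines end in CRLF and whose head ends in a blank line.
    """
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # peer closed the connection: response is complete
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_http_response(raw):
    """Split a raw HTTP response into (status code, headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, _reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers, body


# Constructed sample response, useful for exercising the parser without a socket.
SAMPLE_RESPONSE = b"HTTP/1.1 404 Not Found\r\nContent-Length: 9\r\n\r\nnot found"


def demo():
    """Run the full round trip against the local server and return what was observed."""
    server = start_local_server()
    host, port = server.server_address
    try:
        status, headers, body = parse_http_response(raw_http_get(host, port, "/"))
        return {
            "port": port,
            "status": status,
            "content_type": headers.get("content-type"),
            "body": body.decode(),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Run it and you will see the port the OS assigned, the 200 status, the Content-Type the backend declared, and the body. Reading the response with a plain socket rather than a library makes the layering visible: the IP address and port belong to TCP, the request and response lines belong to HTTP, and the body is just bytes the server chose to send.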
Start with the web first.
I suggest you start with web application pentesting. You need to know how websites function and the technologies behind each web application; again, you need not be an expert at the beginning.
Or you can even start with Android app pentesting. It involves some API pentesting, but you should still have web app pentesting knowledge.
Learn the basics of web development.
You don't have to be an expert, and learning web development is optional. But basic knowledge of HTML, JavaScript, and PHP will give you an overview of how the frontend and backend work. Developers often use many frameworks to create websites, but you need not worry about those at the beginning.
Where to Start
Before you begin, you have to master web application pentesting first. When I was starting, there were not enough resources to learn from; now there is no shortage of free resources.
Here is one thing to remember: make sure you have a Linux distro installed on your system, like Kali Linux or Parrot OS, because these distros come with many tools and make it easy to install many other bug bounty tools.
Practice Vulnerable web application exploitation.
I highly recommend DVWA and bWAPP, deliberately vulnerable web applications for learning web application penetration testing. They can be installed on your local machine so you can practice on them.
Here are a few online resources you can use to enhance your web application security skills. I highly recommend you try the PortSwigger Academy labs, which will take you from zero to an expert level.
Resources
What's Next
There is no end to cyber security. After learning and completing all the labs, you should be ready to test real-world web applications. You can join bug bounty hunting platforms and start your journey there, or you can manually search for websites that offer bounties for finding vulnerabilities in their web applications.
I have personally joined the following platforms, where you can find a lot of programs to test.