Bug Bounty Hunting: Getting Started Guide
Bug bounty hunting is the practice of finding and reporting security vulnerabilities in web applications, mobile apps, and infrastructure in exchange for monetary rewards — through platforms like HackerOne, Bugcrowd, and Intigriti.
What You’ll Learn
You’ll understand how bug bounty platforms work, define scope and reward structures, use reconnaissance tools for target discovery, identify common vulnerability types, write professional vulnerability reports, and navigate responsible disclosure with proper legal boundaries.
Why It Matters
Bug bounty hunting is one of the most accessible paths into professional security. Top hunters earn six figures annually, and companies like Google, Microsoft, and Meta pay millions in bounties. Durga Antivirus Pro’s own bug bounty program has discovered critical vulnerabilities before they could be exploited in the wild.
Real-World Use
A researcher finds an IDOR (Insecure Direct Object Reference) in a banking app — changing an account number in the URL reveals other users’ transaction history. They report via HackerOne, receive $2,500, and the bank fixes the vulnerability before any data is breached.
Bug Bounty Workflow
flowchart LR
A[Choose Platform] --> B[Find Targets]
B --> C[Reconnaissance]
C --> D[Vulnerability Scanning]
D --> E[Manual Testing]
E --> F[Write Report]
F --> G[Submit Report]
G --> H{Valid?}
H -->|Yes| I[Receive Bounty]
H -->|No| J[Learn & Improve]
I --> K[Disclosure]
style A fill:#2563eb,color:#fff
style I fill:#059669,color:#fff
Step 1: Understanding Bug Bounty Platforms
| Platform | Typical Rewards | Notable Programs |
|---|---|---|
| HackerOne | $500 - $50,000+ | GitHub, Twitter, Shopify |
| Bugcrowd | $250 - $25,000+ | Atlassian, Heroku, TripAdvisor |
| Intigriti | $100 - $30,000+ | Intel, Unity, KPMG |
| Synack | $500 - $10,000+ | Government agencies, Fortune 500 |
| YesWeHack | $200 - $50,000+ | Doctolib, Orange, Total |
Signing up on HackerOne:
# 1. Create account at hackerone.com
# 2. Complete your profile (security researcher background)
# 3. Browse "Hacktivity" to see recent disclosures
# 4. Filter programs by "Public" and "All awards"
# 5. Start with programs offering "low barrier to entry" — VDP (Vulnerability Disclosure Programs)Expected output: You see a dashboard with available programs, each showing scope (URLs, app types), reward ranges, and program rules. Start with VDPs — they pay nothing but give experience and reputation.
Step 2: Reconnaissance — Finding Attack Surface
Reconnaissance is the most important phase. Spend 70% of your time here:
# Subdomain enumeration
subfinder -d target.com -o subdomains.txt
# DNS resolution
dnsx -l subdomains.txt -o resolved.txt
# Port scanning (top 1000)
naabu -list resolved.txt -o ports.txt
# HTTP service probing
httpx -l resolved.txt -o alive.txt
# Technology fingerprinting
wappalyzer-cli --input alive.txt
# Endpoint discovery with gau (get all URLs)
gau --subs target.com | grep -E '\.js$' > js_files.txt
# Hidden directory brute force
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txtExpected output: A list of live subdomains, open ports, web technologies used, JavaScript files (potential API endpoints), and hidden directories. This is your attack surface map.
Essential Recon Tools
| Tool | Purpose | Install |
|---|---|---|
| Subfinder | Subdomain enumeration | go install |
| Amass | In-depth subdomain discovery | go install |
| httpx | HTTP probe (alive check) | go install |
| gau | Get all URLs (Wayback, etc.) | go install |
| ffuf | Directory/parameter fuzzing | go install |
| Nuclei | Template-based scanning | go install |
Step 3: Common Vulnerability Types
IDOR (Insecure Direct Object Reference)
# Test: change the user ID in the URL
curl -I https://api.target.com/api/v1/users/1234
# Try with 1235, 1236...
# If you can access 1235's data without auth — IDORXSS (Cross-Site Scripting)
<!-- Payload test -->
<script>alert(document.domain)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>SQL Injection
# Classic test
curl 'https://target.com/product?id=1'
curl 'https://target.com/product?id=1''
curl 'https://target.com/product?id=1 OR 1=1'
curl 'https://target.com/product?id=1 AND 1=2'Open Redirect
curl -I 'https://target.com/redirect?url=https://evil.com'
# If response shows Location: https://evil.com — Open RedirectStep 4: Writing Professional Reports
A good report gets paid faster and has higher payout. Structure:
# Title: [Vulnerability Type] in [Endpoint] leading to [Impact]
## Summary
Brief description (1-2 sentences) of the vulnerability and its impact.
## Steps to Reproduce
1. Navigate to https://target.com/profile
2. Intercept the request with Burp Suite
3. Change the `user_id` parameter from `1234` to `1235`
4. Observe that user 1235's data is returned without authentication
## Impact
An attacker can access any user's personal information (name, email, address, phone) by enumerating user IDs.
## Technical Details
- **Endpoint**: GET /api/v1/users/{user_id}
- **Method**: GET
- **Authentication**: Required (but improperly enforced)
- **Parameter**: user_id (integer, sequential)
## Proof of Concept (PoC)GET /api/v1/users/1235 HTTP/1.1 Host: target.com Cookie: session=valid_session_token
Response includes 1235’s full profile data
## Remediation Suggestion
- Implement proper authorization checks on all API endpoints
- Use UUIDs instead of sequential integers for user IDs
- Apply rate limiting to prevent enumeration
## Attachments
[screenshot.png] — showing unauthorized access to user 1235's dataExpected output: A clear, reproducible report. Triagers can verify in seconds. High-quality reports average 25% higher bounties.
Step 5: Legal Considerations
# ALWAYS follow these rules
✅ **Allowed:**
- Testing only on in-scope targets
- Using test accounts when provided
- Reporting through official channels
- Stopping at proof-of-concept (no data exfiltration)
❌ **NOT Allowed:**
- Brute-forcing passwords (may crash auth systems)
- Testing on third-party infrastructure
- Social engineering of employees
- Storing/downloading actual user data
- Public disclosure without permission (30-90 day embargo)
⚠️ **Gray areas (check program rules):**
- Automated scanning without rate limiting
- Testing rate limits themselves
- Using acquired credentials from previous testsLegal note: Bug bounty programs are not a “license to hack.” You must stay strictly within scope. Going out of scope is still illegal under the Computer Fraud and Abuse Act (CFAA) in the US and similar laws globally. When in doubt, ask the program team.
Common Errors
1. Going out of scope
The most common mistake. A program lists *.target.com but you test admin.target.com thinking it’s separate — it’s in scope. But if you test target-cdn.com (different domain), that’s out of scope and potentially illegal.
2. Submitting duplicate reports Another researcher already found the vulnerability. Save time by: checking the program’s “Hacktivity” for recent reports, scanning for similar issues, and focusing on less obvious vulnerabilities.
3. Automation without understanding Running Nuclei with 1000 templates against a target generates noise and may crash the app. Manually validate every finding before reporting. Automated findings are almost always duplicates or false positives.
4. Poor report quality “XSS on /search page” with no steps, no PoC, and no impact assessment gets rejected or receives minimum bounty. Write every report as if the triager has never seen this vulnerability before.
5. Not negotiating Bounty amounts are often negotiable. If you found a critical vulnerability that would cost the company millions in breach costs, a $500 bounty might be worth discussing. Be professional and present the business impact.
Practice Questions
1. What is the difference between in-scope and out-of-scope testing? In-scope targets are explicitly listed in the program policy — you have permission to test these. Out-of-scope targets are anything not listed or explicitly excluded. Testing out-of-scope can result in account suspension, bounty forfeiture, or legal action.
2. Why is reconnaissance the most important phase? The bigger your attack surface map, the more vulnerabilities you can find. Knowing every subdomain, endpoint, technology stack, and JS file gives you a complete picture of what to test. Top hunters spend 70% of their time on recon.
3. What makes a good vulnerability report? Clear summary, exact replication steps, technical details (endpoint, method, parameters), proof of concept (screenshots or CURL commands), impact assessment, and remediation suggestions. The report should be verifiable in under 2 minutes.
4. How do bug bounty platforms protect researchers? Platforms provide a legal framework, mediation between researchers and companies, guaranteed payment (mediated), and anonymous disclosure options. They also maintain reputation scores so good researchers get prioritized.
5. Challenge: Set up a recon automation pipeline Create a bash script that takes a domain, runs Subfinder + httpx + gau + Nuclei, and outputs a clean report of findings with severity levels. Schedule it to run weekly.
FAQ
What’s Next
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro