How to start Bug Bounty Hunting $$$$ in 2024??

Image Source: Internet

TL;DR: This guide is tailored for complete beginners. Learn how to hunt down digital bugs, improve cybersecurity skills, and earn $$$$$ along the way!

• The majority of the assets are web. So it’s essential to learn web technology. It’ll help you to understand the game better & keep you ahead of the table. Learning languages like JS helps a lot. Once you know the basics of web (front-end, back-end, DB) flow, you can learn how to break it!
• Your machine is your weapon! Learn OS, Be a pro in CLI. It’s essential in your journey. Most of the kids in this era already knew this stuff. Still, it should be mentioned.
• Learn the basics: OWASP Top 10, CWE, CVE, CVD, 0day & their differences.
• Research & Learn more about CWEs & where they can be visible. For example, in CWE-79: Cross-site Scripting, you must investigate the corresponding bug, where it can be reproduced & why it occurs (root cause). Then, you can think as a developer (you learned at the beginning) how this is possible at the code level. Then, you will understand how to prevent this.
• Focus more on OWASP-TOP-10 vulnerabilities (Web, API, Android, whatever). And investigate the latest CVEs for those bugs. After doing this and familiarising yourself with the industry, you can slowly move on to practice.
• Skill Assessment: Sharpen your skills by doing Labs like Portswigger, PentesterLab, Secure Code, etc. Read the related blogs once you find it difficult to solve these challenges. Use a keyword and google it. Learn more & pwn the challenge later. Read Blogs and write-ups daily (it’ll only take a little time). Subscribe to bug bounty blogs.
• Watch videos of:

* LiveOverflow
* InsiderPhd
* Bug Bounty Reports Explained
* NahamSec
* Farah Hawa
* Rana Khalil
* John Hammond
* Ippsec
* rs0n_live
* Intigriti
* etc.

Their contents are outstanding.

• Learn more about Public, Private, & VDP BB Programs and understand how it works. You can start hunting from a less competitive environment (up to you); people always suggest beginning with VDP.
• Platforms for hunting bugs: https://www.trustradius.com/bug-bounty
• Apple, Meta, Google, etc. have their reporting end-points (don’t forget)
• How to escape from Duplicate: Build your methodology. You can learn from public resources & apply, but make some changes from what you learned from the public. It’ll take time; you must try harder & maintain the consistency to get to that level.
• Important: Don’t share your methodology; you can share the resources & knowledge (Sharing is caring, but spoon feeding isn’t. I hope you understand).
• Join discord & telegram channels (Bug Bounty/Infosec communities).
• Please don’t stay inside any “Toxic community” that kills your peace of mind; you don’t have to carry criticism of idiots & charlatans. Only stay inside the healthy circle and share the contents.

Let’s learn and grow together.

For more updates about Offensive-Security & Hacking, Follow me: 7h3h4ckv157