Bug Hunting Recon: Finding acquisitions of target

Hey there👋,

whoami?

I’m a Computer Science and Engineering graduate, a bug bounty hunter, and an ethical hacker with a deep passion for cybersecurity. But above all, I’m a lifelong learner — a curious mind who loves breaking down complex concepts into simple, digestible bits. 🧩✨

Join me on this exciting journey as I share my experiences, insights, and discoveries in the world of ethical hacking and cybersecurity. I’ll be posting my entire learning process right here, so if you enjoy my articles, don’t forget to drop a thumbs up 👍 and share — let’s learn and grow together! 🚀🔐

So, As we all do the first thing with our target.com is to check what technologies the target is running on? and try to find readily exploitable cves right? Everyone has a different approach of recon But I am writing these articles considering beginner’s perspective or someone who entered bug hunting recently. So without wasting any further time lets get started,

Step 1: Finding the scope of your target

Find the scope of your target.com Read the full policy if your target is a vdp or a public program or your target is on a platform, If “All assets and products are inscope” such thing is written, then You have found a best target to hunt that defines all the acquisitions of the target are in scope.

How to find acquisitions?

There are certain methods to find acquisitions of the target.com

Method 1: Using Reverse whois

First check whois records of your target using: whois.domaintools.comFor example, starbucks is my target whois starbucks.com and look for parameter registrant email.Sometimes this website shows “redacted” then use Linux terminal whois toolRegistrant email of starbucks

4. After successfully finding the email Lets get to the main part

5. Use a reverse whois service My favourite: reverse.whoisxmlapi.com

6. Paste the registrant email of target You’ll get a option to download csv file containing all the acquisitions of target registered with same email.

Method 2: Using Company profiler

I use crunchbasePaste your target name in search bar and check for acquisitionsStarbucks crunchbase profile

Method 3: Using wikipedia

Finding acquisitions using wikipedia is simpleSearch on google “starbucks acquisitions wiki”Tip: Dont expect you’ll always get a list of mergers table for every target you have to read the history for example here,Wiki acquisitions

4. Enumerate which acquisitions are running a active web service.

Method 4: Using trademark

Lastly You can find acquisitions using trademark of targetWhat is trademark?You all must have noticed “powered by xxxx” || “all rights reserved to xxx” thats trademark most of the target’s trademark is at the end of their web application index page you will need to scroll down.Trademark of target

4. Create a fancy google dork to find all the websites using the same trademark

site: *.com “trademark of company”

These are all the methods to find acquisitions of the target before directly diving into finding acquisitions of target make sure your target accepts bugs from acquisitions.

That’s all for today:)