How to find 1st bug for beginner bounty hunters (from personal experience)

Like the hacking culture, heard and know about bug bounties.Amazed that top hackers are making quite a lot of money and really curious.Interested in bug bounties but not really quite sure if it’s worth the dive.Not really sure where to start or which way to go.Looking for good content that will actually help with progression of bug bounties.

My personal experience

Currently in 2022, I am not a top bug bounty hunter, and I am definitely not saying that the resources I recommend are going to make you a hacker millionaire.

The point of this post is to give you some good resources that might make the bug bounty journey easier. Especially for people starting with little IT experience, it can be very intimidating. These are resources that I would recommend to my past self.

Who it’s not for

More emphasis on secureness with a normal job.Just expecting to make quick money fast with little effort (unless you have decades of IT experience or a genius, and if you think yourself as a genius, most likely not).Expecting to become super rich fast.Not that interested in hacking systems, more interested in social interactions.

Of course, you can still do bug bounties as a side gig but probably not going to become a rich hacker any time soon unless really efficient with time management.

Who it is for

If you really like the hacking culture, for example watch a lot of hacking related entertainment etc.Mainly like solitude (definitely not like marketing where tons of social interactions on SNS).Curious and like asking questions to Google or other search engines.Like challenges and novelty.Worried about the really unstable future and want a powerful skill that can essentially help you to survive pretty much anything or anywhere.Don’t really have much to lose focusing on bug bounties.Long term investment mindset.Want to increase earnings exponentially and become rich long-term.Really value FREEDOM over most other things.

Side note, people with forms of ADHD seem to do better in this field.

Survivorship bias

You don’t hear about the ones who gave up, also most people who think they won’t make it won’t start bug bounties in the first place so… Getting discouraged when not being able to find a bug is a mistake, but also not expecting too much is important too.

An actual security vulnerability in a web application. A monetary reward is preferable but Vulnerability Disclosure Programs can earn you points which can lead to more private invites, which have less competitors.

My personal opinion, strategizing is very important in bug bounties. Just randomly using tools could help you find some low severity bugs but for long term, not gonna get you very far.

Motivation for money is good. Current strategic timing in 2022, Intigriti is a good platform to focus on. The overall support for beginner hunters is good too. HackerOne is the biggest platform but if there’s too much competition, going to lose motivation quickly.

Every target is unique. Pick a target that’s not too limited with the scope of assets. A target that you regularly use as a service and are interested in is good too.

By deciding a good program to hack on first, more motivation to learn. Also more likely to study and focus on relevant things to earn money as bug hunter.

Nowadays, a lot of information online so might be confusing where to start.

Long term mindset

How long will it take? I think it just varies so much between people that really no point comparing too much… Having a specific goal helps but probably better to focus more on how you’re using your time.

I personally don’t recommend comparing to other people all the time (I barely look at SNS). Everybody’s level/situation/etc is just too different. If you really like comparing with other people for motivation that’s great but I think it leads more to lack of motivation when hear about top hackers making so much money, especially when just starting out hunting.

Search engine first mindset

Many people tend to ask people on social media but that is a bad start. I guess humans grow up with lots of social interactions in school so they might think the best way is to ask people on SNS. But most humans are biased/have outdated information/just overall not likely to have good information for you personally. People on Twitter are just posting spontaneous thoughts which are not likely to help you long term. Overall SNS is just a lot of random information and unless you’re at the level of being able to filter out the good from the bad, going to get confused.

On the other hand, a good search engine can help you a lot. It does take some skill to actually use Google in an effective way but that’s for more advanced hunters. When just starting out as beginner, simple Google searches can help you a lot. Get in the habit of searching for things that you don’t know or understand. Taking screenshots and notes can help to retain information a bit better in the brain too.

Currently, Google is the world’s top machine learning powered search engine in the world and if you have a question to ask, you’ll pretty much get a good answer from it. A lot more reliable than just some random internet stranger. Yes, it’s the humans that are writing the answers in the articles but it is Google that is sorting and filtering the good quality information for you.

Investment mindset

Anything “free” is pretty much only worth that value.

Meaning if really want to differentiate between other bug hunters, investing some money into good resources is important. Don’t have to buy the most expensive and incredible computer on Earth but invest a bit with education.

The whole point of bug bounties is to find security vulnerabilities that scanners/pentesters/other bug hunters have missed. So just buying scanner tools or doing basic testing is not gonna get you very far.

Nahamsec resources

I definitely recommend starting with Nahamsec’s GitHub resources. Nahamsec is an educator at HackerOne, mainly focused on bug bounty materials that really help. I wish I knew about his resources more early on.

Udemy

If you don’t have much of an IT background, I personally recommend good Udemy courses.

Lots of resources on YouTube but things are all over the place. Also lots of articles on hacking but when first starting out, probably very hard to visualize what’s going on with just text.

Bad sides of Udemy

A few courses is not enough to do well in bug bounties.Review algorithm can be a bit misleading.Quality does differ between teachers.

Good sides of Udemy

Global leader as a teaching platform.Best teachers in the world, can check with reviews.Discounts about once a month (not really worth buying at full price).Videos easier to understand and visualize.Content is organized so easier to learn.

I recommend good Linux OS courses first. Understanding and being able to use Linux does help a lot in the bug bounty journey.

PortSwigger Labs

Free good labs to practice on, able to understand the basics.

PentesterLab

Some free labs but mostly have to pay subscription, but good practice. Updated quite often.

A lot of good bug bounty resources nowadays but definitely don’t expect to become rich just by practicing labs. A lot of good resources also means a lot of competition too. So should always think “how can I differentiate myself against other bug hunting competitors”. Bug bounty is hard and requires quite some effort.