# Bug Bounty Hunting: Lessons from the Trenches **Author:** kelexine **Date:** 2025-12-04 **Category:** Security **Tags:** Security, Bug Bounty, Hacking, Web Security, Pentesting **URL:** https://kelexine.is-a.dev/blog/bug-bounty-lessons --- # The Hunt Begins Bug bounty hunting sounds glamorous: find bugs, get paid, work from anywhere. The reality? Mostly frustration, duplicate reports, and out-of-scope findings. But occasionally, you strike gold. Here's what years of hunting taught me. ## Getting Started (For Real) Forget the "complete guide to bug bounty" tutorials. Here's what actually matters: ### 1. Pick Your Platform - **HackerOne**: Largest, most programs - **Bugcrowd**: Good variety, solid community - **Synack**: Invite-only, higher payouts - **Direct programs**: Many companies run their own ### 2. Choose Your First Target ``` ✅ Good first targets: - Large scope (*.example.com) - Active program (fast response) - Old program (more attack surface) ❌ Avoid: - Programs with thousands of hackers - Very restricted scope - New programs (less attack surface) ``` ## The Methodology That Works ### Reconnaissance Is Everything ```bash # Subdomain enumeration subfinder -d target.com | httpx | tee subdomains.txt # Look for forgotten assets cat subdomains.txt | grep -E "(dev|staging|test|admin|internal)" # Port scanning the interesting ones nmap -sV -sC target.com -oA scan_results ``` ### Finding the Low-Hanging Fruit ```bash # Check for exposed files ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/common.txt # Look for: # - /robots.txt (often reveals hidden paths) # - /.git (source code exposure) # - /backup.zip, /db.sql (data leaks) # - /phpinfo.php (configuration disclosure) ``` ### JavaScript Analysis Modern apps hide secrets in JavaScript: ```bash # Extract JS files gau target.com | grep -E "\.js$" | sort -u > js_files.txt # Look for: # - API keys # - Hidden endpoints # - Debug functions # - Hardcoded credentials cat bundle.js | grep -E "(api_key|secret|password|token)" ``` ## Vulnerability Classes That Pay ### 1. IDOR (Insecure Direct Object Reference) The bread and butter of bug bounties: ```http # Try changing IDs in requests GET /api/users/12345/profile # Can you access user 12346? GET /api/users/12346/profile # Try different formats /api/users/12345 /api/users/00012345 /api/users/12345.json ``` ### 2. Authentication Bypass ```python # Test password reset flows # - Request reset for victim # - Check if token is predictable # - Check if token works for any user # - Check rate limiting # Test session management # - Do sessions invalidate on password change? # - Can you use old session tokens? # - Is there session fixation? ``` ### 3. Information Disclosure ```bash # Check error messages # Trigger errors and see what leaks curl "https://target.com/api?id='" # GraphQL introspection {__schema{types{name,fields{name}}}} # Check response headers curl -I https://target.com # X-Powered-By, Server versions = footprinting ``` ### 4. Race Conditions ```python import threading import requests def withdraw(): requests.post("https://target.com/api/withdraw", data={"amount": 100}) # Fire multiple requests simultaneously threads = [threading.Thread(target=withdraw) for _ in range(100)] [t.start() for t in threads] [t.join() for t in threads] # Check: Did you withdraw more than your balance? ``` ## Writing Reports That Get Paid Your report is as important as the bug. Template: ```markdown ## Title [Vulnerability Type] in [Feature] allows [Impact] ## Summary One paragraph describing the issue. ## Steps to Reproduce 1. Login as normal user 2. Navigate to /settings 3. Intercept the request 4. Change user_id parameter 5. Observe access to other user's data ## Impact Attacker can access any user's private data including [list data types]. ## Proof of Concept [Screenshot or video] [Request/Response snippets] ## Remediation Implement proper authorization checks on the user_id parameter. ``` ## The Psychology of Hunting ### Dealing with Duplicates You will get duplicates. A lot. It hurts less if you: - Focus on less-tested programs - Hunt for complex bugs (chains, logic flaws) - Document everything for personal learning ### Avoiding Burnout ``` - Set time limits (2-3 hours per session) - Take breaks after rejections - Switch programs when stuck - Build automation to reduce tedium ``` ### Building Your Reputation - Write detailed reports (even for N/A) - Be professional in all communication - Share knowledge (write-ups, after fixes) - Help others in the community ## The Money Reality | Bug Class | Typical Bounty | |-----------|----------------| | RCE | $10,000 - $100,000+ | | SQL Injection | $5,000 - $25,000 | | Authentication Bypass | $2,000 - $15,000 | | IDOR | $500 - $5,000 | | XSS | $100 - $2,000 | | Info Disclosure | $100 - $500 | But remember: these are lottery wins. Most hunters earn far less consistently. ## My Toolkit ```bash # Recon subfinder, amass, httpx, nmap, masscan # Content Discovery ffuf, gobuster, feroxbuster # Exploitation Burp Suite, sqlmap, XSStrike # Automation Custom Python scripts, nuclei ``` ## Lessons Learned 1. **Patience pays**: The best bugs take time to find 2. **Read the scope**: Out-of-scope = wasted effort 3. **Document everything**: For reports and learning 4. **Automate the boring stuff**: But verify manually 5. **Join communities**: Learn from others' wins ## Conclusion Bug bounty isn't a get-rich-quick scheme. It's a skill that takes years to develop. But if you love security, enjoy the hunt, and can handle rejection, it's incredibly rewarding. Every rejected report is a lesson. Every duplicate is proof you're looking in the right places. Keep hunting. --- **Resources**: - [PortSwigger Web Security Academy](https://portswigger.net/web-security) - [HackerOne Hacktivity](https://hackerone.com/hacktivity) - [Nahamsec's Resources](https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters) --- *This content is available at [kelexine.is-a.dev/blog/bug-bounty-lessons](https://kelexine.is-a.dev/blog/bug-bounty-lessons)*