Bug Bounty Guide


Introduction

Bug bounty programs invite security researchers to find and report vulnerabilities in exchange for monetary rewards or acknowledgment. They represent a paradigm shift from traditional security testing — continuous, crowd-sourced, and performance-based. Success requires methodical technique, clear communication, and platform-specific knowledge.

Finding Vulnerabilities

Reconnaissance-Driven Approach

Successful bug bounty hunters invest heavily in reconnaissance. The more you know about a target, the more attack surface you can discover.




```bash
# Subdomain enumeration pipeline
subfinder -d target.com -silent | tee subs_raw.txt
assetfinder --subs-only target.com | tee -a subs_raw.txt

# Deduplicate and validate
sort -u subs_raw.txt | httprobe -c 50 > live_subs.txt

# Technology fingerprinting on discovered subdomains
cat live_subs.txt | httpx -sc -title -tech-detect -o tech_report.txt

# Directory brute-forcing
ffuf -u https://admin.target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt \
     -ac -t 100 -o admin_fuzz.json
```
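Every host the pipeline produces should be checked against the program's published scope before a single request is sent to it; out-of-scope testing is the fastest way to lose a program. The helper below is an added example, not part of the original guide, that filters a discovered host list against wildcard in-scope entries and explicit exclusions. The host list and scope rules are constructed for illustration; the wildcard semantics (a `*.` entry covers subdomains only, never the apex) are an assumption that should be checked against each program's policy.

```python
from typing import Iterable, List

# Constructed sample: what subs_raw.txt / live_subs.txt might contain after the pipeline
SAMPLE_HOSTS = [
    "api.target.com",
    "https://admin.target.com",     # httprobe-style line with a scheme
    "staging.target.com",
    "API.target.com.",              # mixed case, trailing dot
    "target.com",
    "legacy.partner-target.com",    # looks similar, different registrable domain
    "mail.corp.target.com",
]
# Constructed scope, in the shape programs usually publish it
IN_SCOPE = ["*.target.com", "target.com"]
OUT_OF_SCOPE = ["*.corp.target.com", "staging.target.com"]


def normalise_host(raw: str) -> str:
    """Strip scheme, path, case and trailing dot so matching is on the bare host."""
    host = raw.strip().lower()
    host = host.split("://", 1)[-1].split("/", 1)[0]
    return host.rstrip(".")


def host_matches(host: str, pattern: str) -> bool:
    """Match a bare host against one scope entry.

    Assumption: '*.example.com' covers any depth of subdomain but not the apex,
    and matching is on label boundaries, so 'evil-example.com' never matches.
    """
    host = normalise_host(host)
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith("." + pattern[2:])
    return host == pattern


def filter_in_scope(hosts: Iterable[str], in_scope: Iterable[str],
                    out_of_scope: Iterable[str] = ()) -> List[str]:
    """Keep hosts that match an in-scope entry and no out-of-scope entry, deduplicated."""
    in_scope = list(in_scope)
    out_of_scope = list(out_of_scope)
    kept = set()
    for raw in hosts:
        host = normalise_host(raw)
        if not host:
            continue
        allowed = any(host_matches(host, p) for p in in_scope)
        excluded = any(host_matches(host, p) for p in out_of_scope)
        if allowed and not excluded:
            kept.add(host)
    return sorted(kept)


if __name__ == "__main__":
    for host in filter_in_scope(SAMPLE_HOSTS, IN_SCOPE, OUT_OF_SCOPE):
        print(host)
```

Feeding `live_subs.txt` through `filter_in_scope` before the fingerprinting and fuzzing steps keeps the noisy stages of the pipeline inside the program's rules; exclusions are checked after inclusions so a specific carve-out always wins over a broad wildcard.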





Attack-Specific Techniques




```python
# Automated XSS discovery
import re
import requests
from urllib.parse import urljoin, urlparse, parse_qs, quote


def discover_endpoints(base_url):
    """Extract same-origin links that carry a query string from the start page."""
    page = requests.get(base_url, timeout=10)
    origin = urlparse(base_url).netloc
    endpoints = set()
    for href in re.findall(r'href=["\']([^"\']+)', page.text):
        url = urljoin(base_url, href)
        if urlparse(url).netloc == origin and urlparse(url).query:
            endpoints.add(url)
    return sorted(endpoints)


def extract_params(endpoint):
    """Map each query parameter of the endpoint to its first value."""
    return {k: v[0] for k, v in parse_qs(urlparse(endpoint).query).items()}


def hunt_xss(base_url):
    payloads = [
        '',
        '">',
        'javascript:alert(1)',
        '">',
        '{{constructor.constructor("alert(1)")()}}',  # SSTI-based XSS
    ]

    for endpoint in discover_endpoints(base_url):
        params = extract_params(endpoint)
        for param in params:
            for payload in payloads:
                # Substitute the original value with the URL-encoded payload
                test_url = endpoint.replace(
                    f'{param}={params[param]}',
                    f'{param}={quote(payload, safe="")}'
                )
                resp = requests.get(test_url, timeout=10)
                # Heuristic: payload reflected verbatim, i.e. not entity-encoded
                if payload in resp.text and not resp.text.count('"') > 3:
                    print(f"[+] XSS found: {test_url}")
```








IDOR detection with Autorize (Burp extension):

1. Record authenticated session cookies
2. Enable Autorize with the victim cookie
3. Browse the application as the victim user
4. Monitor the BApp output for unauthorized access




```bash
# GraphQL introspection for API discovery
curl -X POST https://api.target.com/graphql \
     -H "Content-Type: application/json" \
     -d '{"query":"query { __schema { types { name fields { name } } } }"}'
```





Writing Effective Reports

A clear, well-structured report increases the likelihood of acceptance and higher bounties.




```yaml
report_template:
  title: "Stored XSS in User Profile Bio Field"

  vulnerability_type: "Stored Cross-Site Scripting (XSS)"
  severity: "High"
  cvss: "7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)"

  summary: >
    The user profile bio field does not sanitize HTML input,
    allowing an attacker to inject JavaScript that executes when
    other users view the profile.

  steps_to_reproduce:
    - step: 1
      action: "Log in as attacker user"
      detail: "Create account at https://app.target.com/register"

    - step: 2
      action: "Navigate to profile settings"
      detail: "https://app.target.com/settings/profile"

    - step: 3
      action: "Set bio to: "

    - step: 4
      action: "Save profile and navigate to public profile"
      detail: "https://app.target.com/users/attacker"

    - step: 5
      action: "Observe JavaScript execution"
      detail: "alert box displays current user's cookies"

  impact: >
    An attacker can steal session cookies, exfiltrate CSRF tokens,
    perform actions on behalf of other users, or deface profiles.

  remediation_suggestion: >
    Apply context-sensitive output encoding to the bio field.
    Use a DOMPurify-style sanitizer on input and properly escape
    on output using the template engine's auto-escaping.

  supporting_evidence:
    - type: "screenshot"
      file: "xss_bio_alert.png"
      caption: "Alert box showing cookies on profile view"

    - type: "poc_script"
      file: "xss_exploit.html"
```
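A remediation section lands better when it shows what "context-sensitive output encoding" means concretely, because the fix differs by the context the value is written into. The snippet below is an added example, not part of the original guide or any real application: the unsafe renderer reproduces the concatenation pattern behind a stored-XSS bio field, and the safe renderer escapes the same values for HTML text, HTML attribute and JavaScript-string contexts using only the standard library. The usernames and bio text are constructed test data, and the inline `<script>` block is assumed purely to show the third context.

```python
import html
import json

# Constructed bio containing active markup, the textbook stored-XSS test string
SAMPLE_BIO = '<script>alert(1)</script> I "love" <b>security</b>'


def render_profile_unsafe(username: str, bio: str) -> str:
    """The pattern behind the report: untrusted input concatenated straight into HTML."""
    return f'<div class="profile" data-user="{username}"><p>{bio}</p></div>'


def render_profile_safe(username: str, bio: str) -> str:
    """Encode each value for the context it lands in.

    Template engines with auto-escaping (Jinja2, Django templates, React JSX)
    perform the HTML text and attribute steps automatically; the JavaScript
    string context still has to be handled explicitly.
    """
    # HTML attribute context: quotes must be encoded as well as < > &
    attr = html.escape(username, quote=True)
    # HTML text context: < > & are what matter; quote=True is harmless here
    text = html.escape(bio, quote=True)
    # JavaScript string context: JSON-encode (ensure_ascii also escapes U+2028/9)
    # and break any '</' so the literal cannot terminate the enclosing <script>
    js_literal = json.dumps(bio).replace("</", "<\\/")
    return (
        f'<div class="profile" data-user="{attr}"><p>{text}</p></div>'
        f'<script>var bio = {js_literal};</script>'
    )


def reached_output_raw(rendered: str, untrusted: str) -> bool:
    """Check whether an untrusted value reached the output with its markup intact."""
    return untrusted in rendered


if __name__ == "__main__":
    print(render_profile_unsafe("alice", SAMPLE_BIO))
    print(render_profile_safe("alice", SAMPLE_BIO))
```

`reached_output_raw` is the same check a regression test would make after the fix: submit a marker string through the bio field, fetch the public profile, and fail the build if the marker comes back unencoded.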





Platform Tips

HackerOne

* Start with the `hackerone.com/security` page for each target

* Use the disclosure timeline feature for managed programs

* Leverage `hackerone.com/trending` for current attack patterns

* Build reputation through quality reports, not volume


Bugcrowd

* Complete priority rating correctly (P1-P5 based on CVSS)

* Use the built-in POC video recording for complex vulnerabilities

* Engage in VRT (Vulnerability Rating Taxonomy) disputes professionally


Conclusion

Bug bounty hunting combines technical skill, persistence, and communication. Invest heavily in recon, develop methodical testing approaches, write clear reports with reproducible steps, and understand each platform's nuances. Quality always outperforms quantity — one critical bug well reported is worth more than dozens of duplicates.