Hello Folks 👋, this is my first blog post, where I will show you a secret path that can lead you to success in bug bounty on HackerOne. After that, you're on your own!
This post is for those who think bug bounty on HackerOne is no longer easy for them nowadays. So let me show you the reality.
Learning -> Find VDP -> Never Giveup -> Get more than 500 Reputation -> New Program Invitation -> Hack on New programs -> Celebrate -> Upgrade Yourself
“If you always do what interests you, at least one person is pleased” - Katharine Hepburn
Requirements are the basic things you need to start. Follow these:-
Basic knowledge of bug bounty (Google everything)
Learn how to use Burp Suite from YouTube (learn only these features:- Proxy, Intruder, Repeater)
Focus on Learning not Earning
Now, this is the important part, where you have to spend more time learning and exploring new things on the internet. It's the most important part because most people give up here, since they have other interests too. If you are that type of person, then please don't waste your time in this field; follow your passion, not money. Before starting, think of yourself as a great hacker on his way to hack the world. For learning, follow these:-
Learn these vulnerabilities:- XSS, IDOR, Open redirect, Information disclosure, from PortSwigger or any other website.
Do some labs online and easy CTFs on the H1 CTF: https://ctf.hacker101.com/
Read these books:- Zseano's Methodology, The Tangled Web: A Guide to Securing Modern Web Applications, The Browser Hacker's Handbook. You can get the PDFs online, but don't spend too much time on these, because you will learn more from practice than from books.
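Open redirect is one of the vulnerabilities listed above, and the lab material usually focuses on why naive fixes fail. The script below is an added example written for this post, not code from the original article or from any of the books named; it contrasts a string-prefix check (the kind of "fix" that is still bypassable) with a validator that parses the URL and compares the resolved hostname. The allowed host `example.com` and the sample inputs are constructed for the demonstration.

```python
from urllib.parse import urljoin, urlparse

# Constructed sample: the only host this application is allowed to redirect to.
ALLOWED_HOST = "example.com"
BASE_URL = "https://example.com/"


def naive_is_safe(target: str) -> bool:
    """Typical broken fix: accept anything that starts with '/' or with our origin.

    Still vulnerable, because the check is done on the raw string:
      //evil.com/x                 -> scheme-relative URL, browser goes to evil.com
      https://example.com.evil.com -> different host that merely shares a prefix
      https://example.com@evil.com -> 'example.com' is the userinfo, host is evil.com
    """
    return target.startswith("/") or target.startswith("https://example.com")


def is_safe_redirect(target: str) -> bool:
    """Hardened check: resolve the target against our base URL and compare hosts."""
    # Browsers normalise backslashes to forward slashes, so "/\\evil.com" behaves
    # like "//evil.com"; reject it outright rather than trying to normalise.
    if "\\" in target:
        return False

    # Resolve relative paths ("/account") and scheme-relative ("//evil.com")
    # forms into an absolute URL before inspecting it.
    resolved = urlparse(urljoin(BASE_URL, target))

    # Reject javascript:, data: and anything else that is not plain web navigation.
    if resolved.scheme not in ("http", "https"):
        return False

    # .hostname strips userinfo and port, so "https://example.com@evil.com"
    # yields "evil.com" and is correctly rejected.
    return resolved.hostname == ALLOWED_HOST


def compare(targets):
    """Return (target, naive verdict, hardened verdict) for each input; useful for
    showing learners exactly which payloads slip past the prefix check."""
    return [(t, naive_is_safe(t), is_safe_redirect(t)) for t in targets]


if __name__ == "__main__":
    samples = [
        "/account",
        "https://example.com/login",
        "//evil.com/x",
        "https://example.com.evil.com/",
        "https://example.com@evil.com/",
        "/\\evil.com",
        "javascript:alert(1)",
    ]
    for target, naive, hardened in compare(samples):
        print(f"{target!r:36} naive={naive!s:5} hardened={hardened}")
```

The important design choice is to validate the parsed, resolved URL rather than the raw string: every bypass in the sample list is accepted by `naive_is_safe` and rejected by `is_safe_redirect`, which is the difference between a report that gets closed as "not reproducible" after a bad patch and one that is actually fixed.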
“Focus is everything!”
After spending many days learning, you might have gained some real hacking knowledge. Now it's time to pick a program on HackerOne. You might have these questions before picking a program:-
Which program to hack as a beginner? - Hack on VDPs, because only beginners are hacking on VDPs. Examples - US Department of Defense, Sony, IBM, etc.
Is it possible to find basic bugs on VDPs? - Yes, you can still find many basic bugs like information disclosure on popular VDPs. You just need to find new domains and subdomains with the help of recon.
How much time should I spend on one endpoint? - If there are not many features on the web application, give it a few days; otherwise spend at least a few weeks.
I would recommend these VDP programs:-
US Department of Defense - https://hackerone.com/deptofdefense (Unlimited scope, no strict policy, it's a reputation mining platform, easy to find bugs)
Sony - https://hackerone.com/sony (Unlimited scope, no strict policy, easy to find bugs)
IBM - https://hackerone.com/ibm?type=team (Large scope but not that big, no strict policy, many features on the web applications)
Chargepoint - https://hackerone.com/chargepoint?type=team (Large scope, decent program policy, few features)
Jimdo - https://hackerone.com/jimdo?type=team (Good scope, decent program policy, many features)
Keep an eye on https://hackerone.com/directory/programs for new programs.
Find some bugs on VDPs and don't stop until you reach more than 500 reputation. In the beginning it might take time, but after 2-3 months you can reach above 500 reputation easily with VDPs. I have seen many bugs on the recommended VDP programs. You can try those and build a good reputation. Once you get more than 500 reputation, you will receive a few new program invitations. They can be BBP or VDP, so you can hunt on those programs and enjoy.
Get inspired by other hackers by observing their methodology. When you are hacking, you will create your own methodology, and you might discover new bugs. You can subscribe to the Intigriti newsletter and check HackerOne Hacktivity daily to see other hackers' disclosed reports. Check these as well:-
You can join our Discord server to contact me personally for any help in bug hunting or related to the crypto market. Thank you for reading this. Happy hunting.