Bug Bounty resources

Bug bounties look fancy after reading all those public reports and POCs. Most people think it is the easiest part-time job in the world, but this is not true. Like most jobs out there, it requires hard work, dedication, creativity and lots of patience.

I started my infosec journey back in my summer break of 2012 (July), got a Microsoft acknowledgment (my first acknowledgment) in December 2012, and my first bounty came from Asana in September 2013.


There were fewer public programs back then; now there are 1000+ public programs and huge worldwide competition. It might be frustrating for a novice, but with creativity and patience it can be done. I get almost 4-5 messages on my social accounts on “How to get started”, so here is a list of resources that can be helpful.

Prerequisites:

You should have a basic understanding of how the web and browsers work, knowledge of one web scripting language (JS/PHP, or any programming language with a web framework) and, of course, “common sense”.

Books:

The Web Application Hacker’s Handbook, second edition [Amazon India Link]: This book is recommended by everyone in the security community. Written by the creator of Burp Suite, it has lots of hands-on material and covers almost everything related to web security. This book alone is more than enough to get started.

Tools:

Burp suite: https://portswigger.net/burp/download.html [Browser proxy]

Tamper Data: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/ [In-browser proxy for Mozilla Firefox]

Your Terminal and Google

Your Playground:

You can find 100+ bug bounty programs on these sites.

Hackerone: https://hackerone.com

BugCrowd: https://bugcrowd.com/

Cobalt: https://cobalt.io/

Synack: https://www.synack.com/

Blogs to follow:

Since bug bounty hunting is very crowded and competitive, reading others’ blogs can give you ideas about new techniques. Some recommended blogs are listed here.

Jack’s blog: https://whitton.io/articles/bug-bounties-101-getting-started/

Egor Homakov: http://homakov.blogspot.in/ [though the blog has moved to http://sakurity.com/blog, the old one still has great posts]

Detectify labs: https://labs.detectify.com/

These are some of the best blogs to start with. Alongside these, keep an eye on HackerOne’s activity and follow security researchers on Twitter to stay updated with their new hacks.

Note: Blog posts are more helpful to people who are already aware of basic security concepts.

Final thought: Most of the resources out there are for in-depth web application testing (pen-testing), but bug bounty hunting is different.

Feel free to reach out on my Twitter if you have any suggestions or questions.

Manish