Bug bounties look fancy after reading all those public reports and POCs. Most people think of it as the easiest part-time job in the world, but this is not true. Like most jobs out there, it requires hard work, dedication, creativity and lots of patience.
I started my infosec journey back in my summer break of 2012 (July), got a Microsoft acknowledgement (my first acknowledgement) in December 2012, and my first bounty came from Asana in September 2013.
There were fewer public programs back then; now we have almost 1000+ public programs with huge worldwide competition. It might be frustrating for a novice, but with creativity and patience it can be done. I get almost 4-5 messages on my social accounts asking "How to get started", so here is a list of resources that can be helpful.
You should have a basic understanding of how the web and browsers work, knowledge of one web scripting language (JS/PHP, or any programming language with a web framework) and, of course, common sense.
The Web Application Hacker's Handbook, second edition [Amazon India Link]: The book is recommended by everyone in the security community. Written by the Burp Suite creator, it has lots of hands-on material and covers almost everything related to web security. This book alone is more than enough to get started.
Burp Suite: https://portswigger.net/burp/download.html [Browser proxy]
Tamper Data: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/ [In-browser proxy add-on for Mozilla Firefox]
Your Terminal and Google
You can find 100+ bug bounty programs on these sites.
Blogs to follow:
Since bug bounty is very crowded and competitive, reading others' blogs can give you ideas about new techniques. Some of the recommended blogs are listed here.
Egor Homakov: http://homakov.blogspot.in/ [the blog has since moved to http://sakurity.com/blog, but the old one still has great posts]
Detectify Labs: https://labs.detectify.com/
These are some of the best blogs to start with. Along with this, keep an eye on HackerOne's Hacktivity and follow security researchers on Twitter to stay updated with their new hacks.
Note: Blog posts are more helpful to people who already know the security basics.
Final thought: Most of the resources out there are for in-depth web application testing (pentesting), but bug bounty is a bit different.
If you want a bug bounty e-book, you can drop your email below. If I get 1000 emails on my list, you'll get the e-book for $15 ($20 for other people).
Visit the following link http://eepurl.com/b_9iDL and enter your email. I’ll update you when the book is ready.
Feel free to reach out on my Twitter if you have any suggestions or questions.