Bug Bounty Guide

Introduction

Bug bounty programs invite security researchers to find and report vulnerabilities in exchange for monetary rewards or acknowledgment. They represent a paradigm shift from traditional security testing — continuous, crowd-sourced, and performance-based. Success requires methodical technique, clear communication, and platform-specific knowledge.

Finding Vulnerabilities

Reconnaissance-Driven Approach

Successful bug bounty hunters invest heavily in reconnaissance. The more you know about a target, the more attack surface you can discover.

Subdomain enumeration pipeline

subfinder -d target.com -silent | tee subs_raw.txt

assetfinder --subs-only target.com | tee -a subs_raw.txt

Deduplicate and validate

cat subs_raw.txt | sort -u | httprobe -c 50 > live_subs.txt

Technology fingerprinting on discovered subdomains

cat live_subs.txt | httpx -sc -title -tech-detect -o tech_report.txt

Directory brute-forcing

ffuf -u https://admin.target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt \

-ac -t 100 -o admin_fuzz.json

Attack-Specific Techniques

Automated XSS discovery

import requests

from urllib.parse import urljoin, urlparse, parse_qs

def hunt_xss(base_url):

payloads = [

'',

'">',

'javascript:alert(1)',

'">',

'{{constructor.constructor("alert(1)")()}}', # SSTI-based XSS

]

Extract all forms

response = requests.get(base_url)

Parse and find all forms, inputs

for endpoint in discover_endpoints(base_url):

params = extract_params(endpoint)

for param in params:

for payload in payloads:

test_url = endpoint.replace(

f'{param}={params[param]}',

f'{param}={urlencode(payload)}'

)

resp = requests.get(test_url)

if payload in resp.text and not resp.text.count('"') > 3:

Check if payload rendered unescaped

print(f"[+] XSS found: {test_url}")

IDOR detection with autorize (Burp extension)

1\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\. Record authenticated session cookies

2\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\. Enable Autorize with victim cookie

3\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\. Browse application as victim user

4\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\. Monitor BApp output for unauthorized access

GraphQL introspection for API discovery

curl -X POST https://api.target.com/graphql \

-H "Content-Type: application/json" \

-d '{"query":"query { __schema { types { name fields { name } } } }"}'

Writing Effective Reports

A clear, well-structured report increases the likelihood of acceptance and higher bounties.

report_template:

title: "Stored XSS in User Profile Bio Field"

vulnerability_type: "Stored Cross-Site Scripting (XSS)"

severity: "High"

cvss: "7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)"

summary: >

The user profile bio field does not sanitize HTML input,

allowing an attacker to inject JavaScript that executes when

other users view the profile.

steps_to_reproduce:

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\- step: 1

action: "Log in as attacker user"

detail: "Create account at https://app.target.com/register"

action: "Navigate to profile settings"

detail: "https://app.target.com/settings/profile"

action: "Set bio to: "

action: "Save profile and navigate to public profile"

detail: "https://app.target.com/users/attacker"

action: "Observe JavaScript execution"

detail: "alert box displays current user's cookies"

impact: >

An attacker can steal session cookies, exfiltrate CSRF tokens,

perform actions on behalf of other users, or deface profiles.

remediation_suggestion: >

Apply context-sensitive output encoding to the bio field.

Use a DOMPurify-style sanitizer on input and properly escape

on output using the template engine's auto-escaping.

supporting_evidence:

file: "xss_bio_alert.png"

caption: "Alert box showing cookies on profile view"

file: "xss_exploit.html"

Platform Tips

HackerOne

Start with the hackerone.com/security page for each target
Use the disclosure timeline feature for managed programs
Leverage the hackerone.com/trending for current attack patterns
Build reputation through quality reports, not volume

Bugcrowd

Complete priority rating correctly (P1-P5 based on CVSS)
Use the built-in POC video recording for complex vulnerabilities
Engage in VRT (Vulnerability Rating Taxonomy) disputes professionally

Conclusion

Bug bounty hunting combines technical skill, persistence, and communication. Invest heavily in recon, develop methodical testing approaches, write clear reports with reproducible steps, and understand each platform's nuances. Quality always outperforms quantity — one critical bug well reported is worth more than dozens of duplicates.