A complete guide to start earning money through bug bounty hunting.
Table of Contents
- What is Bug Bounty?
- Prerequisites
- Setting Up Your Environment
- Learning Path
- Choosing a Platform
- Finding Your First Bug
- Writing a Good Report
- Common Vulnerability Types
- Tools
- Tips for Success
- Resources
What is Bug Bounty?
Bug bounty programs reward security researchers for finding and responsibly reporting vulnerabilities in software, websites, and applications. Companies pay anywhere from $50 to $2,000,000+ depending on the severity of the bug.
Earnings Potential
| Level | Monthly earnings | Experience |
|---|---|---|
| Beginner | $0-500 | 0-12 months |
| Intermediate | $2,000-5,000 | 1-2 years |
| Advanced | $8,000-15,000 | 2-3 years |
| Elite | $20,000+ | 3+ years |
Prerequisites
Required Knowledge
- Basic understanding of how the web works (HTTP, DNS, cookies, sessions)
- HTML, CSS, JavaScript fundamentals
- Basic programming (Python recommended)
- Linux command line basics
- Networking fundamentals (TCP/IP, ports, protocols)
Mindset
- Patience (most hunters quit in the first 6 months)
- Curiosity and persistence
- Willingness to learn continuously
- Ethical behavior (never test without permission)
Setting Up Your Environment
Operating System
Use a Linux-based OS for bug hunting. Recommended: Kali Linux, Parrot OS, or Ubuntu/Debian with tools installed manually.
Essential Tools Installation
```bash
# Update system
sudo apt update && sudo apt upgrade -y
# Install basic tools
sudo apt install -y git curl wget python3 python3-pip nmap
# Install Go (needed for many tools; check https://go.dev/dl/ for the current release)
wget https://go.dev/dl/go1.21.0.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz
# Put both the Go toolchain and the binaries `go install` produces on PATH
echo 'export PATH=$PATH:/usr/local/go/bin:~/go/bin' >> ~/.bashrc
source ~/.bashrc
# Install subfinder (subdomain enumeration)
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
# Install httpx (HTTP probing)
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
# Install nuclei (vulnerability scanner)
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Install ffuf (fuzzing)
go install github.com/ffuf/ffuf/v2@latest
# Install waybackurls (historical URL collection, used in the reconnaissance step)
go install github.com/tomnomnom/waybackurls@latest
```
Browser Setup
- Install Firefox or Chrome
- Add extensions: FoxyProxy, Wappalyzer, Cookie Editor, HackBar
Configure Burp Suite
- Download from portswigger.net/burp/communitydownload
- Set proxy listener to 127.0.0.1:8080
- Configure browser to use this proxy
- Install Burp's CA certificate in browser
Learning Path
Phase 1: Foundations
Complete these free courses:
- PortSwigger Web Security Academy (FREE, essential)
- TryHackMe - Bug Bounty Path
- HackTheBox Academy
Learn OWASP Top 10:
- Injection (SQL, Command, LDAP)
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
Phase 2: Practice
Practice on legal targets: DVWA, bWAPP, OWASP WebGoat, HackTheBox machines, TryHackMe rooms, PentesterLab
Phase 3: Real Targets
- Start with VDPs (Vulnerability Disclosure Programs)
- Move to paid bug bounty programs
- Focus on less popular targets (less competition)
Choosing a Platform
| Platform | Notes |
|---|---|
| HackerOne | Largest program variety |
| Bugcrowd | Beginner-friendly |
| Intigriti | European programs |
| YesWeHack | European programs |
| Immunefi | Crypto/Web3 (high payouts) |
| Synack | Invite-only, higher pay |
Program Selection Tips
- Start with programs that have broad scope
- Look for programs with good response times
- Avoid programs with many hunters (high competition)
- New programs often have more low-hanging fruit
Finding Your First Bug
1. Reconnaissance
```bash
# Find subdomains (only for domains inside the program's published scope)
subfinder -d target.com -o subdomains.txt
# Check which are alive. If `httpx` on your PATH turns out to be the Python
# HTTP client rather than the projectdiscovery tool, call ~/go/bin/httpx explicitly.
cat subdomains.txt | httpx -o alive.txt
# Find interesting endpoints
cat alive.txt | waybackurls > urls.txt
```
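Before any of the probing above, the enumerated hosts should be checked against the program's scope, since wildcards, exclusions and tool output that comes back as URLs all make that easy to get wrong by hand. The following is an added example, not code from the guide: the scope entries, the domains (`example.com`, `example.net`) and the host list are constructed sample data, and the wildcard semantics (a `*.` entry covers subdomains but not the apex) are a conservative assumption rather than any platform's official rule.

```python
# Added example (not part of the guide): keep only hosts that fall inside a
# program's published scope before probing anything. "example.com",
# "example.net" and the host list are constructed sample data; a real run
# would load the scope from the program page and the hosts from subdomains.txt.
import sys
from urllib.parse import urlsplit

# Scope entries in the two shapes programs usually publish:
# wildcards ("*.example.com") and exact hosts ("api.example.net").
SAMPLE_SCOPE = {
    "in":  ["*.example.com", "api.example.net"],
    "out": ["legacy.example.com", "*.internal.example.com"],
}

SAMPLE_HOSTS = [
    "app.example.com",              # in scope via wildcard
    "https://api.example.net/v1",   # tool output is often a URL, not a bare host
    "legacy.example.com",           # explicitly excluded
    "dev.internal.example.com",     # excluded by an out-of-scope wildcard
    "example.com",                  # apex is NOT covered by "*.example.com" (assumption)
    "api.example.net.evil.test",    # suffix trick: must not match an exact entry
]


def hostname_of(line: str) -> str:
    """Extract a lowercase hostname from a bare host or a URL (ports and paths dropped)."""
    line = line.strip()
    if "://" not in line:
        line = "//" + line
    return (urlsplit(line).hostname or "").rstrip(".")


def matches(host: str, pattern: str) -> bool:
    """Wildcards cover subdomains at any depth but not the apex itself;
    the apex counts as out of scope unless the program lists it explicitly."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith("." + pattern[2:])
    return host == pattern


def in_scope(host: str, scope: dict) -> bool:
    """Exclusions win over inclusions, so an out-of-scope entry is never probed."""
    if any(matches(host, p) for p in scope["out"]):
        return False
    return any(matches(host, p) for p in scope["in"])


def filter_hosts(lines, scope) -> list:
    """Return the unique in-scope hostnames from an iterable of lines."""
    kept = []
    for line in lines:
        host = hostname_of(line)
        if host and in_scope(host, scope) and host not in kept:
            kept.append(host)
    return kept


if __name__ == "__main__":
    # Usage: python scope_filter.py < subdomains.txt > inscope.txt
    for host in filter_hosts(sys.stdin, SAMPLE_SCOPE):
        print(host)
```

Run it between `subfinder` and `httpx` so that only `inscope.txt` is ever probed; when a program lists its apex domain explicitly, add it to the `"in"` list as an exact entry.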
2. Map the Application
- Browse the application manually
- Identify all features and functionality
- Note authentication mechanisms
- Find input fields (forms, parameters, headers)
- Check for APIs
3. Test for Vulnerabilities
Start with these high-impact bugs:
- Authentication Issues (Password reset flaws, Account takeover)
- Access Control (IDOR, Privilege escalation)
- Injection (XSS, SQL Injection, Command Injection)
- Business Logic (Price manipulation, Race conditions)
4. Document Everything
Take screenshots, record HTTP requests/responses, note reproduction steps, save evidence before reporting.
Writing a Good Report
Report Template
Title: [Vulnerability Type] in [Feature/Endpoint] allows [Impact]
Summary: Brief description of the vulnerability and its impact.
Severity: Critical / High / Medium / Low
Steps to Reproduce:
- Go to the vulnerable endpoint
- Perform specific action
- Observe the vulnerability
Proof of Concept: Screenshots, videos, code snippets
Impact: Explain what an attacker could do
Recommended Fix: Suggest how to fix the issue
Common Vulnerability Types
Cross-Site Scripting (XSS)
Where to look: Search boxes, comment fields, profile fields, URL parameters
SQL Injection
Where to look: Login forms, search features, filters, any database queries
IDOR (Insecure Direct Object Reference)
Change IDs in requests: GET /api/user/123/profile -> GET /api/user/124/profile
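The defect behind that request pair is a handler that authenticates the caller but never checks that the requested object belongs to them. Below is an added example, not code from the guide: the `/api/user/<id>/profile` endpoint as a vulnerable handler beside a hardened one, plus a small log check that flags the enumeration pattern. The profile store, session tokens and log lines are constructed stand-ins for a real database, framework and access log.

```python
# Added example (not part of the guide): the GET /api/user/<id>/profile case
# as a vulnerable handler beside a hardened one, plus a detection check.
# The stores, session tokens and log lines are constructed stand-ins.
import re
from collections import defaultdict

PROFILES = {123: {"email": "alice@example.test"}, 124: {"email": "bob@example.test"}}
SESSIONS = {"sess-alice": 123, "sess-bob": 124}   # session token -> user id


def get_profile_vulnerable(session_token, user_id):
    """Checks that the caller is logged in, but never that the profile is theirs."""
    if session_token not in SESSIONS:
        return 401, None
    profile = PROFILES.get(user_id)
    return (200, profile) if profile else (404, None)


def get_profile_fixed(session_token, user_id, audit=None):
    """Object access is tied to the identity in the session, not to the id in the URL."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, None
    if user_id != owner:
        # Same response as "does not exist", so the id space cannot be mapped,
        # plus an audit event so the attempt is visible to whoever watches the logs.
        if audit is not None:
            audit.append(f"session={session_token} requested profile {user_id} (owner is {owner})")
        return 404, None
    return 200, PROFILES[owner]


# Detection side: one session touching many distinct profile ids is the
# footprint of enumeration. Constructed access-log lines in a simple format.
SAMPLE_LOG = """\
sess-alice GET /api/user/123/profile 200
sess-bob GET /api/user/124/profile 200
sess-bob GET /api/user/123/profile 404
sess-bob GET /api/user/125/profile 404
sess-bob GET /api/user/126/profile 404
"""
LOG_LINE = re.compile(r"^(\S+) GET /api/user/(\d+)/profile (\d{3})$")


def sessions_enumerating(log_text, threshold=3):
    """Return sessions that requested at least `threshold` distinct profile ids."""
    ids_per_session = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ids_per_session[m.group(1)].add(int(m.group(2)))
    return sorted(s for s, ids in ids_per_session.items() if len(ids) >= threshold)
```

In a report, the vulnerable/fixed pair is also the shape of a good "Recommended Fix": name the missing ownership check rather than just the symptom.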
Authentication Bugs
- Password reset token leaks
- No rate limiting on login
- Session not invalidated on logout
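Each of those three bugs has a straightforward server-side fix, and knowing what the fix looks like makes both testing and the "Recommended Fix" section of a report sharper. The following is an added example, not code from the guide: a minimal authentication service with a revocable server-side session store, a per-username login rate limit, and reset tokens that are random, single-use, time-limited and stored only as hashes. The user record, password and injectable clock are constructed for the demo.

```python
# Added example (not part of the guide): server-side fixes for the three
# authentication bugs listed above. Users, passwords and the clock are
# constructed; a real service would back the session store with a database
# or cache shared by all application instances.
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict, deque

MAX_FAILED, WINDOW_SECONDS = 5, 60        # login rate limit per username
RESET_TTL_SECONDS = 15 * 60               # reset token lifetime


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct-horse", _SALT))}   # constructed user


class AuthService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.sessions = {}                  # token -> username (server side, so revocable)
        self.failed = defaultdict(deque)    # username -> timestamps of failed logins
        self.reset_tokens = {}              # sha256(token) -> (username, expiry)

    def _rate_limited(self, username) -> bool:
        q, now = self.failed[username], self.clock()
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q) >= MAX_FAILED

    def login(self, username, password):
        """Return a session token, or None (an HTTP handler would send 401 or 429)."""
        if self._rate_limited(username):
            return None
        salt, stored = USERS.get(username, (b"", b""))
        ok = bool(stored) and hmac.compare_digest(hash_password(password, salt), stored)
        if not ok:
            self.failed[username].append(self.clock())
            return None
        self.failed[username].clear()
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def whoami(self, token):
        return self.sessions.get(token)

    def logout(self, token):
        """Delete the session server side, so a captured token is useless afterwards."""
        self.sessions.pop(token, None)

    def issue_reset_token(self, username) -> str:
        """Random, single use, time limited, and stored only as a hash so a
        database leak does not hand out live reset links."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[digest] = (username, self.clock() + RESET_TTL_SECONDS)
        return token

    def consume_reset_token(self, token):
        """Return the username the token was issued for, or None if it is unknown,
        expired, or already used."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(digest, None)   # pop: a token works exactly once
        if entry is None or entry[1] < self.clock():
            return None
        return entry[0]
```

The tests a hunter runs map directly onto these methods: does an old token still answer `whoami` after `logout`, does the sixth wrong password in a minute still get evaluated, and does a reset token work twice or after its window.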
Business Logic Flaws
- Negative quantity in cart
- Skip payment step
- Coupon reuse
- Race conditions
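All four of those flaws come from trusting client-supplied state (quantities, prices, a "paid" flag, a coupon code) instead of recomputing it on the server. The following is an added example, not code from the guide: a checkout routine that closes each hole, with a thread-based check that the single-use coupon really is redeemed once under concurrent requests. The catalog, coupon, prices and the `paid_amount` argument are constructed stand-ins for a real database and payment-provider callback.

```python
# Added example (not part of the guide): a checkout that closes the four
# business-logic holes listed above. Catalog, coupon and prices are
# constructed; a real shop would read them from its database and take
# `paid_amount` from the payment provider's callback, never from the client.
import threading
from decimal import Decimal

CATALOG = {"sku-1": Decimal("19.99"), "sku-2": Decimal("5.00")}   # server-side prices
COUPONS = {"WELCOME10": Decimal("10.00")}                          # single-use codes


class Shop:
    def __init__(self):
        self.redeemed = set()
        self.lock = threading.Lock()

    def order_total(self, items):
        """items: [(sku, qty)] exactly as the client sent them. Prices come from the
        catalog, and quantities must be positive integers (no negatives, floats or
        booleans), so the total can never be pushed below zero."""
        total = Decimal("0")
        for sku, qty in items:
            if sku not in CATALOG:
                raise ValueError(f"unknown sku {sku}")
            if type(qty) is not int or qty < 1:
                raise ValueError("quantity must be a positive integer")
            total += CATALOG[sku] * qty
        return total

    def redeem(self, code):
        """Atomic check-and-mark: two simultaneous requests with the same
        single-use code cannot both succeed (the race-condition case)."""
        with self.lock:
            if code not in COUPONS or code in self.redeemed:
                return None
            self.redeemed.add(code)
            return COUPONS[code]

    def checkout(self, items, paid_amount, coupon=None):
        """Skipping the payment step is caught by requiring the confirmed payment
        to equal the server-computed total; the coupon is only burned once the
        payment checks out."""
        try:
            total = self.order_total(items)
        except ValueError as e:
            return {"status": "rejected", "reason": str(e)}
        if coupon is not None:
            if coupon not in COUPONS or coupon in self.redeemed:
                return {"status": "rejected", "reason": "coupon invalid or already used"}
            total = max(Decimal("0"), total - COUPONS[coupon])
        if paid_amount != total:
            return {"status": "rejected", "reason": f"paid {paid_amount}, order total is {total}"}
        if coupon is not None and self.redeem(coupon) is None:
            return {"status": "rejected", "reason": "coupon was used by a concurrent order"}
        return {"status": "paid", "charged": total}


def concurrent_redeem(shop, code, workers=20):
    """Fire `workers` threads at the same coupon and count how many succeeded."""
    wins = []

    def attempt():
        if shop.redeem(code) is not None:
            wins.append(1)

    threads = [threading.Thread(target=attempt) for _ in range(workers)]
    for th in threads:
        th.start()
    for th in threads:
        th.join()
    return len(wins)
```

The lock is the part that matters for race conditions: without an atomic check-and-mark (a lock, a unique database constraint, or a conditional update), several requests arriving together can each see the coupon as unused.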
Information Disclosure
Check for exposed files: /.git/config, /.env, /config.php.bak, /api/swagger.json
Must-Have Tools
| Tool | Purpose |
|---|---|
| Burp Suite | Web proxy and testing |
| Subfinder | Subdomain enumeration |
| Nuclei | Vulnerability scanning |
| ffuf | Fuzzing |
| httpx | HTTP probing |
| Nmap | Port scanning |
| SQLMap | SQL injection |
| Amass | Subdomain enumeration |
Tips for Success
Do's
- Read the program scope carefully
- Start with less popular programs
- Focus on one vulnerability type
- Hunt consistently - 2-3 hours daily
- Learn from duplicates
- Network with other hunters
- Document everything
- Be patient
Don'ts
- Don't use automated scanners blindly
- Don't spam reports
- Don't test without permission
- Don't give up early - 95% quit, be the 5%
- Don't chase only critical bugs
- Don't disclose publicly without permission
Resources
Free Learning
- PortSwigger Web Security Academy
- HackerOne Hacktivity
- PentesterLand Newsletter
YouTube Channels
STOK, NahamSec, InsiderPhD, LiveOverflow, John Hammond
Books
- Web Application Hacker's Handbook
- Bug Bounty Bootcamp by Vickie Li
- Real-World Bug Hunting by Peter Yaworski
Communities
HackerOne Discord, Bugcrowd Discord, NahamSec Discord, Reddit r/bugbounty
Earnings Timeline
- Month 1-3: Learning, practicing, $0 earnings (normal)
- Month 4-6: First valid reports, $0-500
- Month 7-12: Consistent findings, $500-2000/month
- Year 2: Intermediate level, $2000-5000/month
- Year 3+: Advanced hunter, $5000-15000+/month
Remember: Bug bounty is a marathon, not a sprint. Stay consistent, keep learning, and the rewards will come.
Last updated: January 2026