Bug Bounty Beginner's Roadmap
Phase 1: Fundamentals (1-2 Months)
Week 1-4: Networking and Web Basics
Objective: Understand networking, HTTP, and how the web works.
Topics:
Learn TCP/IP, DNS, and HTTP/HTTPS.
Understand how web applications work (client-server model, cookies, sessions).
Tools:
Wireshark
Postman
cURL
Resources:
Week 5-8: Programming Basics & Scripting
Objective: Learn basic programming and scripting needed for bug hunting.
Languages:
HTML, CSS (basic structure of web apps).
JavaScript (for XSS, DOM manipulation).
Python (useful for scripting and automating tasks).
Topics:
Learn basic syntax, loops, conditionals, and functions.
Understand web forms, inputs, cookies, and session management.
Create basic scripts for automating simple tasks.
Resources:
Phase 2: Learn Security Concepts (1 Month)
Week 9-12: Web Vulnerabilities (OWASP Top 10)
Objective: Familiarize yourself with the most common web vulnerabilities.
Topics:
Study the OWASP Top 10: SQL Injection, XSS, CSRF, SSRF, IDOR, etc.
Understand how these vulnerabilities are exploited in real-world scenarios.
Practical Work:
Set up a virtual lab using DVWA (Damn Vulnerable Web App), BWAPP, or OWASP Juice Shop to practice these vulnerabilities.
Resources:
Phase 3: Reconnaissance & Enumeration (1 Month)
Week 13-16: Reconnaissance and Information Gathering
Objective: Learn how to gather information about a target before testing.
Topics:
Subdomain enumeration, port scanning, directory brute-forcing.
Passive recon using tools like crt.sh, SecurityTrails, and Wayback Machine.
Tools:
Sublist3r
Amass
nmap
ffuf
Shodan
Practical Work:
Choose a bug bounty program (e.g., HackerOne) and practice recon on targets.
Resources:
Phase 4: Vulnerability Discovery (1-2 Months)
Week 17-22: Hunting Common Bugs
Objective: Start actively testing and looking for common vulnerabilities.
Topics:
Injection Attacks: Test for SQLi and command injections.
XSS: Focus on input fields, search boxes, and parameter tampering.
IDOR: Look for broken access control in web apps.
Practical Work:
Use Burp Suite or OWASP ZAP to intercept and modify requests.
Explore vulnerable applications like Juice Shop or participate in Capture the Flag (CTF) challenges.
Resources:
Phase 5: Bug Bounty Hunting (1 Month+)
Week 23-24: Start Small
Objective: Now that you have the basic skills, start hunting.
Activities:
Pick low-hanging fruits such as XSS, IDOR, or exposed admin panels.
Automate recon with tools like Subfinder, Aquatone, and ffuf.
Practice:
Spend 2-3 hours daily hunting on platforms like HackerOne or Bugcrowd.
Resources:
Week 25-26: Report Your First Bug
Objective: After finding a vulnerability, submit a report.
Steps:
Create a Proof of Concept (PoC) with proper screenshots.
Write a detailed step-by-step report.
If the bug gets rejected, learn from it and improve your approach.
Resources:
Weekly Timetable (Sample)
Monday to Friday:
1-2 hours theory/study: Learning about web vulnerabilities or network basics.
1-2 hours hands-on practice: Recon, fuzzing, and testing for bugs on targets.
Saturday-Sunday:
Full-day practice: Set up a lab or test programs on bug bounty platforms.
Study write-ups: Read reports and watch CTF challenges on YouTube.
Summary
By following this plan:
1st-2nd month: Focus on learning networking, web basics, and programming.
3rd month: Dive into web security concepts, focusing on OWASP Top 10.
4th month: Master recon and information gathering tools.
5th month: Actively start testing for bugs on real-world targets.
6th month: Start reporting bugs, aiming to find and report your first vulnerability.
Useful Tools & Platforms
This roadmap provides a structured learning path to help you achieve your first bug bounty within 6 months. Dedication and consistency are key!
Hi! I'm Ansh Bhawnani. I am currently working as a Security Engineer and also a part-time content creator. I am creating this repository for everyone to contribute to, so as to guide the young and enthusiastic minds starting their career in bug bounties. More content will be added regularly. Keep following. So let's get started!
NOTE: The bug bounty landscape has changed over the last few years. The issues we used to find easily a year ago would not be easy to find now. Automation is being used rigorously, and most of the "low hanging fruits" end up as duplicates if you are out of luck. If you want to start doing bug bounty, you will have to be determined to stay consistent and focused, as the competition is very high.
Introduction
What is a bug?
A security bug or vulnerability is "a weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability."
What is Bug Bounty?
A bug bounty or bug bounty program is IT jargon for a reward or bounty program given for finding and reporting a bug in a particular software product. Many IT companies offer bug bounties to drive product improvement and get more interaction from end users or clients. Companies that operate bug bounty programs may get hundreds of bug reports, including security bugs and security vulnerabilities, and many who report those bugs stand to receive awards.
What is the Reward?
There are all types of rewards based on the severity of the issue and the cost to fix it. They may range from real money (most prevalent) to premium subscriptions (Prime/Netflix), discount coupons (for e-commerce or shopping sites), gift vouchers and swag (apparel, badges, customized stationery, etc.). Money may range from $50 to $50,000 and even more.
What to learn?
Technical
Computer Fundamentals
Computer Networking
Operating Systems
Command Line
Linux:
Programming
Where to learn from?
Books
Web Application Hacker's Handbook: https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470
Real World Bug Hunting: https://www.amazon.in/Real-World-Bug-Hunting-Field-Hacking-ebook/dp/B072SQZ2LG
Bug Bounty Hunting Essentials: https://www.amazon.in/Bug-Bounty-Hunting-Essentials-Quick-paced-ebook/dp/B079RM344H
Hands on Bug Hunting: https://www.amazon.in/Hands-Bug-Hunting-Penetration-Testers-ebook/dp/B07DTF2VL6
Hacker's Playbook 3: https://www.amazon.in/Hacker-Playbook-Practical-Penetration-Testing/dp/1980901759
OWASP Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Project
Web Hacking 101: https://www.pdfdrive.com/web-hacking-101-e26570613.html
OWASP Mobile Testing Guide: https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
Writeups
Infosec Writeups: https://infosecwriteups.com/?gi=3149891cc73d
Hackerone Hacktivity: https://hackerone.com/hacktivity
Google VRP Writeups: https://github.com/xdavidhu/awesome-google-vrp-writeups
Blogs and Articles
Hacking Articles: https://www.hackingarticles.in/
Vickie Li Blogs: https://vickieli.dev/
Bugcrowd Blogs: https://www.bugcrowd.com/blog/
Intigriti Blogs: https://blog.intigriti.com/
Portswigger Blogs: https://portswigger.net/blog
Forums
Reddit: https://www.reddit.com/r/netsec/
Bugcrowd Discord: https://discord.com/invite/TWr3Brs
Official Websites
OWASP: https://owasp.org/
PortSwigger: https://portswigger.net/
Cloudflare: https://www.cloudflare.com/
YouTube Channels
English
Insider PHD: https://www.youtube.com/c/InsiderPhD
Bug Bounty Reports Explained: https://www.youtube.com/c/BugBountyReportsExplained
Vickie Li: https://www.youtube.com/c/VickieLiDev
Hacking Simplified: https://www.youtube.com/c/HackingSimplifiedAS
Pwn function: https://www.youtube.com/c/PwnFunction
Farah Hawa: https://www.youtube.com/c/FarahHawa
Live Overflow: https://www.youtube.com/c/LiveOverflow
Hindi
Spin The Hack: https://www.youtube.com/c/SpinTheHack
Pratik Dabhi: https://www.youtube.com/c/impratikdabhi
Join Twitter Today!
World class security researchers and bug bounty hunters are on Twitter. Where are you? Join Twitter now and get daily updates on new issues, vulnerabilities, zero days, exploits, and join people sharing their methodologies, resources, notes and experiences in the cyber security world!
PRACTICE! PRACTICE! and PRACTICE!
CTF
Hacker 101: https://www.hackerone.com/hackers/hacker101
PicoCTF: https://picoctf.org/
TryHackMe: https://tryhackme.com/ (premium/free)
HackTheBox: https://www.hackthebox.com/ (premium)
VulnHub: https://www.vulnhub.com/
HackThisSite: https://hackthissite.org/
CTFChallenge: https://ctfchallenge.co.uk/
PentesterLab: https://pentesterlab.com/referral/olaL4k8btE8wqA (premium)
Online Labs
PortSwigger Web Security Academy: https://portswigger.net/web-security
OWASP Juice Shop: https://owasp.org/www-project-juice-shop/
XSSGame: https://xss-game.appspot.com/
BugBountyHunter: https://www.bugbountyhunter.com/ (premium)
W3Challs: https://w3challs.com/
Offline Labs
DVWA: https://dvwa.co.uk/
bWAPP: http://www.itsecgames.com/
BugBountyHunter: https://www.bugbountyhunter.com/ (premium)
W3Challs: https://w3challs.com/
More Tools and Services To use
Servers
Shodan - Search Engine for the Internet of Everything
Censys Search - Search Engine for every server on the Internet to reduce exposure and improve security
Onyphe.io - Cyber Defense Search Engine for open-source and cyber threat intelligence data
ZoomEye - Global cyberspace mapping
GreyNoise - The source for understanding internet noise
Natlas - Scaling Network Scanning
Netlas.io - Discover, Research and Monitor any Assets Available Online
FOFA - Cyberspace mapping
Quake - Cyberspace surveying and mapping system
Hunter - Internet Search Engines For Security Researchers
Vulnerabilities
NIST NVD - US National Vulnerability Database
MITRE CVE - Identify, define, and catalog publicly disclosed cybersecurity vulnerabilities
GitHub Advisory Database - Security vulnerability database inclusive of CVEs and GitHub originated security advisories
cloudvulndb.org - The Open Cloud Vulnerability & Security Issue Database
osv.dev - Open Source Vulnerabilities
Vulners.com - Your Search Engine for Security Intelligence
opencve.io - Easiest way to track CVE updates and be alerted about new vulnerabilities
security.snyk.io - Open Source Vulnerability Database
Mend Vulnerability Database - The largest open source vulnerability DB
Rapid7 - DB - Vulnerability & Exploit Database
CVEDetails - The ultimate security vulnerability datasource
VulnIQ - Vulnerability intelligence and management solution
SynapsInt - The unified OSINT research tool
Aqua Vulnerability Database - Vulnerabilities and weaknesses in open source applications and cloud native infrastructure
Vulmon - Vulnerability and exploit search engine
VulDB - Number one vulnerability database
ScanFactory - Realtime Security Monitoring
Trend Micro Zero Day Initiative - Publicly disclosed vulnerabilities discovered by Zero Day Initiative researchers
Google Project Zero - Vulnerabilities including Zero Days
Trickest CVE Repository - Gather and update all available and newest CVEs with their PoC
cnvd.org.cn - Chinese National Vulnerability Database
InTheWild.io - Check CVEs in our free, open source feed of exploited vulnerabilities
Vulnerability Lab - Vulnerability research, bug bounties and vulnerability assessments
Red Hat Security Advisories - Information about security flaws that affect Red Hat products and services in the form of security advisories
Cisco Security Advisories - Security advisories and vulnerability information for Cisco products, including network equipment and software
Microsoft Security Response Center - Reports of security vulnerabilities affecting Microsoft products and services
VARIoT - VARIoT IoT Vulnerabilities Database
Exploits
Exploit-DB - Exploit Database
Sploitus - Convenient central place for identifying the newest exploits
Rapid7 - DB - Vulnerability & Exploit Database
Vulmon - Vulnerability and exploit search engine
packetstormsecurity.com - Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
0day.today - Ultimate database of exploits and vulnerabilities
LOLBAS - Living Off The Land Binaries, Scripts and Libraries
GTFOBins - Curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems
Payloads All The Things - A list of useful payloads and bypasses for Web Application Security
XSS Payloads - The wonderland of JavaScript unexpected usages, and more
exploitalert.com - Database of Exploits
Reverse Shell generator - Online Reverse Shell generator with Local Storage functionality, URI & Base64 Encoding, MSFVenom Generator, and Raw Mode
HackerOne hacktivity - See the latest hacker activity on HackerOne
Bugcrowd Crowdstream - Showcase of accepted and disclosed submissions on Bugcrowd programs
GTFOArgs - Curated list of Unix binaries that can be manipulated for argument injection
shell-storm.org/shellcode - Shellcodes database for study cases
Hacking the Cloud - Encyclopedia of the attacks/tactics/techniques that offensive security professionals can use on their next cloud exploitation adventure
LOLDrivers - Open-source project that brings together vulnerable, malicious, and known malicious Windows drivers
PwnWiki - Collection of TTPs (tools, tactics, and procedures) for what to do after access has been gained
CVExploits Search - Your comprehensive database for CVE exploits from across the internet
VARIoT - VARIoT IoT exploits database
LOOBins - Detailed information on various built-in macOS binaries and how they can be used by threat actors for malicious purposes
Coalition Exploit Scoring System - Model that dynamically scores new and existing vulnerabilities to reflect their exploit likelihood
WADComs - Interactive cheat sheet containing a curated list of offensive security tools and their respective commands to be used against Windows/AD environments
LOLAPPS - Compendium of applications that can be used to carry out day-to-day exploitation
Living off the Hardware - Resource collection that provides guidance on identifying and utilizing malicious hardware and malicious devices
Living Off the Pipeline - How development tools commonly used in CI/CD pipelines can be used to achieve arbitrary code execution
Bug Bounty Platforms
Crowdsourcing
Bugcrowd: https://www.bugcrowd.com/
Hackerone: https://www.hackerone.com/
Intigriti: https://www.intigriti.com/
YesWeHack: https://www.yeswehack.com/
OpenBugBounty: https://www.openbugbounty.org/
Individual Programs
Bug Bounty Report Format
Title
The first impression is the last impression: the security engineer looks at the title first and should be able to identify the issue from it.
Write about what kind of functionality you were able to abuse or what kind of protection you were able to bypass. Keep it to just one line.
Include the Impact of the issue in the title if possible.
Description
This component provides the details of the vulnerability. Explain the vulnerability here: write about the paths, endpoints and error messages you got while testing. You can also attach HTTP requests and vulnerable source code.
Steps to Reproduce
Write the stepwise process to recreate the bug. It is important for an app owner to be able to verify what you've found and understand the scenario.
You must write each step clearly and in order to demonstrate the issue; that helps security engineers to triage fast.
Proof of Concept
This component is the visual of the whole work. You can record a demonstration video or attach screenshots.
Impact
Write about the real-life impact: how an attacker can take advantage if they successfully exploit the vulnerability.
What type of damage could actually be done? (Avoid writing about the theoretical impact.)
The impact should align with the business objectives of the organization.
Sample Report
Some additional Tips
Don't do bug bounty full time in the beginning (although I suggest not doing it full time at any point). There is no guarantee of finding bugs every other day; there is no stability. Always keep multiple sources of income (bug bounty not being the primary one).
Stay updated; learning should never stop. Join Twitter, follow good people, and maintain the curiosity to learn something new every day. Read writeups and blogs and keep expanding your knowledge.
Always see bug bounty as a medium to enhance your skills. Money will come only after you have the skills. Take money as a motivation only.
Don't be dependent on automation. You can't expect a tool to generate money for you. Automation is everywhere. The key to success in bug bounty is to be unique. Build your own methodology, learn from others and apply it on your own.
Always try to escalate the severity of the bug; keep a broader mindset. An RCE always has higher impact than an arbitrary file upload.
It's not necessary that a vulnerability will be rewarded based on the industry-defined standard impact. The asset owners rate the issue with a risk rating, often calculated as impact * likelihood (exploitability). For example, an SQL Injection by default has a Critical impact, but if the application is accessible only inside the organization's VPN and doesn't contain any user data/PII in the database, the likelihood of exploitation is reduced, and so is the risk.
Stay connected to the community. Learn and contribute. There is always someone better than you at something. Don't miss an opportunity to network. Join forums, go to conferences and hacking events, meet people, and learn from their experiences.
Always be helpful.