How to Get Started with Bug Bounty Hunting: A Beginner’s Guide
You pick a platform first. HackerOne and Bugcrowd both run public programs that accept reports from anyone with a verified account. Create a profile on one of them, complete the basic verification steps, and note which programs list low difficulty tags or welcome beginners.
Set up your testing workflow before you hunt
Install a clean browser profile with Burp Suite Community Edition or ZAP for intercepting traffic. Add the usual extensions: Wappalyzer to spot tech stacks, and a cookie editor so you can test session handling quickly. Keep a private text file for each target where you log endpoints and test cases as you go.
Start with these common checks on any new target:
- Try reflected XSS by sending a payload like `?q=<img src=x onerror=alert(1)>` through search or comment fields.
- Test for IDOR by changing numeric values in URLs or API requests while logged in as a second account.
- Look for open redirects on login or logout links by appending a foreign domain to the redirect parameter.
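For the open-redirect item above, here is an added example (not from the original guide) that shows why a naive "starts with /" check still lets an appended foreign domain through, and what a host-allowlist check that closes it looks like; `APP_HOST` and the sample redirect values are assumptions constructed for the example.

```python
from urllib.parse import urljoin, urlparse

# Hypothetical application host; constructed for this example.
APP_HOST = "app.example.com"


def is_safe_redirect_naive(target: str) -> bool:
    """Weak check: only asks whether the value begins with '/'.
    It accepts protocol-relative values such as '//evil.example/login',
    which browsers resolve to a different host."""
    return target.startswith("/")


def is_safe_redirect(target: str, app_host: str = APP_HOST) -> bool:
    """Hardened check: resolve the value against the app's own https origin
    and require the resulting host to be exactly the app host."""
    if not target:
        return False
    # Reject header-injection characters and backslashes, which some browsers
    # treat as forward slashes ('/\\evil.example' behaves like '//evil.example').
    if any(c in target for c in "\r\n\\"):
        return False
    resolved = urlparse(urljoin(f"https://{app_host}/", target))
    return resolved.scheme == "https" and resolved.netloc == app_host


def classify(target: str) -> dict:
    """Compare both checks on one value; useful as a regression test for a fix."""
    return {"naive": is_safe_redirect_naive(target),
            "hardened": is_safe_redirect(target)}


if __name__ == "__main__":
    for value in ("/account", "//evil.example/login", "https://evil.example/"):
        print(value, classify(value))
```

The `//evil.example/login` case is the one the bullet above describes: it passes the naive check and fails the hardened one.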
Submit only when you can reproduce the issue in a private tab and have a short proof-of-concept. Programs reject vague reports that lack clear steps or impact.
Choose your first targets and track results
Filter the program list for scopes that contain only web applications and exclude mobile or hardware. Pick three that have paid out at least a few hundred dollars in the last month. Spend one week on each before moving on.
| Platform | Example scope focus | Typical first payout range |
|---|---|---|
| HackerOne | Web apps on Shopify or GitLab public programs | $100-500 |
| Bugcrowd | API endpoints on Verizon or Twitter programs | $150-750 |
Track every test you run in a simple spreadsheet with columns for date, endpoint, payload, and result. After 20-30 hours you will see patterns in what gets accepted and what gets closed as duplicate or out of scope. Adjust your focus accordingly instead of guessing.