
10 Rules of Bug Bounty

1. Targeting the Bug Bounty Program
How long do you target a program?
If the answer is just a few hours or a night, that is where you are going wrong. Bug hunting is a matter of skill and luck. Spending just a few hours on a program is likely a waste, because those bugs have mostly been reported already. You may end up depressed by duplicates. I would suggest choosing a program and spending at least a week on it. Big bugs take time. Take your time to understand the functionality of the application, keep writing notes, and keep track of suspicious endpoints.
You are not going to earn much for a known issue unless you are very early to report it. If you find out about a public program 10 or 12 hours after its launch, don't waste your time looking for known issues or low-hanging fruit. Just take a deep dive into the application.
2. How do you Approach the Target?

If the answer is just signing up at the target and checking for vulnerabilities like CSRF, XSS, subdomain issues, etc., that could be the problem: you end up with many duplicates or no bugs at all. I would suggest first checking their documentation. Recon the target. Understand the functionalities and privileges of the users in the target. Do recon, check their docs and gather information for at least 1–2 days before you start attacking.

3. Don’t Expect Anything!
We believe this is the most common thing bug hunters do after reporting bugs: they expect a certain reward amount. Don't expect anything; just close the report and start looking for other bugs, because expecting could end up making you sad.
If you have made up your mind that you are going to hunt bugs in a matter of hours or a night, this may or may not work every time.
Some high-severity bugs may get rewarded with low or average bounties. Don't shout at them; just ask them politely what the reason for the bounty decision could be. More importantly, be happy and thankful to yourself for what you found.
Try to accept this: “Sometimes we may get unexpected rewards for small issues; we should also accept smaller amounts for high-severity issues as well.”
4. Less Knowledge about Vulnerabilities and Testing Methodologies:
This is also a common scenario: a lot of new bounty hunters start looking for bugs without basic knowledge of how things work. What I have learned from my personal experience is that you will not know how an application works unless you know how they build them. It is necessary to first know how applications are built with a programming language before you start breaking them.
5. Surround yourself with the Bug Bounty Community to keep yourself Updated.
1. Create a Twitter handle and go to the HackerOne leaderboard.
2. Go to their HackerOne profiles one by one and follow them on Twitter. The same applies to Bugcrowd and other platforms as well. This way you can surround yourself with bug hunters and security researchers.
3. Keep bookmarking.
4. Join Bug Bounty World on Slack and keep reading their blogs, tools and general channels and their conversations about testing, and share what you know.
6. AUTOMATION: “Automation is power.” If you want to automate things, you need to learn scripting. It is highly recommended to learn some programming language. Some of the best scripting languages are JS, Python, Ruby and Bash; even knowing some curl tricks or basic Bash commands and scripting gives you the power to automate a lot of tasks!
“Hacking is an art of your own creation.”
7. GET BOUNTY or GET EXPERIENCE: As bug hunters, we sometimes feel sad when no bounty is received. However, we always gain experience and knowledge, and our skills improve. Look at bug bounty this way and keep your motivation up day by day. A lot of our life is made of emotions; it is about how you feel your life moment after moment, doing all the things that make you happy. So, if you do bug bounties, be happy, have fun! That's the essence of this!
“If you don't get a bounty, you get knowledge and experience; that's why you always win!”
8. If you find a bug, always ask yourself: what is the security impact on the application? You can start hunting with the concept of “find a bug” in your mind, or you can think outside the box and start hunting with the concept of “looking for the best impact”. The first concept is totally isolated; the second embraces a much bigger point of view.
“Stay in the valley, or work hard to climb the mountain and see the big panorama.”
9. FOLLOW THE MASTERS' PATH: I ask myself every day how to improve my skills a lot more, then I go and search for awesome hackers' blogs or the best write-ups I can find. The best hackers inspire us to be better versions of ourselves.

10. RELAX & ENJOY LIFE: Real success happens when you enjoy a balanced life. Your body and your mind need adequate rest to go beyond their own limits. If you spend a lot of hours hunting, close your laptop and go outside to be more connected with nature. When you hunt with a rested mind, you can see beyond the bugs and all the important details that count for a successful attack or PoC. Find everything that gives you joy or peace, everything that embraces you and improves you emotionally and mentally. Spend time with your friends and family; this life is like a shooting star, enjoy that light!
Source: Arbaz Hussain

