Bug Bounty for Beginners
What is Bug Bounty?
Vulnerability Rewards Program (VRP), also known as a bug bounty program: offers financial rewards to individuals for finding and reporting software bugs.
How It Works
Companies run online programs that pay independent bug bounty hunters (security researchers) for valid vulnerability reports, as part of a vulnerability management strategy. Bug bounties supplement, rather than replace, penetration tests and internal code audits.
- Penetration Test: An authorized, simulated cyber attack performed on a computer system to evaluate its security.
- Internal Code Audits: A comprehensive analysis of source code in a programming project with the intent of discovering bugs, security breaches, or violations of programming conventions.
- Programming Conventions: A set of guidelines for a specific programming language that recommends programming style, practices, and methods for each aspect of a program written in that language.
Downside to Bug Bounty
- Doesn't guarantee coverage for all types of vulnerabilities.
- Can be stressful and time-consuming.
- Payouts vary widely by program and severity:
  - Low: roughly $150
  - Medium: roughly $500
  - High: roughly $1,000 to $3,000
What You Should Learn
Computer Networking:
Fundamentals of internetworking, IP and MAC addresses, the OSI model, the TCP/IP stack, etc.
Web Technologies:
Basic understanding (beginner to intermediate is fine) of:
- Web programming
- JavaScript
- HTML
- CSS
Protocols:
- HTTP/HTTPS
- FTP
- TLS
Web App Security Measures:
Security mechanisms and practices, common bypasses, the vulnerability classes that are common in web apps, and how to find, patch, and prevent those vulnerabilities.
Practice: Intentionally Vulnerable Virtual Machines
- bWAPP
- DVWA
- OWASP
- Cyclone
- Bricks
- Butterfly
- Hacme
- Juice Shop
- RailsGoat
- SQLol
Tools
- Burp Suite ($349/yr)
- OWASP ZAP (open source)
- Kali Linux (open source)
Certifications
- HackTheBox Certified Bug Bounty Hunter
- ISAC Bug Bounty Researcher
- Ethical Hackers Academy Certified Bug Bounty Expert