How to get started in a bug bounty?
A big question for everyone who wants to start in bug bounty! We hope this will clear your thoughts at some level!
Straight to the point: multiple platforms are publicly available for anyone to join and become part of the bug bounty community! We are not going to name any, as we believe you should take your first step without any help! ;)
For a beginner, or anyone entirely new to application security, you must have a basic understanding of the following things:
Linux
DNS
How websites work
How they transfer data
OWASP Top 10 (Web + Mobile)
Networking
How to Google!
When it comes to bug bounty, almost everyone expects you to do at least a basic Google search that can find the answer for you! If it doesn't, you can always ask the community on the different social platforms.
You can choose any Linux distribution to hack on! It's totally up to you! Some distributions are built as a hacking arena, with a lot of tools preinstalled! So you can start with one of those!
Not using one of these prebuilt hacking arenas? "Good choice too!" When you use something like Ubuntu as your primary OS for hacking, you will sometimes run into a lot of installation bugs, but you will also strengthen your Linux skills. In the future you will be writing your own automated hacking scripts, and for that, Linux skills will come in handy.
You must know how websites work. What happens when you type info.ninadmathpati.com into your browser? What is the role of DNS in this? How can that be helpful in a bug bounty? Subnets, ports, ASNs, TCP, UDP, ICMP: these and some more networking basics you have to cover before you start doing bug bounty!
The OWASP Top 10 is a standard awareness document for developers and application security. The document is available for both web and mobile applications. We believe this is the perfect starting point for learning about security vulnerabilities, so go check out their official website!
Have you ever asked anyone about something related to bug bounty, or a bug, or anything simple, and the person told you to search on "Google"? There are a lot of reasons people usually answer like that! The primary one is obviously that the answer is readily available on the internet! You need to understand that the people on the other side did the same thing (almost everyone). They expect you to at least search on the internet, learn, and if you still have any doubts, ask. People in the infosec community are so helpful by nature that we are sure they will help you! We have purposely shared only half of the information with you above, because we want you to complete it using a basic Google search.
Example: what Linux distros are available for hacking?
Once you have covered the OWASP Top 10, some other great platforms teach you more attack vectors, plus a lab to try your hands on such vulnerabilities. This time we are sharing some of these platform links with you :)
One of the most important things to understand about bug bounty is that it may take time to find your first bug and evolve into a good bug hunter! No one in the world became a good hacker in a day, or even in a month. It will take time. So invest most of your time in learning! "Remember, hacking is learning!"
YouTube is another great place to learn about bug bounty! We are listing some of the best channels we believe are out there for everyone!
There are a lot of other great hackers with YouTube channels who share and talk about bug bounty. You can easily find them!
CTFs are really great and can help you sharpen your hacking skills. There are some great CTF platforms out there. Some of them are,
There is always a question: "How to pick a program?"
While selecting a program, check whether you have ever used the application before as a regular user! Hunt on these programs first, because you are already aware of the application's functionality. If none of these applications works for you, figure out where your interest really lies! Do you love mobile applications more, or web applications? Where are you more comfortable while hacking, on web or on mobile applications? These things will help you while choosing a program to hack on!
It's demotivating and frustrating to not find a bug even after hacking for a month! But one thing you can remember is that "this happens to almost everyone!" You are not alone in this fight! Take a break and come back with more power!
Duplicates are not bad at all! They tell you that you are on the right path! But certainly, getting around these duplicates is what you really want! While hacking, an excellent thing to remember is, "One vulnerability can be exploited in one or more different ways." Your way might be different from the original reporter's way, but did they try your method on other applications? Or did you try their way on your favorite applications? Can you bypass the patch for the bug? Just don't stop!
There is always a debate on this topic in infosec, but we think you should decide this for yourself! There are some great courses available on the internet, and some of them are just fake/stolen! But there are some courses that stand out, and we recommend you buy these courses and start learning from them. Below are some of the best courses,
Bug bounty needs your time and money! Sometimes it can give you frustration and burnout. But in return, it will also give you the happiness of helping secure a company's assets, and obviously recognition in different ways to remember for a lifetime! :)