Roadmap

Bug Bounty Hunter

The independent or professional security researcher who finds and responsibly discloses vulnerabilities in real production systems through authorized bug bounty programs, earning rewards from HackerOne, Bugcrowd, and direct programs run by Apple, Google, Microsoft, and thousands of other organizations.

OPTIMISTIC 6–12 monthsREALISTIC 1–2 years to part-time income

Stage 00

Web and Networking Foundations

You cannot find vulnerabilities in systems you do not understand. The fundamentals are prerequisites, not optional background reading.

How the Web Works

HTTP/HTTPS request-response cycle: methods (GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS); request components (method, URL, headers, body); response components (status code, headers, body); status codes (200, 201, 301/302, 400, 401, 403, 404, 500); critical security headers (Authorization, Cookie, Content-Type, Referer, X-Forwarded-For, Host, Origin, Content-Security-Policy, X-Frame-Options); cookie attributes (name, value, domain, path, expires, HttpOnly, Secure, SameSite)
HTTPS and TLS: TLS handshake, certificate validation, session keys; HSTS forcing HTTPS; Certificate Transparency logs for subdomain discovery

Web Application Architecture

Client-side vs server-side rendering — affects what is visible in source and what requires API interception
Single-Page Applications (SPAs) — JavaScript handles routing; API endpoints critical attack surface
REST APIs — resource-based URLs; JSON payloads; stateless; authentication via tokens
GraphQL APIs — query language; single endpoint; introspection reveals full schema
WebSockets — persistent bidirectional connection; different security model from HTTP
Authentication mechanisms: session cookies (server creates session, cookie holds session ID); JWT (header.payload.signature, base64url encoded, common weaknesses alg:none, weak HMAC, RS256/HS256 confusion); OAuth 2.0 (authorization delegation, common misconfiguration source); API keys (static credentials often in JS files, git repos, mobile apps)
Authorization patterns — RBAC, ABAC; horizontal vs vertical privilege escalation

DNS and Networking Basics

DNS record types — A, AAAA, CNAME, MX, TXT, NS, SRV
DNS for recon — enumerating subdomains; finding forgotten assets
IP addressing — CIDR notation; identifying IP ranges for a target
Ports — common service ports; 80/443 (HTTP/HTTPS), 22 (SSH), 21 (FTP), 3306 (MySQL), 27017 (MongoDB)

HTML, JavaScript, and the DOM

HTML structure — forms, input fields, hidden fields, comments in source
JavaScript fundamentals — DOM manipulation, AJAX/fetch calls, event handlers
Reading JavaScript files — finding API endpoints, hardcoded credentials, internal logic
Browser DevTools: Network tab for intercepting all HTTP requests/responses; Console for JavaScript execution and XSS payloads; Sources for viewing JavaScript files; Application tab for cookies, localStorage, sessionStorage; Elements for viewing and modifying DOM

Resources

PortSwigger Web Security Academy (free, the best web security learning resource)
MDN Web Docs (free)
"The Web Application Hacker's Handbook" by Stuttard and Pinto (book)
TryHackMe Web Fundamentals path (free/paid)

Stage 01

OWASP Top 10 and Core Vulnerability Classes

These are the categories where most bug bounty findings live. Understanding each vulnerability, its causes, its impact, and its detection methods is the technical foundation.

OWASP A01: Broken Access Control

The most exploited vulnerability class; #1 in OWASP for a reason
Horizontal privilege escalation (IDOR — Insecure Direct Object Reference): accessing another user's resources by changing an ID; example GET /api/users/12345/documents changed to 12346; IDOR in JSON body or after redirect; UUID vs sequential IDs; IDOR in file paths, email parameters, export functions
Vertical privilege escalation: accessing functionality reserved for higher-privilege roles; changing role parameter; missing function-level access control; accessing hidden pages via JS files, robots.txt, or directory brute force
Business logic flaws — authorization that appears correct but can be bypassed through unexpected workflows

OWASP A02: Cryptographic Failures

Sensitive data transmitted without encryption — HTTP instead of HTTPS
Sensitive data stored unencrypted — passwords in plaintext; credit card numbers in logs
Weak cryptographic algorithms — MD5/SHA1 for passwords; RC4 for encryption
Hardcoded secrets — API keys, passwords, private keys in source code
Exposed JWT secrets — weak HMAC key; alg:none bypass
Information disclosure through verbose errors — stack traces revealing framework/database

OWASP A03: Injection

SQL Injection (SQLi): classic error-based (' OR 1=1 --, '; DROP TABLE); blind SQLi boolean-based; time-based blind (WAITFOR DELAY, SLEEP); union-based (column count and data types); out-of-band SQLi (DNS or HTTP callbacks); SQLi in JSON, cookies, HTTP headers; SQLMap automation
OS Command Injection: user input passed to shell commands (filename; id, filename | cat /etc/passwd); common in file conversion, ping/traceroute, webhook testing; blind command injection via sleep or DNS/HTTP callbacks
LDAP Injection — search filters; *)(uid=*))(|(uid=*
XPath Injection — XML queries; ' or '1'='1
Server-Side Template Injection (SSTI): input rendered in template engine; code execution; detection {{7*7}} → 49 in Jinja2/Twig, ${7*7} → 49 in FreeMarker; critical bug, often leads to RCE, very high bounty value

OWASP A04: Insecure Design

Race conditions — two requests modifying the same resource simultaneously; payment flows, coupon use
Business logic errors — applying discounts multiple times; negative quantities; free-tier limits bypassed

OWASP A05: Security Misconfiguration

Default credentials on admin interfaces
Directory listing enabled — browsing server file directories
Verbose error messages — stack traces revealing internal paths and library versions
Misconfigured CORS: Access-Control-Allow-Origin * with Allow-Credentials true; wildcard subdomain trust; null origin trust from sandboxed iframes
Unnecessary HTTP methods — TRACE enabled; PUT allowed to arbitrary paths
Exposed .git directory — source code and commit history downloadable
API endpoints exposed with no authentication
Cloud storage bucket misconfiguration — publicly accessible S3 buckets (increasingly rare but still valuable)

OWASP A06: Vulnerable and Outdated Components

Outdated web frameworks with known CVEs
Outdated JavaScript libraries with known vulnerabilities
Identifying component versions — response headers, error messages, HTML comments

OWASP A07: Identification and Authentication Failures

Weak password policies — no complexity requirements; short minimum lengths
Username enumeration — different response times or messages for valid vs invalid users
Account takeover via password reset: predictable reset tokens; token reuse; host header injection in reset email; no rate limiting
Brute force without rate limiting or lockout
Session fixation — attacker sets session ID before authentication; session remains valid after login
Session not invalidated on logout — token remains valid

OWASP A08: Software and Data Integrity Failures

Deserialization vulnerabilities — Java, PHP, Python object deserialization; often RCE
Insecure CI/CD pipelines — dependency confusion attacks; malicious package substitution
Update mechanisms without signature verification

OWASP A09: Security Logging and Monitoring Failures

Not directly exploitable; relevant for severity assessment and impact in reports

OWASP A10: SSRF

Server-Side Request Forgery: server makes HTTP request to URL provided by user; internal network access (192.168.1.1/admin, 169.254.169.254 AWS metadata); AWS IMDSv1 credential theft; blind SSRF via Burp Collaborator/interactsh; bypass via URL encoding, IPv6, DNS rebinding; protocol exploitation file://, gopher://, dict://

Cross-Site Scripting (XSS) — Deep

Reflected XSS (payload reflected in immediate response, requires social engineering); Stored/Persistent XSS (stored in database, executes for all viewers, highest impact); DOM-Based XSS (payload in client-side JavaScript without server reflection)
XSS payloads: basic detection <script>alert(1)</script>, <img src=x onerror=alert(1)>; context-aware attribute and URL contexts; WAF bypass via case, unicode, HTML entity encoding
XSS impact ladder: session cookie theft (if no HttpOnly); keylogging; phishing page injection; CSRF bypass; account takeover without cookie theft via JS-based email/password change

CSRF

CSRF (Cross-Site Request Forgery): victim's browser makes state-changing request to target app while authenticated; CSRF token random per-session value; missing protection indicators no token in forms, no SameSite cookie attribute; bypass via Content-Type change to text/plain, CORS + CSRF, referer validation bypass

OWASP API Security Top 10

API1: Broken Object Level Authorization (BOLA/IDOR) — API objects accessed without authorization
API2: Broken Authentication — weak API authentication; tokens without expiry
API3: Broken Object Property Level Authorization — user can change fields they shouldn't access
API4: Unrestricted Resource Consumption — no rate limiting; bulk operations without pagination limits
API5: Broken Function Level Authorization — regular user accessing admin API endpoints
API6: Unrestricted Access to Sensitive Business Flows — abusing legitimate flows (account creation bots, checkout abuse)
API7: Server Side Request Forgery — same as web SSRF but through API parameters
API8: Security Misconfiguration — same as web but specific to APIs
API9: Improper Inventory Management — older, forgotten API versions accessible; /v1/ alongside /v3/
API10: Unsafe Consumption of APIs — consuming third-party API data without validation

Resources

PortSwigger Web Security Academy (free, labs for every vulnerability)
OWASP Testing Guide (free)
HackTheBox Academy Bug Bounty Hunter path (paid)
TryHackMe OWASP Top 10 room (free)

Stage 02

Tools and Reconnaissance Methodology

Bug bounty success requires systematic methodology. The hunters earning consistent income are methodical, not random.

Burp Suite — The Essential Tool

Burp Suite: Proxy for intercepting browser traffic and modifying requests; Repeater for replaying modified requests; Intruder for automated parameter fuzzing and brute force; Scanner (Pro) for automated vulnerability detection; Decoder for encoding; Comparer for diffing responses; Collaborator (Pro) for out-of-band detection of SSRF, blind XSS, XXE
Burp extensions (BApp Store): AuthMatrix for multi-role authorization testing; Param Miner for hidden parameter discovery; Turbo Intruder for high-speed race conditions; JWT Editor for JWT manipulation; Active Scan++ for additional checks; Retire.js for outdated JS libraries
Burp essential keyboard shortcuts: Ctrl+R (send to Repeater), Ctrl+I (send to Intruder), Ctrl+Shift+U (URL decode)

Reconnaissance Tools

Subdomain enumeration: Subfinder (passive DNS); Amass (comprehensive attack surface mapping); Assetfinder (fast discovery); GitHub dorks; Certificate Transparency (crt.sh); DNS brute force (ffuf -u https://FUZZ.target.com)
HTTP probing: HTTPx for probing live web servers with status codes and titles; Aquatone for screenshot visual review of discovered assets
Directory and parameter fuzzing: ffuf (versatile fuzzer for directories, parameters, headers, vhosts); Feroxbuster (recursive content discovery); Gobuster (directory/file enumeration); ParamSpider (extracting parameters from wayback)
JavaScript analysis: LinkFinder (extracting endpoints from JS); SecretFinder (finding API keys, tokens, secrets); Waybackurls (fetching URLs from Wayback Machine); gau GetAllURLs (fetching from multiple sources)
Port scanning: Nmap (network scanning, service detection, -sV for version, -sC for scripts); Masscan (high-speed large-scale); Shodan (search engine for internet-connected devices)
Content discovery: Nuclei (template-based vulnerability scanner with community templates); Katana (web crawler for application structure)

Specialized Tools

SQLMap — automated SQL injection detection and exploitation
Nikto — web server scanner; basic misconfiguration detection
WhatWeb — web technology fingerprinting
Metasploit (limited use in bug bounty, check scope) — exploitation framework
Interactsh — out-of-band interaction server; free alternative to Burp Collaborator

Reconnaissance Methodology

Asset discovery — find everything in scope: subdomain enumeration using multiple tools; certificate transparency mining (crt.sh); ASN discovery via amass intel -org; GitHub reconnaissance for target mentions, API keys, internal tools; Wayback Machine for archived versions and old endpoints; Google dorking for filetype and inurl
Asset fingerprinting — understand what you found: technology stack, WAF detection, CMS identification, API version discovery
Attack surface prioritization: newly added subdomains and assets; acquisitions with weaker security posture; new features; low-traffic endpoints with complex business logic
Content discovery — find what's hidden: directory brute force; JavaScript file deep reading; parameter discovery; mobile app decompilation exposing internal API structure

Stage 03

Bug Bounty Platforms and Program Selection

Platform selection and program targeting dramatically affect success rates. Hunter strategy matters as much as technical skill.

Major Platforms

HackerOne — largest platform; widest program selection; reputation system; leaderboards; CTF-based access to private programs; Hacker-Powered Security Report published annually
Bugcrowd — major platform; Bugcrowd Points reputation system; Crowdstream for triage transparency
Intigriti — European-focused; EU-based companies; GDPR-relevant programs; growing rapidly
YesWeHack — European platform; French companies; expanding globally
Synack — invitation-only; vetted professional researchers; higher-paying private programs; background check required
Open Bug Bounty — free responsible disclosure; no payout; practice and community
Self-hosted programs — Apple Security Bounty, Google Vulnerability Reward Program, Microsoft Security Response Center — direct submission, often highest payouts

Program Selection Strategy

Start with VDP (Vulnerability Disclosure Programs) — no payout but perfect for practice without pressure of duplicate fees; then move to small-scope bounty programs — less competition, faster triage; avoid mega-corp programs until methodology is dialed in
Look for: new programs with untested assets; wide scope (*.target.com); clear out-of-scope; active triage responding in days; fair rewards (check hunter satisfaction scores)
Target selection within a program: acquisition targets recently integrated; new features from changelog, blog posts, app store updates; subdomains with less competition beyond www and app

CVSS and Severity Ratings

CVSS v3.1 — most common scoring system in bug bounty
Base Score components — Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality/Integrity/Availability Impact
Bug bounty platforms often have their own severity definitions: Critical ($$$$$ for ATO, RCE, auth bypass, mass IDOR); High ($$$$ for stored XSS, SQLi, SSRF to internal metadata); Medium ($$$ for self-XSS limited, CSRF limited, info disclosure); Low ($$ for missing rate limiting, minor info leakage); Informational ($0 for best practices)
Common beginner mistake: overrating severity; damages reputation with triage teams

Stage 04

Report Writing

A valid bug with a poorly written report often gets rejected or downrated. Report quality is a skill that separates earning hunters from non-earning hunters.

Report Structure

Title — specific, descriptive, technical: "IDOR in /api/v2/users/{id}/billing allows accessing any user's billing information", NOT "IDOR vulnerability found"
Severity — justified against the program's severity definitions; err toward conservative
Description — concise explanation of the vulnerability, what it allows an attacker to do, and why it exists technically
Steps to Reproduce — numbered; precise; a triage analyst who has never seen this before should be able to reproduce it exactly including log in as User A, navigate to exact URL, intercept request, change parameter, forward, observe response contains User B's data
Proof of Concept (PoC) — screenshots annotated with arrows; Burp request/response showing the finding; video for complex multi-step issues
Impact — what can an attacker actually do with this? Be specific about access level and risk escalation
Suggested remediation — briefly; shows understanding of the root cause

Report Quality Signals

Good reports: clearly reproducible from the steps alone; impact is specific and realistic; PoC demonstrates finding without inference; shows business impact not just technical impact
Poor reports get rejected or downrated: vague steps; overstated impact; no PoC; wrong severity; out of scope testing

Duplicate Reports

Duplicate = someone found it before you; not a failure; means you found a real bug; reduce duplicates by hunting less-tested assets, hunting quickly on new programs, focusing on business logic; learning from duplicates by studying disclosed original reports

Stage 05

Advanced Topics and Specialization

After finding entry-level bugs consistently, specialization increases earnings. These are the topics that produce high-value findings.

Advanced Web Vulnerabilities

OAuth 2.0 Attacks: open redirect in redirect_uri to redirect tokens; state parameter missing or predictable causing CSRF on OAuth flow; implicit grant token leakage via Referer; authorization code interception via race condition or Referer leak
Business Logic Vulnerabilities: race conditions via Turbo Intruder on payment, coupons, free trials; price manipulation via negative quantities, integer overflow, currency conversion abuse; workflow bypass via direct navigation; A/B test exposure
XML External Entity (XXE): external entity declaration (<!ENTITY xxe SYSTEM "file:///etc/passwd">); blind XXE via OOB with Burp Collaborator; XXE via file upload (SVG, DOCX, XLSX, PDF parsers); XXE via content-type switching (JSON → XML)
Prototype Pollution (JavaScript): polluting Object.prototype via __proto__ or constructor.prototype; client-side XSS via polluted properties; server-side (Node.js) RCE via child process spawning

Cloud Security Bug Bounty

AWS IAM misconfigurations — overly permissive bucket policies; cross-account trust misconfigurations
S3 bucket misconfigurations — still found; checking aws s3 ls s3://target-bucket --no-sign-request
GitHub secrets exposure — searching for target in GitHub; AWS keys, API tokens, credentials
Subdomain takeover: dangling DNS (subdomain pointing to expired S3 bucket, Heroku app, GitHub Pages); check with dig sub.target.com CNAME; tools Subjack, can-i-take-over-xyz

Mobile Application Bug Bounty

Android: APK decompilation (jadx, apktool) extracting hardcoded credentials, API endpoints, logic; deep links intent handling for unauthorized app activity invocation; WebView vulnerabilities loading user-controlled URLs; JavaScript bridge exposure
iOS: IPA analysis extracting and analyzing iOS app binary; URL scheme abuse; insecure data storage with cleartext credentials in UserDefaults, SQLite
Common in both: API testing with mobile app's traffic (Burp proxy on mobile)

AI/LLM Bug Bounty (Emerging)

Prompt injection — injecting instructions into LLM applications
System prompt extraction — tricking the model into revealing its system prompt
Indirect prompt injection — malicious content in data the LLM processes (documents, web pages)
Jailbreaking — bypassing safety filters
Many programs now explicitly include AI-powered features in scope

Stage 06

Building Reputation and Income

Platform Reputation

HackerOne reputation — gained from valid reports; lost from invalid/spam reports; gates access to private programs
Private programs — higher payouts, fewer hunters, less competition; invited based on reputation and leaderboard position
Leaderboard ranking — compound advantage; higher ranking → more private invites → more earnings
Profile optimization — LinkedIn integration; skills tags; bio explaining specializations
HackerOne CTF events — structured challenges gating private program access; complete to unlock

Community and Learning

Twitter/X — follow top hunters; most disclosed reports and techniques shared here
Discord communities — HackerOne Discord, Bugcrowd Discord; technique sharing; motivation
Disclosed reports — read every disclosed report on programs you hunt; understand what others found; pattern recognition
Bug bounty YouTube — NahamSec, STÖK, InsiderPhD, TomNomNom; methodology content
Hacker101 — HackerOne's free training platform; CTF challenges gating private program access

What to Document on LabList

HackerOne/Bugcrowd public profile — link directly; shows validated findings, reputation, bounties
Disclosed reports — if any of your reports are public, link and summarize
Technical write-ups — detailed walkthroughs of interesting findings (without violating program NDAs)
CTF writeups — demonstrating analytical approach and methodology
Hall of fame acknowledgements — CVEs credited, security acknowledgments from programs

FAQ

Common questions

How long does it take to start earning from bug bounty?

6–12 months to your first valid finding if you put in 20–25 hours/week and target Web Security Academy + the OWASP Top 10 systematically. 1–2 years to part-time income for most people. Top earners (the ones HackerOne reports as $1M+ annually) have 5+ years of obsessive practice. Don't enter bug bounty as a primary income strategy in year one — treat it as portfolio work and learning, with sporadic payouts as a bonus. Most bounty-only careers are unstable.

Do I need certifications for bug bounty?

No. Bug bounty is the most credentialing-agnostic security path. Your HackerOne reputation score, public reports on Hacktivity, and CVE history are the only credentials that matter. OSCP and OSWE help if you're trying to convert bounty work into a full-time AppSec or pentest role, but pure bounty hunters don't need them. PortSwigger Web Security Academy completion is the closest thing to a 'cert' that bounty hunters care about — and it's free.

Do I need a degree?

No. Bug bounty is more meritocratic than almost any tech role. Your earnings and reputation come from findings, not credentials. Plenty of top hunters never finished college; some are still in high school. What matters: methodical reconnaissance, persistence, willingness to read JavaScript bundles for hours, and reading enough disclosure reports to internalize patterns.

What separates a hunter who earns from one who doesn't?

Methodology, not technical depth. Strong hunters have a repeatable workflow — recon, scope review, attack-surface enumeration, hypothesis-driven testing — that they apply consistently across programs. Weak hunters chase the latest exploit trend and burn out. The 2026 bounty market favors hunters specializing in API/GraphQL, cloud misconfigurations, and AI-related bugs. Generic XSS findings on legacy web apps barely pay anymore. Read 100 disclosed reports before submitting your first; the pattern recognition is worth more than any course.

Bug Bounty Hunter

Common questions

Related roles