The art of learning bug bounty.

Sirat Sami (analyz3r)
7 min read · Jan 24, 2024


If you don’t know me

My name is Sirat, from Iraqi Kurdistan. I have been a hackerman since childhood and a bug hunter for a few years (only on HackerOne). I have shared some hacking stories recently, and bug bounty is my only job.
Also, sorry if you have some trouble with my English; I learned it from Tom and Jerry, LOL.

Getting started

This article is for people who want to join bug bounty or have hacking skills at all. If you are interested in starting bug bounty or hacking but you are lost in courses, tips and tricks, labs, etc., this article is for you (even if you are a black hat).
Since there are many ways, like billions of ways, to learn hacking stuff, and it’s not like learning anything else, it can be very difficult for anyone who wants to start, and many of you, when you feel disappointed, start asking people who have experience in bug bounty or cyber security.
Since I have experience of very stupid failed attempts to learn bug bounty, when someone says “I don’t get it” or “I can’t find bugs”, I know exactly where the pain is and why they cannot find even a single bug. So if you are new to bug bounty and haven’t found anything yet, or don’t know about it yet, I think you should read this article first (slowly), then let me know your thoughts about it.

What restricts you from learning/finding vulnerabilities?

I describe these points based on my experience:

  1. You want to learn fast. When you try to learn fast, you will miss many good points which allow you to understand better. You have to think slower, because when you try to learn something you have to fully understand it, especially for bug bounty. If you learn a vulnerability type, e.g. XSS, you have to learn at least 3 types of XSS, because you may find only one type of XSS in your target; it also allows you to understand much more of the vulnerability type.
  2. Your findings depend on luck. There are many starters who want to only use tools, and they think it’s better than doing it manually, but even the tools require good skill. Or when they start on their target and don’t find bugs after an hour, they leave the target because they think they don’t have enough luck. Personally, I think there’s no luck in bug bounty if you have good experience; the hackers who find critical issues on big companies spend even months to find such a thing, so if you leave your target after a few minutes, you probably need a therapist…
  3. You still don’t have a main target. After learning some bug types, you should choose your main target and spend at least three hours a day on it. This forces you to find a bug on the target, like you are forcing yourself to find a bug on this target, otherwise you can’t leave it. Sometimes I stick to my favorite program and target; it really helps me to learn more, learn new vulnerabilities and even find techniques which no one knows about. So choose a few programs which are your favorites and never leave them without a valid report.
  4. You just repeat what others do and you don’t have creative ideas. While learning new things from other hackers is a good idea, you can’t just repeat the same as them; finding the same vulnerability as theirs may require much more experience from you. Sometimes when a hacker shares a write-up, it doesn’t mean you can find the same thing on all other targets, or even on a single target. You have to understand that finding a vulnerability depends on your own skills. You may have reported what you saw in write-ups and even been paid for that; just remember it doesn’t mean you are a bug hunter or that you have successfully learned it, it’s actually the same as luck.
  5. You don’t have enough time. Yeah buddy, you are wasting time on TikTok and Netflix. You need much more time than you think; reading a few articles and doing a few labs is never enough. You should remain focused on what you were trying to learn. Never leave an article without fully reading it; and not only reading, you also need to put it in your brain. Please make sure you have fully understood what you were trying to learn.
  6. You fall into the rabbit hole. There are also rabbit holes in bug bounty, the same as in CTF challenges. Have you ever noticed you are doing too much recon for a target, while it may only have a few subdomains? Or have you ever noticed you are only looking for a single vulnerability type?
    When I started, I was looking only for XSS. After having some valid reports with other kinds of vulnerability types, I noticed I was actually in the rabbit hole when I was looking only for XSS, and for almost 2 years I haven’t reported a single XSS vulnerability.

There are tons of other reasons why you can’t learn bug bounty; I have only described what I was wrong about when I started bug bounty.
You have to learn bug bounty carefully, because sometimes you don’t even know you are doing it wrong.

So what is the right way to learn bug bounty?

There are also points for learning bug bounty. If you keep going based on these points, I’m sure you can be much better than who you are now. These points are also from my experience, and these are my ideas of how you can learn bug bounty much better:

  1. Learn some philosophy. Find the reason why you want to learn bug bounty: is it a habit, or do you do it to be famous, or might it be the money, or you might want to get rid of your current job, just like me.
    Once you find the reason why you want to start bug bounty, you can know how much it matters to you, and it makes you feel excited about doing bug bounty.
  2. Don’t spend too much time on bug bounty. When you feel like you don’t want to do it, it’s probably because you made it look boring and you are facing burnout; but when you do it less, you are much more excited, and it means you are much better at learning.
  3. If you think it’s a bug, just report it. You may get your platform account ruined for that, but mistakes are the best teachers. If you think you spotted something which is a bug, just report it; your report will probably be closed as N/A or informative, but when they close it they may also tell you the reason why it’s not a bug, and you may learn how to add extra impact to it next time.
  4. Learn the target before you start on it. Pretend to be the target’s user: you learn how to post, how to delete, where to upload, and even its rare functions or paths. It can open other doors to finding bugs, especially business logic issues.
  5. Learn to pre-find vulnerabilities. When you see reflected text, you have to think about what can happen here; of course it might be XSS or HTMLi or even SSTI. When you see a login, think about what security threat can happen here, e.g. a missing rate limit. When you see a file upload function, you have to think about what vulnerabilities are possible here. It helps you not to miss vulnerabilities.
  6. Don’t think only about money. When money is the main goal, you probably go to programs which pay high bounties, and of course these programs are pretty clean, because the more a program pays, the more attractive it is to hackers, and you will lose low bugs. Losing low bugs makes you feel useless and disappointed, so you also need VDP programs to remember what you learned, gain more skills and stay tuned.
  7. When you try to learn a vulnerability, learn it sharp. When you try to learn a vulnerability, e.g. XSS, try to learn as much about it as possible; the more you learn about the vulnerability, the harder it will be for it to escape your eyes. You may need at least one week for any vulnerability kind. If you learn rate limits, learn about 10 types of rate limit issues.
  8. You know how to find but you don’t know how to bypass. Bypassing security controls, filters or WAFs is very important. E.g. when you look for a rate limit in a login panel, you know it isn’t missing and it already has a rate limit, but you also need creative ideas for how to bypass the rate limit. Bypassing security controls allows you to find many more vulnerabilities.

These were some points on how you can learn bug bounty. There are tons of ways to learn it, but it mostly depends on yourself, and you need to know how to solve your own problems.
If you think this story isn’t great enough for you, bro, you really need to solve it yourself; just think about what is wrong and you will surely find it.

I have written this story for people who were asking how to learn bug bounty, or who were blaming the situation they fell into, but remember that being positive and waiting is the main key.

I hope you all enjoyed this article and found it helpful. Wish you all the best ❤

https://twitter.com/siratsami71
https://hackerone.com/analyz3r
