Bug Hunting Path

How to become a bug hunter?

Photo by Markus Spiske on Unsplash

Before focusing on path first lets discuss what bug hunting is?

A bug bounty program allows hackers to receive compensation for reporting bugs, also known as vulnerabilities and possible exploits, in organizations’ hardware, firmware, and software

Who are Bug Hunter?

Bug bounty hunters are individuals who know the nuts and bolts of cybersecurity and are well versed in finding flaws and vulnerabilities. Bug bounty programs allow hackers to detect and fix bugs before the public hears about them, in order to prevent incidents of widespread abuse.

  1. Learn Computer Networking

2. Get Familiarized With the Web Technologies: This includes getting a basic understanding of web programming and web protocols. Web programming languages are JS, html, and css. A beginner to intermediate level proficiency with these languages is more than enough in the beginning. The protocols you should learn about are HTTP, FTP, TLS, etc.

3. Learning Web Application Security Measures and Hacking Techniques: This will include learning about common security mechanisms, security practices, their bypasses, common vulnerabilities in web applications, ways to find these vulnerabilities, and ways to patch and prevent the applications from these vulnerabilities

Few recommended books:

  • Web Application Hacker’s Handbook
  • Mastering Modern Web Application Penetration Testing
  • Web Hacking 101

Practicing your skills:

Practicing helps in developing a framework for approaching a target. The more you practice on difficult targets the easier it will be for you to approach a web application in a way that increases your chances of finding a critical vulnerability

Vulnerable Web Applications: These are intentionally vulnerable virtual machines. Vulnerable web applications are available as general variants that contain many types of vulnerabilities and as dedicated variants that focus on a single vulnerability and its subtleties. Some examples are:

  • BWapp
  • DVWA
  • OWASP Webgoat
  • Cyclone Transfers
  • Bricks
  • Hacme
  • Juice Shop

Testing Real Targets: After you are thorough with your basics and have a decent level of skill, you can start doing the actual hunting on real websites. A lot of websites run bug bounty programs for their web assets.

  • Facebook
  • Twitter
  • Google
  • Verizon
  • Starbucks

You must remember that the top bug bounty hunters of the world are testing these websites along with you. However, that doesn’t mean you can’t find something at all.

Staying up-to-date on Latest Vulnerabilities:

You can read disclosed reports on bug bounty platforms like HackerOne. Some recommended researchers to follow are:

  • Frans Rosén
  • Jason Haddix
  • Geekboy
  • PortSwigger

At last — if you really want to get started with bug bounty then it doesn’t matter what is your stream or what is your current working domain — you simply can start learning the required skills and start doing the actual hunting!



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Cybersecurity Researcher | Penetration Tester