Introduction
First of all, this is not something that will make you rich overnight. In fact, it will probably take a lot of time until you are consistently earning small amounts. If you just want to make a lot of money really quickly, then this might not be the right thing for you. Finding bugs and security holes takes a lot of time, energy and dedication. Work hard and be patient.
About myself
I’m a 24-year-old university student who started doing bug bounties in January 2021. Now you might ask yourself, “What will this beginner teach me?” Good question. See, I’ve faced a lot of the difficulties every beginner comes in contact with, so you can learn from my mistakes and get up to speed quicker than I did. When I started this year I already had two years of experience in infosec, mainly through Hack The Box and TryHackMe. But I was already highly comfortable with operating Linux systems, writing tools and scripts in Python, and I had a good understanding of different vulnerabilities. Nonetheless, it took me 6 months of work every day till I got my first bounty. Now for some people it takes longer, for others it takes less time. This just goes to show that your mileage may vary.
Where to start?
This depends hugely on your current knowledge. If you don’t have any prior hacking experience, then you might want to start by building a solid fundamental understanding of how different things work before you try to break them.
There are a lot of different resources out there and we will dive into them in another article. But everything you need to know is freely available on the internet. My tip: don’t immediately spend money on courses or anything else if you are not sure you’re in this for the long run.
With that being said, start with the basics. Learn about how the internet works. Look at different protocols, and familiarize yourself with how they work and how they are implemented. You don’t need to be a web developer, but it doesn’t hurt to know how a web app is built. Maybe build a small website yourself. Just use some basic HTML, CSS and JavaScript. Again, it doesn’t have to be pretty or fancy, but it will make it much easier to understand your target once you begin hunting. Don’t overcomplicate stuff, just pick a random tutorial on YouTube or sites like freeCodeCamp and get going.
Once you get a grasp on those concepts, it’s time to start with some basic vulnerabilities. Pick one and just start to learn about it. I’d highly recommend checking out PortSwigger Academy. There you can learn a lot about how different vulnerabilities arise and how to detect them, and practice some easy cases in the free labs they provide. However, it is important that you stick to one vulnerability at a time. Jumping around between different vulns will only lengthen the learning process. Trust me, I’ve been there.
Help! I am stuck!
So you’ve hit your first roadblock? Good, that means you’re moving forward. A lot of the issues you will face can be solved by googling for a little while. This is perhaps the most important skill you will need: finding answers on your own. Alright, let’s say you’ve spent a good amount of time and you’re still getting nowhere. You want to ask for help but don’t know how to approach someone. Here are my do’s and don’ts.
DON’T:
- Ask people questions that can be solved in 5 minutes with Google. Honestly, you wouldn’t believe how many of those questions I get asked every day.
- Expect people to hand you everything on a silver platter. This won’t teach you anything.
- Beg people for free stuff. When someone creates a course, it takes them a considerable amount of time and therefore they deserve to be paid. Also, as I already stated, basically everything is available for free.
- Ask questions without providing relevant details. Remember people take time out of their day to help and it’s rude to make them spend more time than necessary.
DO:
- Provide a full description of your problem, maybe even provide screenshots. Tell people what you’ve already tried and what you think the issue might be. This will make it easier and more likely that someone can help you out.
- Be nice and kind. Remember, when someone helps you they take time out of their day, and that’s not something to take for granted.
- Come straight to the point. Don’t be like “Hey” “Can I ask you something?” “I have a problem”. Write a friendly hello and then just proceed with your question. Don’t waste someone’s time.
Entering the real world
So you’ve got the basics down and feel ready to approach your first target? Great! However, there are some things to consider. You might want to start with a VDP (vulnerability disclosure program), a program that doesn’t pay money. There is generally less competition and thus a better chance for you to actually find your first vulnerability. After a while, once you’ve found your first few bugs, you might want to try taking on a paid program. Keep in mind there will be more competition and those programs tend to be more secure, so don’t give up.
Last but not least, stick to one program for a few weeks/months. Consistency is the key. Many experienced hunters spend a huge amount of time on a single target and there is a reason for that. Enumerating your target takes a lot of time. Be sure to check each and every piece of functionality. Get a feel for your target. After that you can start tampering with it. Also, don’t worry too much about picking the right target. You will figure out what kind of targets you like and what you don’t like.
I hope this cleared some things up for you. I hope you enjoy this wonderful journey that you’re now a part of. Good luck!