After taking a much-needed break and rest over the festive season, a period in which I reflected a lot on my career and life goals, I dove into cybersecurity with a focus on bug bounty hunting. I have been contemplating this for a while, ever since I came across the 0 to 100K in Bug Bounty Year One thread on X by @Rhynorater. I used ChatGPT to create a bug bounty hunting road map and began a resource-finding mission. I will write weekly posts documenting my journey and milestones toward becoming a bug bounty hunter. This first article documents some of the useful resources that aspiring bounty hunters can use. The resources range from ChatGPT, YouTube channels, websites, GitHub accounts, and X accounts to subreddits.
Remember
When starting out, always be aware of shiny object syndrome and analysis paralysis. Shiny object syndrome (SOS) is the tendency to be distracted by new ideas (courses), often at the expense of your current goal, which in this case is becoming a bug bounty hunter. Analysis paralysis is the point at which you cannot decide because you are overwhelmed with courses/materials and are not sure which one to use.
Another thing I will recommend while starting is developing a good note taking system. There are various Note Taking Apps you can use, such as Notion, Evernote, Microsoft OneNote, Joplin, Obsidian and many others. When choosing a note app, there are factors you have to put into consideration. Some features I look for in a note taking app are cost, ease of use, organizational features, and cross device access. My choice is Obsidian. Having a good note taking system is like having a second brain. Good notes always come in handy along your career trajectory, and they are what will catapult you to the next level.
Resources
Now, back to resources. I will focus on the free resources here, as I believe most of the required knowledge is free if you have the patience and time to go after it.
ChatGPT: The first and key resource I found helpful is ChatGPT. You are not restricted to this. You can use GPTs of your choice, like Copilot, Gemini or any other you may prefer. I used ChatGPT to brainstorm and be sure that I really wanted to go into bug bounty hunting. After being sure I wanted this, I prompted it to come up with a learning path and a study plan for bug bounty hunting. There are unlimited ways you can use GPTs, from generating explanations, examples and analogies to motivation, role-plays, questions, mind maps, mental associations and much more. You can also use them to engineer effective prompts, which you can then re-use to get the exact answers you want.
YouTube Channels: Some of the YouTube channels I have found to be amazing are:
NahamSec - Has detailed bug bounty tutorials and live hacking sessions.
STÖK - Offers practical bug hunting techniques and methodologies.
InsiderPhD - Great for beginners; provides structured learning content. This is the channel I have been using, mostly. I highly recommend it if you are starting out.
Jason Haddix - Industry veteran sharing advanced techniques and methodologies
TCM Security - Comprehensive ethical hacking and penetration testing tutorials
HackerSploit - Detailed tutorials on various security tools and techniques
LiveOverflow - In-depth technical content about security research and exploitation
PortSwigger - Official channel for Burp Suite with web security tutorials
Learning Websites:
PortSwigger Web Security Academy - Free, comprehensive web security training. I recommend PortSwigger Academy if you are starting out.
Bugcrowd University - Free educational resources for bug bounty hunters. Bugcrowd also provides a platform for the Vulnerability Disclosure Program (VDP) and Bug Bounty Programs (BBP). It is a good place to start your bug bounty hunting by creating an account on their platform.
TryHackMe - Interactive cybersecurity training platform with guided learning paths. TryHackMe is fully free, but it has some amazing labs that provide hands-on experience.
HackTheBox - Platform offering realistic penetration testing labs and challenges
HackerOne Hacktivity - Public bug reports to learn from real-world examples. HackerOne also provides a platform for the Vulnerability Disclosure Program (VDP) and Bug Bounty Programs (BBP).
PentesterLab - Hands-on exercises for web penetration testing
VulnHub - Provides materials to gain practical cybersecurity experience
OWASP - Comprehensive resource for web application security knowledge
GitHub Accounts:
BugBounty: This GitHub account has most of the resources you need to become a bounty hunter.
X Accounts: There is an amazing bug bounty community on X, with lots of accounts dedicated to sharing information on bug bounty hunting. I will not recommend any account in particular, but if you are on X, search for bug bounty and you'll find lots of accounts with posts that will inspire you.
SubReddits: Reddit is another social media platform I like. There is an amazing community here, with amazing people who are always ready to jump in and assist with any query you might have. Just be sure to search first to see whether the question has been asked and answered before. Also, be sure to ask on the right subreddit. The subreddit for bug bounty hunters that is active, and that I'd recommend you join, is r/bugbounty/.